Add your custom domain name using the Azure Active Directory portal

Every new Azure AD tenant comes with an initial domain name, <domainname>.partner.onmschina.cn. You can't change or delete the initial domain name, but you can add your organization's names. Adding custom domain names helps you to create user names that are familiar to your users, such as alain@contoso.com.

Before you begin

Before you can add a custom domain name, create your domain name with a domain registrar. For an accredited domain registrar, see ICANN-Accredited Registrars.

Create your directory in Azure AD

After you get your domain name, you can create your first Azure AD directory. Sign in to the Azure portal for your directory, using an account with the Owner role for the subscription.

Create your new directory by following the steps in Create a new tenant for your organization.

Important

The person who creates the tenant is automatically the Global administrator for that tenant. The Global administrator can add additional administrators to the tenant.

For more information about subscription roles, see Azure RBAC roles.

Tip

If you plan to federate your on-premises Windows Server AD with Azure AD, then you need to select I plan to configure this domain for single sign-on with my local Active Directory when you run the Azure AD Connect tool to synchronize your directories.

You also need to register the same domain name you select for federating with your on-premises directory in the Azure AD Domain step in the wizard. To see what that setup looks like, see Verify the Azure AD domain selected for federation. If you don't have the Azure AD Connect tool, you can download it here.

Add your custom domain name to Azure AD

After you create your directory, you can add your custom domain name.

  1. Sign in to the Azure portal using a Global administrator account for the directory.

  2. Search for and select Azure Active Directory from any page. Then select Custom domain names > Add custom domain.

    The Custom domain names page, with Add custom domain shown

  3. In Custom domain name, enter your organization's new name, in this example, contoso.com. Select Add domain.

    The Custom domain names page, with the Add custom domain page shown

    Important

    You must include .com, .net, or any other top-level extension for this to work properly.

    The unverified domain is added. The contoso.com page appears showing your DNS information. Save this information. You need it later to create a TXT record to configure DNS.

    The Contoso page with DNS entry information

Add your DNS information to the domain registrar

After you add your custom domain name to Azure AD, you must return to your domain registrar and add the Azure AD DNS information from your copied TXT file. Creating this TXT record for your domain verifies ownership of your domain name.

Go back to your domain registrar and create a new TXT record for your domain based on your copied DNS information. Set the time to live (TTL) to 3600 seconds (60 minutes), and then save the record.

Important

You can register as many domain names as you want. However, each domain gets its own TXT record from Azure AD. Be careful when you enter the TXT file information at the domain registrar. If you enter the wrong or duplicate information by mistake, you'll have to wait until the TTL times out (60 minutes) before you can try again.

Verify your custom domain name

After you register your custom domain name, make sure it's valid in Azure AD. The propagation from your domain registrar to Azure AD can be instantaneous or it can take a few days, depending on your domain registrar.

To verify your custom domain name, follow these steps:

  1. Sign in to the Azure portal using a Global administrator account for the directory.

  2. Search for and select Azure Active Directory from any page, then select Custom domain names.

  3. In Custom domain names, select the custom domain name. In this example, select contoso.com.

    The Fabrikam - Custom domain names page, with Contoso highlighted

  4. On the contoso.com page, select Verify to make sure your custom domain is properly registered and is valid for Azure AD.

    The Contoso page with DNS entry information and the Verify button

After you've verified your custom domain name, you can delete your verification TXT or MX file.

Common verification issues

If Azure AD can't verify a custom domain name, try the following suggestions:

  • Wait at least an hour and try again. DNS records must propagate before Azure AD can verify the domain. This process can take an hour or more.

  • Make sure the DNS record is correct. Go back to the domain name registrar site. Make sure the entry is there, and that it matches the DNS entry information provided by Azure AD.

    If you can't update the record on the registrar site, share the entry with someone who has permissions to add the entry and verify it's correct.

  • Make sure the domain name isn't already in use in another directory. A domain name can only be verified in one directory. If your domain name is currently verified in another directory, it can't also be verified in the new directory. To fix this duplication problem, you must delete the domain name from the old directory. For more information about deleting domain names, see Manage custom domain names.

  • Make sure you don't have any unmanaged Power BI tenants. If your users have activated Power BI through self-service sign-up and created an unmanaged tenant for your organization, you must take over management as an internal or external admin, using PowerShell.
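
An added example, not part of the original documentation: a Python check to run before selecting Verify. It reads the answer section printed by `dig +noall +answer TXT contoso.com` and reports whether the TXT value saved from the portal is published, absent, or entered incorrectly. The record values and the sample output below are constructed placeholders; use the value shown on your own domain's page.

```python
import shlex

# Constructed sample of `dig +noall +answer TXT contoso.com` output.
SAMPLE = '''\
contoso.com.  3600  IN  TXT  "v=spf1 include:mail.example.net -all"
contoso.com.  3600  IN  TXT  "MS=ms00000001"
'''

def parse_txt_answers(dig_answer):
    """Return (owner, ttl, value) for every TXT line in dig answer output."""
    records = []
    for line in dig_answer.splitlines():
        parts = line.strip().split(None, 4)
        if len(parts) < 5 or parts[2].upper() != "IN" or parts[3].upper() != "TXT":
            continue  # blank line, comment, or another record type
        name, ttl, _, _, rdata = parts
        # TXT data may be split into several quoted strings; join them.
        value = "".join(shlex.split(rdata))
        records.append((name.rstrip(".").lower(), int(ttl), value))
    return records

def check_verification(dig_answer, domain, expected, max_ttl=3600):
    """Compare published TXT records with the value copied from the portal."""
    domain = domain.rstrip(".").lower()
    key = expected.split("=", 1)[0].lower()  # e.g. "ms" in the placeholder
    exact_ttls, wrong_values = [], []
    for name, ttl, value in parse_txt_answers(dig_answer):
        if name != domain:
            continue
        if value == expected:
            exact_ttls.append(ttl)
        elif value.strip().lower().startswith(key + "="):
            wrong_values.append(value)  # same kind of record, different value
    if exact_ttls:
        status = "ok"
    else:
        status = "mismatch" if wrong_values else "missing"
    return {
        "status": status,
        "wrong_values": wrong_values,  # mistyped or stale entries to remove
        "ttl_too_long": any(t > max_ttl for t in exact_ttls),
    }

if __name__ == "__main__":
    # "MS=ms00000000" is a constructed placeholder for the portal's value.
    print(check_verification(SAMPLE, "contoso.com", "MS=ms00000000"))
```

A `mismatch` result means a verification-style record exists but does not carry the portal's value, which is the case the Important note above warns about. A cached answer from a recursive resolver shows a TTL that counts down, so `ttl_too_long` only flags values above the recommended 3600 seconds.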

Next steps