Office 365 records in Azure DNS

Setup DNS records the easy way

Getting started with an Office 365 tenant is easy enough. Go to https://www.aka.ms/office365signup, choose your subscription, click the Try for free link, follow the on-screen instructions and you're off. If you just want a quick look at what Office 365 is all about and which features are available, this might be sufficient.

Things get interesting when you start personalizing your tenant. The first task is to link your domain name. You'll need to prove ownership of the domain by creating a DNS record; the Microsoft documentation describes how. The same document also lists all the records needed to set up your Office 365 tenant for other services such as Skype for Business, Teams and Mobile Device Management (MDM) with Intune.

Record overview

According to the Microsoft documentation referenced in the previous paragraph, we need these CNAME records:

Record Type   Host                    Points to                                     TTL
CNAME         autodiscover            autodiscover.outlook.com                      1 hour
CNAME         lyncdiscover            webdir.online.lync.com                        1 hour
CNAME         sip                     sipdir.online.lync.com                        1 hour
CNAME         enterpriseregistration  enterpriseregistration.windows.net            1 hour
CNAME         enterpriseenrollment    enterpriseenrollment-s.manage.microsoft.com   1 hour

A TXT record that publishes the Sender Policy Framework (SPF) policy. Once it is live, the record can be validated with one of the available SPF validation tools:

Record Type   Host   TXT Value                                        TTL
TXT           @      v=spf1 include:spf.protection.outlook.com -all   1 hour

And finally, two SRV records:

Record Type   Host   Points to                Protocol   Service             Priority   Weight   Port   TTL
SRV           @      sipdir.online.lync.com   _tls       _sip                100        1        443    1 hour
SRV           @      sipfed.online.lync.com   _tcp       _sipfederationtls   100        1        5061   1 hour

Set them up!

Setting up these records by hand is cumbersome. Fear not! If the domain is hosted in Azure DNS, we can use a script to create the records.

<#
.SYNOPSIS
  Script to create Office 365 DNS records in Azure

.DESCRIPTION
  This script will create the records needed by Office 365 for a specific tenant in Azure

.PARAMETER DomainName
  Specifies the domain name where the records need to be created

.PARAMETER ResourceGroupName
  Specifies the resource group name in Azure

.PARAMETER MxToken
  Specifies the MxToken. This is a value like MSxxxxxxx and can be found in the Office 365 portal

.PARAMETER AutomationContextFile
  Points to the AutomationContextFile

.PARAMETER TXTVerificationRecord
  If specified, the script will create a TXT record with this value to prove domain ownership.

.NOTES
  Version:        0.1
  Author:         Sven de Windt
  Creation Date:  4/11/2018
  Purpose/Change: Initial script development

.EXAMPLE
  .\CreateO365DNSRecordsInAzure.ps1 -DomainName demotile.be -ResourceGroupName dns -MxToken MS123456 -TXTVerificationRecord MSQQDJFMLQSJDFLQSHPFHQPS -Verbose
#>

#Requires -version 3
#Requires -Modules AzureRm
#---------------------------------------------------------[Parameters]--------------------------------------------------------

[CmdletBinding()]
param(
    [parameter(mandatory = $true)][string]$DomainName,
    [parameter(mandatory = $true)][string]$ResourceGroupName,
    [parameter(mandatory = $true)][string]$MxToken,
    [parameter(mandatory=$false)][string]$AutomationContextFile,
    [parameter(mandatory=$false)][string]$TXTVerificationRecord
)

#---------------------------------------------------------[Initialisations]--------------------------------------------------------

# Set Error Action to Stop on every error
$ErrorActionPreference = "Stop"

# Dot Source required Function Libraries
#. "C:\Scripts\Functions\Logging_Functions.ps1"

#----------------------------------------------------------[Declarations]----------------------------------------------------------

# Script Version
$ScriptVersion = "1.0"

$TTL = 3600
$SPF = "v=spf1 include:spf.protection.outlook.com -all"

# Keep up with best practices ($ErrorActionPreference was already set to Stop above)
Set-StrictMode -Version Latest

#-----------------------------------------------------------[Functions]------------------------------------------------------------

function Get-AutomationContext () {
    # Reads the optional automation context file (not called by the execution section below)
    Write-Verbose "Getting automation context"
    if (-not $AutomationContextFile) {
        throw "No AutomationContextFile was specified"
    }
    $Context = Get-Content -Path $AutomationContextFile -Raw | ConvertFrom-Json
    return $Context
}

#-----------------------------------------------------------[Execution]------------------------------------------------------------

Clear-Host
Write-Output "Start script - version $($ScriptVersion)"

Write-Host "Logon to Azure"
Login-AzureRmAccount

Write-Verbose "Does the DNS zone $($DomainName) exist?"

try {
    # Fails if the zone is not present in the resource group, which stops the script
    $null = Get-AzureRmDnsZone -Name $DomainName -ResourceGroupName $ResourceGroupName
    Write-Verbose "The zone exists in Azure"
} catch {
    Write-Error "DNS zone $($DomainName) was not found in resource group $($ResourceGroupName): $($_.Exception.Message)"
}

# TXT record for domain verification and SPF
# Note: -Overwrite replaces the whole TXT record set at the zone apex, so any TXT values
# already published there (other verification tokens, an existing SPF record) are dropped.
# A domain must publish exactly one SPF record: two "v=spf1" TXT records cause receivers'
# SPF checks to return permerror (RFC 7208, section 4.5).
Write-Output "Adding TXT record(s): domain verification (if given) and SPF record to prevent spoofing"
$Records = @()
if ($TXTVerificationRecord) {
    $Records += New-AzureRmDnsRecordConfig -Value $TXTVerificationRecord
}
$Records += New-AzureRmDnsRecordConfig -Value $SPF
$RecordSet = New-AzureRmDnsRecordSet -Name "@" -RecordType TXT -ResourceGroupName $ResourceGroupName -ZoneName $DomainName -Ttl $TTL -DnsRecords $Records -Overwrite
Set-AzureRmDnsRecordSet -RecordSet $RecordSet | Out-Null

# MX record to route mail
Write-Output "Adding MX record to route mail"
$Records = @()
$Records += New-AzureRmDnsRecordConfig -Exchange "$($MxToken).mail.protection.outlook.com" -Preference 5
$RecordSet = New-AzureRmDnsRecordSet -Name "@" -RecordType MX -ResourceGroupName $ResourceGroupName -ZoneName $DomainName -Ttl $TTL -DnsRecords $Records -Overwrite
Set-AzureRmDnsRecordSet -RecordSet $RecordSet | Out-Null

# Three CNAME records to locate services
Write-Output "Adding three CNAME records to locate services"
$Records = @()
$Records += New-AzureRmDnsRecordConfig -Cname "autodiscover.outlook.com"
$RecordSet = New-AzureRmDnsRecordSet -Name "autodiscover" -RecordType CNAME -ResourceGroupName $ResourceGroupName -ZoneName $DomainName -Ttl $TTL -DnsRecords $Records -Overwrite
Set-AzureRmDnsRecordSet -RecordSet $RecordSet | Out-Null

$Records = @()
$Records += New-AzureRmDnsRecordConfig -Cname "webdir.online.lync.com"
$RecordSet = New-AzureRmDnsRecordSet -Name "lyncdiscover" -RecordType CNAME -ResourceGroupName $ResourceGroupName -ZoneName $DomainName -Ttl $TTL -DnsRecords $Records -Overwrite
Set-AzureRmDnsRecordSet -RecordSet $RecordSet | Out-Null

$Records = @()
$Records += New-AzureRmDnsRecordConfig -Cname "sipdir.online.lync.com"
$RecordSet = New-AzureRmDnsRecordSet -Name "sip" -RecordType CNAME -ResourceGroupName $ResourceGroupName -ZoneName $DomainName -Ttl $TTL -DnsRecords $Records -Overwrite
Set-AzureRmDnsRecordSet -RecordSet $RecordSet | Out-Null

# Two CNAME records for Mobile Device Management (MDM)
Write-Output "Adding two CNAME records for Mobile Device Management (MDM)" 
$Records = @()
$Records += New-AzureRmDnsRecordConfig -Cname "enterpriseregistration.windows.net"
$RecordSet = New-AzureRmDnsRecordSet -Name "enterpriseregistration" -RecordType CNAME -ResourceGroupName $ResourceGroupName -ZoneName $DomainName -Ttl $TTL -DnsRecords $Records -Overwrite
Set-AzureRmDnsRecordSet -RecordSet $RecordSet | Out-Null

$Records = @()
$Records += New-AzureRmDnsRecordConfig -Cname "enterpriseenrollment-s.manage.microsoft.com"
$RecordSet = New-AzureRmDnsRecordSet -Name "enterpriseenrollment" -RecordType CNAME -ResourceGroupName $ResourceGroupName -ZoneName $DomainName -Ttl $TTL -DnsRecords $Records -Overwrite
Set-AzureRmDnsRecordSet -RecordSet $RecordSet | Out-Null

# Two SRV records for Skype For Business (SFB) - Teams
Write-Output "Adding two SRV records for Skype For Business (SFB) - Teams"
$Records = @()
$Records += New-AzureRmDnsRecordConfig -Priority 100 -Weight 1 -Port 443 -Target "sipdir.online.lync.com"
$RecordSet = New-AzureRmDnsRecordSet -Name "_sip._tls" -RecordType SRV -ResourceGroupName $ResourceGroupName -ZoneName $DomainName -Ttl $TTL -DnsRecords $Records -Overwrite
Set-AzureRmDnsRecordSet -RecordSet $RecordSet | Out-Null

$Records = @()
$Records += New-AzureRmDnsRecordConfig -Priority 100 -Weight 1 -Port 5061 -Target "sipfed.online.lync.com"
$RecordSet = New-AzureRmDnsRecordSet -Name "_sipfederationtls._tcp" -RecordType SRV -ResourceGroupName $ResourceGroupName -ZoneName $DomainName -Ttl $TTL -DnsRecords $Records -Overwrite
Set-AzureRmDnsRecordSet -RecordSet $RecordSet | Out-Null
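Once the script has run, you will want to confirm that the records are actually being served. The following PowerShell is an added example (not the post's own script): it resolves every record from the tables above against the zone's own authoritative name server, so resolver caches do not mask a missing record, and flags any CNAME or SRV that differs and any SPF policy other than the single hard-fail (-all) record in the table. It assumes a Windows host with the DnsClient module (Resolve-DnsName) and takes the domain name as its only parameter.

```powershell
# Added verification example (not the original script); assumes Resolve-DnsName (Windows DnsClient module)
[CmdletBinding()]
param([parameter(Mandatory = $true)][string]$DomainName)
# Expected values, copied from the record overview above
$ExpectedCname = @{
    "autodiscover"           = "autodiscover.outlook.com"
    "lyncdiscover"           = "webdir.online.lync.com"
    "sip"                    = "sipdir.online.lync.com"
    "enterpriseregistration" = "enterpriseregistration.windows.net"
    "enterpriseenrollment"   = "enterpriseenrollment-s.manage.microsoft.com"
}
$ExpectedSrv = @{
    "_sip._tls"              = @{ Target = "sipdir.online.lync.com"; Port = 443 }
    "_sipfederationtls._tcp" = @{ Target = "sipfed.online.lync.com"; Port = 5061 }
}
$ExpectedSpf = "v=spf1 include:spf.protection.outlook.com -all"
$Failures = 0
# Ask the zone's authoritative server directly instead of the local (possibly cached) resolver
$Ns = (Resolve-DnsName -Name $DomainName -Type NS -ErrorAction Stop |
       Where-Object { $_.Type -eq "NS" } | Select-Object -First 1).NameHost
foreach ($Label in $ExpectedCname.Keys) {
    $Answer = Resolve-DnsName -Name "$($Label).$($DomainName)" -Type CNAME -Server $Ns -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq "CNAME" }
    if ($Answer.NameHost -ne $ExpectedCname[$Label]) {
        Write-Warning "CNAME $($Label).$($DomainName) -> '$($Answer.NameHost)', expected '$($ExpectedCname[$Label])'"
        $Failures++
    }
}
foreach ($Label in $ExpectedSrv.Keys) {
    $Answer = Resolve-DnsName -Name "$($Label).$($DomainName)" -Type SRV -Server $Ns -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq "SRV" }
    if ($Answer.NameTarget -ne $ExpectedSrv[$Label].Target -or $Answer.Port -ne $ExpectedSrv[$Label].Port) {
        Write-Warning "SRV $($Label).$($DomainName) is missing or differs from the expected target/port"
        $Failures++
    }
}
# SPF: exactly one v=spf1 TXT string, and it must be the hard-fail (-all) policy from the table.
# Zero records means no protection, more than one is a permerror, ~all/+all is weaker than intended.
$Spf = @(Resolve-DnsName -Name $DomainName -Type TXT -Server $Ns -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq "TXT" } | ForEach-Object { -join $_.Strings } |
         Where-Object { $_ -like "v=spf1*" })
if ($Spf.Count -ne 1 -or $Spf[0] -ne $ExpectedSpf) {
    Write-Warning "SPF check failed: found $($Spf.Count) record(s): $($Spf -join ' | ')"
    $Failures++
}
if ($Failures -eq 0) { Write-Output "All Office 365 records for $DomainName verified" } else { exit 1 }
```

Run it right after the creation script; the non-zero exit code on any mismatch makes it usable as a gate in an automation pipeline.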

I hope this script can save you time and frustration when setting up a tenant.

Sven de Windt
Systems Administrator

Systems engineer with an interest in automation
