Configuring supported services for Azure AD domain programmatically

I’m pretty sure I covered this in the past, but I cannot seem to find the article, so let’s spam again. The task at hand is simple – configure the list of services for a given domain, or domain capabilities as it was known previously. This is usually done as one of the steps when initially adding/verifying the domain within your tenant, however in some cases you might need to make changes afterwards. And since the M365 portal continues to use this convoluted wizard thingy and fails to expose this setting, you will have to either use PowerShell or the Graph API.

Let’s start with PowerShell. The good old MSOnline module only allows you to see the current values configured, not change them, so it’s of no use here. The Azure AD module on the other hand does feature the -SupportedServices parameter for Set-AzureADDomain, so we can use that. Here’s an example of getting the current values and changing the associated services for one of the domains:

PS C:\> Get-AzureADDomain | select Name,SupportedServices

Name                        SupportedServices
----                        -----------------
email.michev.info           {Intune}
www.michev.info             {Email, OfficeCommunicationsOnline, OrgIdAuthentication, Intune}
michev.info                 {Email, OfficeCommunicationsOnline, OrgIdAuthentication, Yammer, Intune}
michev.onmicrosoft.com      {Email, OfficeCommunicationsOnline}
michev.mail.onmicrosoft.com {}

PS C:\> Set-AzureADDomain -Name email.michev.info -SupportedServices @("Email","Intune")

PS C:\> Get-AzureADDomain | select Name,SupportedServices

Name                        SupportedServices
----                        -----------------
email.michev.info           {Email, Intune}
www.michev.info             {Email, OfficeCommunicationsOnline, OrgIdAuthentication, Intune}
michev.info                 {Email, OfficeCommunicationsOnline, OrgIdAuthentication, Yammer, Intune}
sb2.michev.info             {Email, OfficeCommunicationsOnline, OrgIdAuthentication}
michev.onmicrosoft.com      {Email, OfficeCommunicationsOnline}
michev.mail.onmicrosoft.com {}

Using the Graph API is another option. Let’s ignore the Microsoft Graph PowerShell module (or SDK as they call it) and do things directly via the Graph explorer, as it’s prettier 🙂

You will need to perform an Update domain operation, and for that you will need the corresponding Domain.ReadWrite.All permissions. The property we need to update is called supportedServices and is a string value. We can start by issuing a GET request against the /domains/{id} endpoint to check the current values. To change the supportedServices value, we can then issue a PATCH request with the following JSON payload:

{
    "supportedServices": [
        "Email"
    ]
}

A “204 – No Content” response indicates success, and we’re done. And so is this article 🙂
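The GET-then-PATCH sequence above, as an added PowerShell example that calls Graph directly with Invoke-RestMethod (not the author's code): it merges the requested service into the list already on the domain and sends the complete result, the way the Set-AzureADDomain example passes both Email and Intune, then reads the value back. The function name and $Token (a Graph access token with Domain.ReadWrite.All, obtained separately) are assumptions.

```powershell
# Added example, not the author's code. $Token is assumed to hold a Graph access
# token carrying Domain.ReadWrite.All, obtained separately.
function Add-DomainSupportedService {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]   $DomainName,
        [Parameter(Mandatory)][string[]] $Service,
        [Parameter(Mandatory)][string]   $Token
    )

    $uri     = "https://graph.microsoft.com/v1.0/domains/$DomainName"
    $headers = @{ Authorization = "Bearer $Token" }

    # GET /domains/{id}: read the current list; it may be empty ({} in the output above).
    $domain = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    [string[]]$current = @($domain.supportedServices | Where-Object { $_ })

    # Add only what is missing (-notin is case-insensitive), so nothing is dropped or duplicated.
    [string[]]$missing = @($Service | Where-Object { $_ -notin $current })
    if ($missing.Count -eq 0) {
        Write-Verbose "$DomainName already has: $($current -join ', ')"
        return $current
    }
    [string[]]$desired = $current + $missing

    # Send the complete resulting list, as the Set-AzureADDomain example does.
    $body = @{ supportedServices = $desired } | ConvertTo-Json
    if ($PSCmdlet.ShouldProcess($DomainName, "Set supportedServices to $($desired -join ', ')")) {
        # Success is "204 - No Content", so there is no response body to inspect.
        Invoke-RestMethod -Method Patch -Uri $uri -Headers $headers `
            -ContentType 'application/json' -Body $body | Out-Null

        # Read the value back to confirm what the service actually stored.
        $after = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        return @($after.supportedServices)
    }
}
```

Running it with -WhatIf first, for example Add-DomainSupportedService -DomainName email.michev.info -Service Email -Token $Token -WhatIf, shows the list that would be written without sending the PATCH.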

For anything important I might have missed, refer to the official documentation.
