Hello Enrico Rossini,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
I understand that your Azure can't find microsoft-identity-association.json.
With your kind of explanation, image and scenario provided, I will classify this into two scenarios where this can happen instead of secondary issues:
Scenario 1: If the domain is verified in a different Microsoft Entra tenant than the app registration.
The reason it fails is that Microsoft Entra doesn’t allow a root domain to be verified in more than one tenant at a time. If contoso.com is already verified elsewhere, it cannot be re-verified in the current tenant. - https://learn.microsoft.com/en-us/entra/identity/users/domains-manage
What you can do is the following:
- Recreate the app registration in the tenant that already owns the verified domain
  - In Microsoft Entra admin center, switch to the tenant where the domain is verified (Directories + subscriptions). - https://learn.microsoft.com/en-us/entra/identity-platform/howto-configure-publisher-domain
  - Create a new App Registration in that tenant and reapply the settings (redirect URIs, API permissions, certificates/secrets).
  - Update your application configuration to use the new Application (client) ID.
- Verify a separate subdomain in the current tenant, then use it as the publisher domain. Microsoft explicitly supports verifying a subdomain in a different tenant, even when the root domain is verified in another tenant (for example, europe.contoso.com). - https://learn.microsoft.com/en-us/entra/identity/users/domains-manage
  - Go to Entra ID → Domain names → Add custom domain and add a subdomain (e.g., id.contoso.com). - https://learn.microsoft.com/en-us/entra/identity/users/domains-manage
  - Create the requested DNS TXT record with your DNS provider and complete verification. - https://learn.microsoft.com/en-us/entra/identity/users/domains-manage
  - Then set it on the app: App registrations > (your app) > Branding > Publisher domain > Update domain > Select a verified domain and choose the verified subdomain. - https://learn.microsoft.com/en-us/entra/identity-platform/howto-configure-publisher-domain
NOTE: The /.well-known/microsoft-identity-association.json file is a domain verification method inside the current tenant’s app registration flow, not a way to “reuse” a domain verified in another tenant. - https://learn.microsoft.com/en-us/entra/identity-platform/howto-configure-publisher-domain, https://learn.microsoft.com/en-us/entra/identity/users/domains-manage
Scenario 2: The domain is in the same tenant, but publisher domain verification still fails.
You’re already in the correct tenant, but the verification check can fail if the JSON file isn’t exactly what Entra expects, or if the endpoint response metadata isn’t acceptable.
Perform the step-by-step validation checklist in order:
- Confirm the tenant actually has the domain verified:
  - Go to Entra ID > Domain names and confirm the domain shows Verified. - https://learn.microsoft.com/en-us/entra/identity/users/domains-manage
  - If the domain is verified, you can usually skip web-host verification and simply select the verified domain from the dropdown. - https://learn.microsoft.com/en-us/entra/identity-platform/howto-configure-publisher-domain
- If you must “Verify a new domain for your app”, use the exact JSON structure. Create a file named microsoft-identity-association.json as in https://learn.microsoft.com/en-us/entra/identity-platform/howto-configure-publisher-domain and use this validated JSON (replace placeholders with real client IDs):

  ```json
  {
    "associatedApplications": [
      { "applicationId": "<YOUR_APPLICATION_CLIENT_ID>" }
    ]
  }
  ```

  Tip: If you’re validating the same domain for multiple apps, include multiple applicationId objects in the array. https://learn.microsoft.com/en-us/entra/identity-platform/howto-configure-publisher-domain
- Host the file at the required “well-known” path (HTTPS):
  - Publish it exactly here: https://<your-domain>/.well-known/microsoft-identity-association.json - https://learn.microsoft.com/en-us/entra/identity-platform/howto-configure-publisher-domain
  - This uses the industry-standard /.well-known/ convention (RFC 8615). https://www.rfc-editor.org/rfc/rfc8615
- Ensure the response Content-Type is supported:
  - Microsoft Entra expects JSON deserialization and explicitly lists supported response headers such as application/json and application/json; charset=utf-8. - https://learn.microsoft.com/en-us/entra/identity-platform/howto-configure-publisher-domain

    ```bash
    curl -i https://<your-domain>/.well-known/microsoft-identity-association.json
    ```

    You should see HTTP 200 and a supported Content-Type.
- Retry verification from the portal:
  - App registrations > (your app) > Branding > Publisher domain > Configure/Update domain > Verify and save domain - as-is in the above link.
  - After it succeeds, you can remove the hosted file. Microsoft states you don’t need to keep the verification resources after the domain is verified. - https://learn.microsoft.com/en-us/entra/identity-platform/howto-configure-publisher-domain
I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.
Please don't forget to close the thread by upvoting and accepting this as the answer if it is helpful.
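As an added example (not part of the answer above and not Microsoft tooling), a small Python checker that applies the conditions the checklist walks through to a response: HTTP 200, a supported JSON Content-Type, and an associatedApplications array whose applicationId values are GUIDs. The sample body and its GUID are constructed placeholders, and check_hosted_file is a hypothetical helper that needs network access.

```python
import json
import re
import urllib.error
import urllib.request
from typing import List

# Conditions the checklist describes: exact well-known path over HTTPS, HTTP 200,
# a JSON Content-Type, and an associatedApplications array of applicationId GUIDs.
WELL_KNOWN_PATH = "/.well-known/microsoft-identity-association.json"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Constructed sample body (not captured from a real tenant); the GUID is a placeholder.
SAMPLE_BODY = json.dumps({"associatedApplications": [{"applicationId": "11111111-2222-3333-4444-555555555555"}]})

def content_type_supported(content_type: str) -> bool:
    """Accept application/json with no parameter or only charset=utf-8 (case-insensitive)."""
    media, _, params = content_type.lower().partition(";")
    return media.strip() == "application/json" and params.replace(" ", "") in ("", "charset=utf-8")

def check_association_response(status: int, content_type: str, body: str) -> List[str]:
    """Return the problems found in one response; an empty list means it looks acceptable."""
    problems: List[str] = []
    if status != 200:
        problems.append(f"expected HTTP 200, got {status}")
    if not content_type_supported(content_type):
        problems.append(f"unsupported Content-Type: {content_type!r}")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        problems.append("body is not valid JSON")
        return problems
    apps = doc.get("associatedApplications") if isinstance(doc, dict) else None
    if not isinstance(apps, list) or not apps:
        problems.append("missing or empty 'associatedApplications' array")
        return problems
    for i, entry in enumerate(apps):  # one object per app sharing this publisher domain
        app_id = entry.get("applicationId") if isinstance(entry, dict) else None
        if not isinstance(app_id, str) or not GUID_RE.match(app_id):
            problems.append(f"entry {i}: applicationId is not a GUID: {app_id!r}")
    return problems

def check_hosted_file(domain: str) -> List[str]:
    """Fetch the file from https://<domain> and run the same checks (needs network access)."""
    url = f"https://{domain}{WELL_KNOWN_PATH}"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return check_association_response(resp.status, resp.headers.get("Content-Type", ""), resp.read().decode())
    except urllib.error.HTTPError as err:
        return [f"expected HTTP 200, got {err.code}"]
```

A non-empty list from check_hosted_file names the specific mismatch (status, header, or file content) to fix before retrying verification in the portal.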