CloudSOC Primary DNS Domain Configuration Rules and Common Error Causes
Overview
When creating a new CloudSOC (CASB) tenant, you must specify a Primary DNS Domain.
This domain defines the organizational identity and is critical for user association, authentication, and email communication within CloudSOC.
If the domain is configured incorrectly, the Enterprise Console may display a status of “Error” or “In Progress” indefinitely.
The following sections describe the configuration rules, restrictions, and the most common causes of provisioning failures.
1. The Primary DNS Domain Must Match the Administrator’s Email Domain
The domain entered in Primary DNS Domain must match the email domain of the account used to access the Enterprise Console.
✅ Example:
- Administrator account: admin@company.com
- Valid Primary DNS Domain: company.com
- Invalid: corp.local, company.net, etc.
If the domain does not match, CloudSOC cannot verify organizational ownership and provisioning will fail.
2. A Primary DNS Domain Cannot Be Duplicated Within the Same SaaS Account ID
Each Primary DNS Domain is unique per SaaS Account ID.
You cannot create multiple CloudSOC tenants with the same Primary DNS Domain under a single SaaS account.
⚠️ Example:
If a CloudSOC tenant already exists with the domain example.com, you cannot create another tenant using example.com as the Primary DNS Domain again.
This ensures domain-level uniqueness and prevents user identity conflicts across tenants.
3. A User Can Belong to Only One Tenant (One Primary DNS Domain)
Each CloudSOC user can belong to only one tenant that corresponds to a single Primary DNS Domain.
If you attempt to create a new tenant using an account that already belongs to another tenant, provisioning will fail.
❌ Example:
- User john.doe@company.com already belongs to an existing CloudSOC tenant.
- Attempting to create a new tenant using the same account will result in an error.
To create a new tenant, use an account that does not belong to any existing CloudSOC instance.
4. The Primary DNS Domain Cannot Be Changed After Creation
Once the Primary DNS Domain is set, it cannot be modified.
If your organization changes its email domain (for example, from company.com to newcompany.com), you must add the new one as a Secondary Domain.
5. Unsupported or Restricted Domains
Some domain types are not supported for use as Primary or Secondary domains.
| Domain Type | Status | Reason |
|---|---|---|
| .local | ❌ Not supported | Not routable on the Internet; prevents system email delivery |
| onmicrosoft.com | ❌ Not supported | Considered a Microsoft service domain, not an organizational domain |
| Public corporate domain (e.g., company.com) | ✅ Supported | Fully routable and verifiable |
| Already-registered Primary DNS Domain | ❌ Not supported | Must be unique within SaaS Account ID |
If your chosen domain falls under a restricted type, CloudSOC provisioning will fail.
6. Common Error Scenarios
Cause 1: The User Already Belongs to Another Tenant
A user account can be associated with only one tenant (Primary DNS Domain).
If an existing user account is used to create a new tenant, provisioning will fail.
Resolution:
Use a different account that does not belong to any existing CloudSOC tenant.
Cause 2: Primary DNS Domain Does Not Match the Administrator’s Email Domain
The domain entered during configuration must exactly match the domain part of the administrator’s email address used to access the Enterprise Console.
Resolution:
Ensure that both domains match before retrying the provisioning process.
Cause 3: Duplicate Primary DNS Domain
A single SaaS Account ID cannot have two tenants with the same Primary DNS Domain.
If another tenant already uses the same domain, the system will reject it.
Resolution:
Check existing tenants in the same SaaS account. If necessary, contact Broadcom Support to confirm domain ownership or request a release.
Cause 4: Restricted or Unsupported Domain
Domains that are internal-only (.local), service domains (onmicrosoft.com), or otherwise restricted will cause provisioning failure.
Resolution:
Use a valid, publicly routable corporate domain.
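The rules in sections 1 through 5 and the four error causes in section 6 can be checked before a provisioning request is submitted. The following pre-flight validator is an added example, not Broadcom code and not a CloudSOC API: it assumes you keep your own inventory of existing tenants (SaaS Account ID, Primary DNS Domain, member accounts) and encodes each rule as the cause number the article uses. The tenant records and accounts below are constructed sample data.

```python
"""Pre-flight check for a CloudSOC Primary DNS Domain request.

Added example, not Broadcom's code. The tenant inventory and user
membership are assumed to come from your own records; CloudSOC performs
the authoritative checks at provisioning time.
"""
from dataclasses import dataclass, field

# Domain types the article lists as unsupported (section 5).
# ".local" is stored as the label "local" so the suffix test below works.
RESTRICTED_DOMAINS = ("local", "onmicrosoft.com")


@dataclass
class Tenant:
    """One existing tenant (constructed record type, not a CloudSOC object)."""
    saas_account_id: str
    primary_domain: str
    users: set = field(default_factory=set)


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain.lower().rstrip(".")


def is_restricted(domain: str) -> bool:
    """True for .local names, onmicrosoft.com and any of its subdomains."""
    d = domain.lower().rstrip(".")
    return any(d == r or d.endswith("." + r) for r in RESTRICTED_DOMAINS)


def validate_request(admin_email, primary_domain, saas_account_id, existing):
    """Return the list of (cause number, message) the request would trip.

    Cause numbers follow section 6 of the article; an empty list means the
    request passes every rule this check knows about.
    """
    admin = admin_email.lower()
    domain = primary_domain.lower().rstrip(".")
    errors = []

    # Cause 1: the account used to create the tenant already belongs to one.
    if any(admin in t.users for t in existing):
        errors.append((1, "user already belongs to another tenant"))

    # Cause 2: Primary DNS Domain must equal the administrator's email domain.
    if email_domain(admin) != domain:
        errors.append((2, "Primary DNS Domain does not match the administrator's email domain"))

    # Cause 3: the domain is unique per SaaS Account ID.
    if any(t.saas_account_id == saas_account_id and t.primary_domain.lower() == domain
           for t in existing):
        errors.append((3, "duplicate Primary DNS Domain within this SaaS Account ID"))

    # Cause 4: internal-only or service domains are rejected.
    if is_restricted(domain):
        errors.append((4, "restricted or unsupported domain type"))

    return errors


# Constructed sample inventory (not real tenants).
EXISTING_TENANTS = [
    Tenant("saas-0001", "example.com", {"john.doe@example.com"}),
    Tenant("saas-0001", "company.com", {"john.doe@company.com"}),
]


def causes(admin_email, primary_domain, saas_account_id, existing=None):
    """Convenience wrapper returning just the cause numbers."""
    inventory = EXISTING_TENANTS if existing is None else existing
    return [c for c, _ in validate_request(admin_email, primary_domain, saas_account_id, inventory)]


if __name__ == "__main__":
    for email, dom, acct in [
        ("admin@newco.com", "newco.com", "saas-0001"),
        ("admin@company.com", "company.com", "saas-0001"),
        ("admin@company.com", "corp.local", "saas-0001"),
        ("john.doe@company.com", "company.com", "saas-0002"),
    ]:
        print(email, dom, acct, "->", validate_request(email, dom, acct, EXISTING_TENANTS) or "OK")
```

A request can trip more than one cause at once (an administrator at company.com asking for corp.local fails both the match rule and the restricted-domain rule), so the check reports all of them rather than stopping at the first; that matches how the Enterprise Console's generic "Error" status gives no hint which rule was violated.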
Summary of Key Rules
| Rule | Description |
|---|---|
| Must match admin’s email domain | The domain used in the Enterprise Console login account must match the Primary DNS Domain |
| Cannot be duplicated | Each Primary DNS Domain must be unique per SaaS Account ID |
| User-to-tenant relationship | A user can belong to only one tenant (one Primary DNS Domain) |
| Cannot be changed | The Primary DNS Domain is fixed once provisioned |
| Restricted domains | .local and onmicrosoft.com are not supported |