
Trusted Domains: Integration Overview

How the Microsoft 365 connection powers the Trusted Domains report

What is Trusted Domains?

Trusted Domains is a Valimail integration that connects to your Microsoft 365 (Azure) tenant and pulls in the full list of domains your organization owns. Valimail compares those domains against the ones currently configured in your account, so you can quickly find unprotected domains and bring them under DMARC, SPF, and DKIM coverage.

Why this matters

Microsoft 365 customers often manage a much larger portfolio of domains than what is configured in Valimail. These additional domains are tracked in Microsoft as the tenant's domain list, a set of domains your organization has verified and uses for email or other services. When those domains are not enrolled in Valimail, they remain unprotected from DMARC-based attacks and represent a gap in your email security posture.

The Trusted Domains report closes that gap by automatically reconciling your Microsoft domain list with what you have configured in Valimail.

How the integration works

At a high level, the integration is a one-time, consent-based connection between Valimail and your Microsoft 365 tenant. Once connected, Valimail reads your domain list from Microsoft Graph and surfaces a comparison report inside the application.

What gets installed in your tenant

When you connect, a Valimail-published object is created in your Microsoft tenant. There are no other changes to your environment.

  • App Registration. An App Registration is created in your Azure tenant. The App Registration is the object that holds Valimail’s read-only access to your domain list.

  • Permissions are domain-only. Valimail requests the minimum scope required to read the list of verified domains in your tenant. We do not request access to mail content, mailboxes, users, files, or directory data.

  • No secrets or passwords are exchanged. The connection is established through the standard Microsoft consent flow; Valimail never asks for, sees, or stores your administrator credentials.

What Valimail does with the data

  • Reads your verified domain list from Microsoft Graph on a regular cadence.

  • Stores each domain in Valimail along with its current status: new (just discovered), configured (already enrolled in Valimail), or ignored (you chose to dismiss it).

  • Surfaces the data in the Trusted Domains report so you can review, ignore, or add domains to your Valimail account in a few clicks.

Who can connect

Required role: The user who completes the connection must be an Administrator in the Azure tenant you are connecting to (typically a Global Administrator or a Privileged Role Administrator who can grant tenant-wide consent). After the initial connection, the App Registration runs on its own — the admin who installed it does not need to stay in the loop.

Connecting your tenant

Clicking Connect in the Valimail app opens an onboarding flow. Complete the following steps to connect Trusted Domains to your Microsoft 365 tenant.

  1. Open the Integrations page and locate the Trusted Domains card.

  2. Click Connect on the card. A new tab opens with on-screen instructions.

  3. Copy the line of text shown in step 1 of the onboarding page. You will paste it into the Azure Cloud Shell in a moment.

  4. Click the link to open the Azure Cloud Shell — a terminal that runs inside the Azure portal.

  5. Paste the line you copied and run it. The script takes about 25 seconds to complete and creates the App Registration in your tenant.

  6. Return to the Valimail onboarding tab. The next step — Grant permissions — is now enabled.

  7. Click Grant permissions. Microsoft displays a consent screen asking you to authorize Valimail to read domains in your tenant. Review and accept.

  8. You are returned to the Valimail onboarding page with a success confirmation. The Trusted Domains report appears in the sidebar within a few minutes once data has been pulled.

Transparency built in

On the onboarding page, you can: (1) open the exact script that will run in your Cloud Shell to inspect it before you paste, and (2) after consent, jump directly to the App Registration in your Azure portal to verify that only the permissions Valimail requested are assigned.
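
The post-consent check described above can also be run outside the portal. The following is an added example, not Valimail's script or code: it audits what a service principal has actually been granted, using the response shapes of Microsoft Graph's appRoleAssignments, appRoles and oauth2PermissionGrants. The allow-list entry Domain.Read.All is an assumption (the page does not name the permission), and every ID in the sample data is constructed.

```python
# Added example: audit a service principal's granted Graph permissions.
# Inputs mirror these Microsoft Graph v1.0 responses (the "value" arrays):
#   GET /servicePrincipals/{id}/appRoleAssignments       -> application permissions
#   GET /servicePrincipals/{resourceId}?$select=appRoles -> role id-to-name map
#   GET /oauth2PermissionGrants?$filter=clientId eq '{id}' -> delegated scopes

# Assumption: the page does not name the permission. Domain.Read.All is the
# Microsoft Graph permission that allows reading a tenant's domain list.
ALLOWED = {"Domain.Read.All"}


def audit(assignments, roles_by_resource, grants, allowed=ALLOWED):
    """Return (granted, unexpected) as sorted lists of permission names."""
    granted = set()
    for a in assignments:
        # appRoleId is only meaningful relative to the resource that defines it.
        roles = {r["id"].lower(): r["value"]
                 for r in roles_by_resource.get(a["resourceId"], [])}
        # An id that cannot be resolved is reported, never silently dropped.
        granted.add(roles.get(a["appRoleId"].lower(),
                              "unresolved:" + a["appRoleId"]))
    for g in grants:
        # Delegated grants carry a space-separated scope string.
        granted.update((g.get("scope") or "").split())
    allowed_ci = {p.lower() for p in allowed}
    unexpected = sorted(p for p in granted if p.lower() not in allowed_ci)
    return sorted(granted), unexpected


# Constructed sample data; the GUIDs are placeholders, not real Graph ids.
GRAPH = "00000000-0000-0000-0000-00000000aaaa"
ROLES = {GRAPH: [
    {"id": "00000000-0000-0000-0000-0000000000a1", "value": "Domain.Read.All"},
    {"id": "00000000-0000-0000-0000-0000000000a2", "value": "Mail.Read"},
]}
CLEAN = [{"resourceId": GRAPH, "appRoleId": "00000000-0000-0000-0000-0000000000A1"}]
DRIFTED = CLEAN + [
    {"resourceId": GRAPH, "appRoleId": "00000000-0000-0000-0000-0000000000a2"},
    {"resourceId": GRAPH, "appRoleId": "00000000-0000-0000-0000-0000000000ff"},
]
DELEGATED = [{"consentType": "AllPrincipals", "resourceId": GRAPH,
              "scope": "User.Read Domain.Read.All"}]

if __name__ == "__main__":
    print(audit(CLEAN, ROLES, []))
    print(audit(DRIFTED, ROLES, DELEGATED))
```

An empty second list means nothing beyond the allow-list is assigned; rerunning the audit periodically catches permissions added after the initial consent.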

What you’ll see in the Trusted Domains report

Once data has been pulled, the report appears in the Valimail sidebar and is split into two sections so you can act quickly:

| Section | Description |
| --- | --- |
| Not in Valimail | Domains found in your Microsoft tenant that are not yet set up in Valimail. Add any of them to your account directly from this list, or mark them as ignored if they are not in scope. |
| In Valimail | Domains found in your Microsoft tenant that are already enrolled in Valimail. Use this view to confirm coverage and reconcile against your Microsoft source of truth. |

Each domain row includes the underlying Microsoft properties (such as whether the domain is verified, default, or initial), so you can make informed decisions without leaving the report.

Data, security, and privacy

  • Read-only, domain-scoped access. Valimail can only read the list of verified domains in your tenant. We cannot read mail, mailboxes, users, groups, files, or directory contents.

  • No credentials stored. The integration uses the Microsoft consent framework. There are no passwords or secrets exchanged with Valimail.

  • Tenant-controlled. Because the App Registration lives in your tenant, you can audit, restrict, or remove it at any time directly from the Azure portal.

  • Disconnect on your terms. Removing the App Registration in Azure terminates Valimail’s access immediately. See the companion article “Trusted Domains: How to disconnect the integration” for step-by-step instructions.

Availability

The Trusted Domains report is currently available through Valimail Labs and rolling out to additional accounts over time. If you do not see the Trusted Domains card on your Integrations page, contact your Valimail account team to request access.

Frequently asked questions

Does this give Valimail access to our email or users?

No. The integration is scoped to read your domain list only. Valimail cannot read mail, mailboxes, users, groups, or any other directory content.

Will this change anything in our Microsoft tenant?

The only object created is a Valimail-published App Registration that holds the read-only consent. Nothing else in your tenant is altered, nothing will run in the tenant, there are no costs associated, and no domains are modified in Microsoft.

How often is the data refreshed?

Valimail re-reads the domain list every time the report is opened.

What happens if we lose admin access to the tenant or the App Registration is removed?

If the App Registration is deleted or its consent is revoked, Valimail loses access on the next call. The Trusted Domains card on the Integrations page will return to a disconnected state and offer the option to reconnect.

How do we disconnect?

Disconnecting is done from the Azure portal by deleting the Valimail App Registration. The Trusted Domains integration card includes a direct link to that page in your tenant. For full instructions, see the companion article: Trusted Domains: How to disconnect the integration.

Need help?

If you run into issues during connection, or want help interpreting the Trusted Domains report, contact Valimail Support through the in-app messenger or your Account Manager.
