Can anyone correct an intuition (that may be wrong!)
After launch, I struggled to make Azure AD talk to ADFS (as IDP proxy). Validating the domain was the hard part, since I though it correct to use the console's UI. The latter gives certain types of CNAMES to stick in the DNS RR, of course. I could not make this work. Using powershell, however, I made a variant of domain-validation work. The powershell commands output another variant set of CNAME mods for the DNS RR (and have command options to induce validation thereof).
Is the Azure AD Console's Domain Validation REALLY THERE FOR SP-side domain validation (vs IDP-proxying domain validation)?
Is it targeting validation of those SAAS-domains hosting SAAS-apps - able to leverage the "external" features of a "master" Azure AD tenant (that controls which "slave" tenants are authorized to provision themselves as asserting parties to a new tenant within the SAAS app AT THE VALIDATION DOMAIN (only).