0

I have two completely separate tenants in Azure. PROD tenant hosts a zone in Azure DNS. I want to delegate a subdomain (sub-zone) to a DEV tenant also running Azure DNS. Is this supported? If yes - how do I do it?

If this isn't supported, then what would be a sane and secure way to allow users in the DEV tenant to edit DNS records for that subdomain in the PROD tenant?

Konrads
  • 900

1 Answer

0

Yes, it is possible.

Public DNS knows nothing about accounts, tenants, providers, etc. You can have DNS servers in different Azure tenants, different cloud providers, etc. Delegation is managed by DNS resource records pointing to other public DNS servers.

Create/configure a DNS server to serve the child zone. Make note of the DNS server's IP addresses. Then create NS (Name Server) resource records in the parent DNS server.

It is that simple. I am leaving out advanced features such as DNSSEC, but that is a whole topic to itself.

John Hanley
  • 5,164
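
The delegation described in the answer can be checked once both zones exist. The following is an added example, not part of the original answer: it compares the NS records the parent zone holds for the child with the name servers the child zone itself lists, and flags mismatches and parent records hidden by the delegation. The zone names, name server names and addresses are constructed sample data.

```python
# Constructed sample data: example.com is the parent (PROD) zone and
# dev.example.com the delegated child (DEV) zone; every name is illustrative.
PARENT_ZONE = """\
example.com.         3600 IN NS ns1-01.azure-dns.com.
www.example.com.     300  IN A  203.0.113.10
dev.example.com.     3600 IN NS ns1-07.azure-dns.com.
dev.example.com.     3600 IN NS ns2-09.azure-dns.net.
api.dev.example.com. 300  IN A  203.0.113.20
"""
# Name servers the child zone itself reports at its apex (constructed).
CHILD_APEX_NS = ["ns1-07.azure-dns.com.", "ns2-07.azure-dns.net."]

def norm(name):
    """Lower-case a DNS name and make it fully qualified."""
    return name.lower().rstrip(".") + "."

def parse_zone(text):
    """Parse 'owner ttl IN type rdata' lines into (owner, type, rdata)."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blanks
        if line:
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            records.append((norm(owner), rtype.upper(), rdata.strip()))
    return records

def audit_delegation(parent_zone, child, child_apex_ns):
    """Compare the parent's NS records for `child` with the child's own NS set."""
    child = norm(child)
    records = parse_zone(parent_zone)
    parent_ns = {norm(r) for o, t, r in records if o == child and t == "NS"}
    child_ns = {norm(n) for n in child_apex_ns}
    if not parent_ns:
        return [f"undelegated: no NS records for {child} in the parent"]
    findings = []
    for ns in sorted(parent_ns - child_ns):  # parent points at a server the child does not use
        findings.append(f"lame: parent delegates to {ns}, not listed by the child")
    for ns in sorted(child_ns - parent_ns):
        findings.append(f"missing: child lists {ns}, absent from the parent")
    for owner, rtype, _ in records:
        at_or_below = owner == child or owner.endswith("." + child)
        is_cut = owner == child and rtype == "NS"  # the delegation itself
        is_glue = rtype in ("A", "AAAA") and owner in parent_ns
        if at_or_below and not is_cut and not is_glue:
            findings.append(f"occluded: {owner} {rtype} in the parent is hidden by the delegation")
    return findings

if __name__ == "__main__":
    for finding in audit_delegation(PARENT_ZONE, "dev.example.com", CHILD_APEX_NS):
        print(finding)
```

An empty result means the parent's NS set matches the child's and nothing in the parent sits at or below the delegation point.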