SUMMARY AND BACKGROUND
Customers can purchase a Microsoft 365 subscription directly from GoDaddy along with their primary domain. When this happens, GoDaddy federates the domain and tenant to its own sign-in service, which prevents the tenant from being transferred under the CSP program or direct to Microsoft while that federation is in place. Moving and defederating such a tenant has been a major pain point and source of confusion, which this post addresses.
Following the approach in this guide you can:
- Defederate the tenant without migrating
- Never have to call GoDaddy
- Keep user accounts vs deleting them
- Have no downtime
High-level steps:
A. Prepare your End Users
B. Become a Tenant Admin in GoDaddy
C. Remove Federation with GoDaddy
D. Reset Users' Passwords
E. Add a CSP Provider or Move Direct to Microsoft
F. Provision Licensing into the Account
G. Remove GoDaddy as Delegated Admin
H. Cancel GoDaddy Subscription
Prepare Your End Users
- After defederation, users authenticate against Microsoft 365 directly instead of through GoDaddy, so every user needs a new password before they can sign in again. Either collect passwords from users beforehand or prepare a list to distribute. The simplest option is to reset everyone to a temporary password after defederation and let them change it on first sign-in.
- Set a date and time for the defederation and tell users in advance. Non-business hours are safest, even though mail flow is not interrupted by this procedure.
- During the license transition, users may see activation prompts in the Office apps and Outlook, so give them instructions for signing back in after the switch. In the Office apps this is File > Account > Sign Out, then Sign In.
- In Outlook, users are prompted to re-enter their password once it has been changed.
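The CSV that the later password-reset step reads (headers UserPrincipalName and Password) can be generated rather than typed by hand. The script below is an added example and is not code from the original post: it enumerates the enabled member users in the federated domain and writes one random temporary password per user. The domain name and output path are assumptions to replace with your own, and it assumes you are signed in as the admin account obtained in "Become a Tenant Admin in GoDaddy".

```powershell
# Added example, not code from the original post.
# Builds the CSV consumed by the password-reset step: one row per user with the
# headers UserPrincipalName and Password. Assumed values are marked below.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "User.Read.All"   # sign in as the <tenant>.onmicrosoft.com admin

$Domain  = "contoso.com"                  # assumed: the GoDaddy-federated domain
$OutPath = ".\temp-passwords.csv"         # assumed: delete this file after the reset

function New-TempPassword {
    param([int]$Length = 16)
    # Exactly 64 symbols (ambiguous 0/O/1/l/I left out), so "byte mod 64" is unbiased.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*?@+'
    if ($chars.Length -ne 64) { throw "character set must have 64 entries" }
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $chars[$_ % 64] })
        # Retry until all four character classes are present (the default complexity rule)
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d' -and $pw -match '[^A-Za-z0-9]')
    return $pw
}

# Enabled member accounts whose sign-in name is in the federated domain; guests and
# the admin@<tenant>.onmicrosoft.com account are out of scope.
$users = Get-MgUser -All -Property UserPrincipalName,AccountEnabled,UserType |
    Where-Object { $_.UserType -eq 'Member' -and $_.AccountEnabled -and $_.UserPrincipalName -like "*@$Domain" }

$rows = foreach ($u in $users) {
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Password          = New-TempPassword
    }
}
$rows | Export-Csv -Path $OutPath -NoTypeInformation
Write-Host "Wrote $(@($rows).Count) rows to $OutPath"
```

Run it before the defederation window, hand the passwords out through a channel other than the mailboxes being cut over, and delete the file once the reset step has run: it holds every user's credential in plaintext.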
Become a Tenant Admin in GoDaddy
When a customer sets up Microsoft 365 directly with GoDaddy, the initial user is created as an "admin", but that user is redirected to the GoDaddy portal whenever they open the Admin tab on Office.com. To run the PowerShell that defederates the tenant, you need the true Global Admin account that GoDaddy created, admin@<tenant>.onmicrosoft.com.
- Sign in to portal.azure.com with the admin user that was set up when the account was first created and open the menu (the three lines) in the top-left corner.
- Click Azure Active Directory, then Users.
- You should see a user of the form admin@<tenant>.onmicrosoft.com.
Click this user and reset their password. If you already have access to this user, skip this step.
Copy the temporary password, open a private (incognito) browser window, go to office.com, sign in with that username and the temporary password, and set a new password. This account is the one administrator the tenant has outside GoDaddy's control, so give it a strong, unique password and keep the credentials somewhere safe. You now have a user that can run the PowerShell commands in the following steps.
Remove Federation with GoDaddy
Use the following PowerShell to defederate the tenant. Run PowerShell as administrator so the module can be installed.
Write-Host "Checking for MSGraph module..."
$Module = Get-Module -Name "Microsoft.Graph.Identity.DirectoryManagement" -ListAvailable
if ($null -eq $Module) {
    Write-Host "MSGraph module not found, installing MSGraph"
    Install-Module -Name Microsoft.Graph.Identity.DirectoryManagement
}
# Enter the admin credentials from "Become a Tenant Admin in GoDaddy"
Connect-MgGraph -Scopes "Directory.Read.All","Domain.Read.All","Domain.ReadWrite.All","Directory.AccessAsUser.All"
# Confirm the domain shows AuthenticationType = Federated
Get-MgDomain
Update-MgDomain -DomainId "<InsertFederatedDomain>" -AuthenticationType Managed
An example DomainId is "tminus365.com": the domain that Get-MgDomain listed as federated and that you want to convert to managed. The command completes without output; run Get-MgDomain again and the domain now shows as "managed". Treat this as a one-way step: converting the domain back to GoDaddy federation is not something you can do yourself, so only run it when you are ready to cut over.
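As an added example that is not part of the original post, the script below wraps the same Update-MgDomain call with the checks a practitioner would want before a one-way change: it lists every domain the tenant currently has as federated (the comments on this post report that more than one domain can be federated), warns if the signed-in account belongs to one of them, asks for confirmation, converts all of them, and then re-reads the domain list to verify. It assumes the Microsoft.Graph.Identity.DirectoryManagement module is installed.

```powershell
# Added example, not code from the original post.
# Converts every federated domain in the tenant to managed, with a pre-check on the
# signed-in account and a post-check from a fresh read of the domain list.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "Domain.ReadWrite.All"   # sign in as the <tenant>.onmicrosoft.com admin

$federated = @(Get-MgDomain | Where-Object { $_.AuthenticationType -eq 'Federated' })
if ($federated.Count -eq 0) {
    Write-Host "No federated domains found; nothing to do."
    return
}

# A session signed in through one of these domains depends on the very federation
# that is about to be removed, so flag it before going further.
$account  = (Get-MgContext).Account
$myDomain = ($account -split '@')[-1]
if ($federated.Id -contains $myDomain) {
    Write-Warning "Signed in as $account, which is in a domain about to be converted. Use the .onmicrosoft.com admin instead."
}

$federated | Select-Object Id, AuthenticationType, IsVerified, IsDefault | Format-Table -AutoSize
$answer = Read-Host "Convert the domains above to Managed? Re-federating with GoDaddy afterwards is not something you can do yourself (yes/no)"
if ($answer -ne 'yes') { return }

foreach ($d in $federated) {
    Update-MgDomain -DomainId $d.Id -AuthenticationType Managed -ErrorAction Stop
    Write-Host "Converted $($d.Id)"
}

# Verify from a fresh read rather than trusting the update calls
$still = @(Get-MgDomain | Where-Object { $_.AuthenticationType -eq 'Federated' })
if ($still.Count -gt 0) { throw "Still federated: $($still.Id -join ', ')" }
Get-MgDomain | Select-Object Id, AuthenticationType | Format-Table -AutoSize
```

Domain.ReadWrite.All is the only scope the conversion needs; the wider scopes in the original script are harmless but not required for this step.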
Supporting CMDLET docs:
Reset Users' Passwords
##########Connect to MsGraph##########
Write-Host "Checking for MSGraph module..."
$Module = Get-Module -Name "Microsoft.Graph.Users" -ListAvailable
if ($null -eq $Module) {
    Write-Host "MSGraph module not found, installing MSGraph"
    Install-Module -Name Microsoft.Graph.Users
}
# Enter the admin credentials from "Become a Tenant Admin in GoDaddy"
Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.AccessAsUser.All"
############# Define CSV path of Users and Group ##################
$UserPath = Read-Host -Prompt "Enter File Path For CSV list of users"
##### CSV template has the headers UserPrincipalName and Password #####
# Update-MgUserPassword only changes the signed-in user's own password, so an admin
# reset of other users is done by writing the user's passwordProfile instead.
# Set ForceChangePasswordNextSignIn to $false if users supplied their own passwords.
Import-Csv -Path $UserPath | ForEach-Object {
    Update-MgUser -UserId $_.UserPrincipalName -PasswordProfile @{
        Password                      = $_.Password
        ForceChangePasswordNextSignIn = $true
    }
}
# The CSV holds plaintext passwords: distribute them out of band and delete the file afterwards.
Add a new Provider and Provision Licensing
Now that the tenant is defederated, you can add a CSP partner using their delegated admin link, or go direct to Microsoft.
For CSP:
Open the partner's link in a browser, sign in with the Global Admin credentials if you are not already signed in, and accept the relationship. Reload the page and the new CSP is listed.
Order licensing for the customer. If you are not changing the subscription type, provision the same number of seats you have today, remove GoDaddy as delegated admin, and cancel with GoDaddy. Nothing else is required: license ownership transfers and users see no downtime.
If you are changing the subscriptions assigned to users (for example, moving them from Business Standard to Business Premium), perform the following steps:
- Order the licensing from CSP
- See the licensing provisioned in the 365 Tenant for this customer under Billing>Your Products
- Go to Users > Active Users, bulk assign the new CSP licensing, and unassign the GoDaddy licensing.
- Remove GoDaddy as Delegated admin
- Cancel the GoDaddy subscription in the GoDaddy admin portal.
For Microsoft Direct:
- In the Microsoft Admin Portal, go to Billing > Purchase Services
- Purchase the licensing you want to have for your users
- Follow the same steps as for CSP to assign licenses to users if you changed their subscription type (for example, moving from Business Standard to Business Premium).
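When the subscription type changes, the bulk assign/unassign described for both the CSP and the Microsoft Direct paths can also be done from PowerShell. The following is an added example and not code from the original post: it resolves the old and new SKUs, checks that enough new seats have been provisioned, and for each user adds the new license and removes the old one in a single request, so no mailbox is left unlicensed in between. The SKU part numbers are assumptions; confirm them against Get-MgSubscribedSku in your tenant. For the same-SKU case the post describes, nothing needs to be done here.

```powershell
# Added example, not code from the original post.
# Swaps users from an old SKU to a new one in a single request per user, after
# checking seat availability. SKU part numbers below are assumed; verify them
# with Get-MgSubscribedSku in your tenant.
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Identity.DirectoryManagement
Connect-MgGraph -Scopes "User.ReadWrite.All","Organization.Read.All"

$OldSkuPart = "O365_BUSINESS_PREMIUM"   # assumed: Microsoft 365 Business Standard (GoDaddy)
$NewSkuPart = "SPB"                     # assumed: Microsoft 365 Business Premium (CSP / direct)

$skus   = Get-MgSubscribedSku
$oldSku = $skus | Where-Object SkuPartNumber -eq $OldSkuPart
$newSku = $skus | Where-Object SkuPartNumber -eq $NewSkuPart
if (-not $oldSku -or -not $newSku) { throw "SKU not found; compare against Get-MgSubscribedSku | Select SkuPartNumber,SkuId" }

$holders = @(Get-MgUser -All -Property Id,UserPrincipalName,AssignedLicenses,UsageLocation |
    Where-Object { $_.AssignedLicenses.SkuId -contains $oldSku.SkuId })
$free = $newSku.PrepaidUnits.Enabled - $newSku.ConsumedUnits
if ($holders.Count -gt $free) {
    throw "$($holders.Count) users hold $OldSkuPart but only $free $NewSkuPart seat(s) are free; order more first."
}

foreach ($u in $holders) {
    if (-not $u.UsageLocation) {
        Write-Warning "$($u.UserPrincipalName) has no UsageLocation set; assignment would fail, skipping"
        continue
    }
    # Add the new SKU and remove the old one in the same call so the mailbox is never unlicensed.
    Set-MgUserLicense -UserId $u.Id `
        -AddLicenses @(@{ SkuId = $newSku.SkuId }) `
        -RemoveLicenses @($oldSku.SkuId) -ErrorAction Stop | Out-Null
    Write-Host "Swapped $($u.UserPrincipalName): $OldSkuPart -> $NewSkuPart"
}

# Post-check: nobody should still hold the old SKU
$left = @(Get-MgUser -All -Property UserPrincipalName,AssignedLicenses |
    Where-Object { $_.AssignedLicenses.SkuId -contains $oldSku.SkuId })
if ($left.Count -gt 0) { Write-Warning "Still on ${OldSkuPart}: $($left.UserPrincipalName -join ', ')" }
else { Write-Host "All $($holders.Count) users moved." }
```

Run it only after the new licenses show under Billing > Your Products; the seat check will refuse to start if fewer new seats exist than users holding the old SKU.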
Remove GoDaddy as Delegated Admin and Cancel Subscription
In the 365 Admin Portal, under Settings > Partner Relationships, click GoDaddy and remove their roles.
In GoDaddy, cancel the renewal.
Conclusion
From here, the GoDaddy subscription expires at the end of its term and that is all. You now have a tenant under CSP (or direct with Microsoft) with all of the management functionality you are used to. Hope this provided some targeted guidance on defederating a GoDaddy tenant! Please share with the community!
Bonus: SharePoint URLs
- Update the default SharePoint URLs to reflect the tenant domain.
The video below is a bit outdated but still gives some visual context. Follow the steps above rather than the video, since some of the PowerShell it shows is no longer necessary. I will look to update the video in the near future.
This was a big help. I did run into a couple of issues in the PowerShell.
I had to run these two commands again after Enable-OrganizationCustomization
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Then before Import-module msonline would work, I had to run Install-Module MSOnline
Thanks for your help.
Thanks for the feedback, Grant. I updated the post here to reflect using the ExchangeOnline v2 cmdlets and added a piece to the script that looks for the MSOnline module before running anything else.
I got the following error when I tried to assign application impersonation.
You don’t have access to create, change, or remove the “xxxxx.onmicrosoft.com\ApplicationImpersonation-admin”
management role assignment. You must be assigned a delegating role assignment to the management role or its parent in
the hierarchy without a scope restriction.
+ CategoryInfo : InvalidOperation: (xxx.o…rsonation-admin:ADObjectId) [New-ManagementRoleAssi
gnment], InvalidOperationException
+ FullyQualifiedErrorId : [Server=BN6PR22MB0308,RequestId=f6bb6263-13f1-4d1a-98da-0e7117e3d907,TimeStamp=2/19/2021
7:24:29 PM] [FailureCategory=Cmdlet-InvalidOperationException] 5281C25D,Microsoft.Exchange.Management.RbacTasks.N
ewManagementRoleAssignment
+ PSComputerName : ps.outlook.com
Hi, Kevin!
Did you solve this error? I got the same
Kevin, I had the same on the test account I set up. Try adding a -Name "MyMigrationImpersonation_orwhateveryouwanttocallit" to the command. Like this: New-ManagementRoleAssignment -Name "MyMigrationImpersonationxxx" -Role "ApplicationImpersonation" -User admin@NETORGXXXXXXXXX
If that still fails, you can also assign application impersonation via the Exchange GUI admin panel inside GoDaddy.
see here: https://support.cloudm.io/hc/en-us/articles/360008478499-Setting-up-Application-Impersonation-for-Exchange-or-Office-365
Yes, need to run Install-Module MSOnline before running Import-Module MSOnline. That’s the only change I made. I also couldn’t leave RemoteSigned ExecutionPolicy but it worked regardless.
Worked great… Ran into this when trying to enable Org Customization.
PS C:\WINDOWS\system32> Enable-OrganizationCustomization
This operation is not required. Organization is already enabled for customization.
No issues with the defederation though.
Instead of resetting passwords I was hoping to use AD Connect, however none of my users will sync… despite the UPN suffixes, email address, and account name matching (tried proxyaddress as well, but no difference). AD Connect is giving the "AttribValueMustBeUnique" error. Looks like I'll have to reset their passwords, then figure out why AD Connect isn't syncing another time.
Bill
Follow up…
Solved the sync issue by overwriting the immutableID. Seems the cloud accounts already had it set. Not sure if that’s due to the previous GoDaddy relationship, or not.
$credential = Get-Credential
Connect-MsolService -Credential $credential
$ADUser = "username"
$365User = "username@emaildomainname.com"
# Base64 of the on-prem objectGUID is what the cloud account's ImmutableId must hold
$guid = (Get-ADUser $ADUser).ObjectGuid
$immutableID = [System.Convert]::ToBase64String($guid.ToByteArray())
Set-MsolUser -UserPrincipalName "$365User" -ImmutableId $immutableID
It looks like as of April 1 (we had a client sign up for a new Office 365 tenant with GoDaddy) they federate the NETORGFT domain too, so I was unable to login via PowerShell
Hey Patrick, if you follow the steps you can create a separate admin in the account and log in with the custom domain to PS. Defederating both domains would still be possible.
Do you have to have a CSP or can they just buy the licenses directly in O365?
They can buy them directly as well
HUGE HELP!! Just what I was looking for. Thank you!!
Hi,
I have followed your guide, and got as far as New-ManagementRoleAssignment -Role “ApplicationImpersonation” -User “admin@mytenant.onmicrosoft.com”
I have successfully run Enable-OrganizationCustomization, but when I run New-ManagementRoleAssignment -Role “ApplicationImpersonation” -User “admin@mytenant.onmicrosoft.com” it tells me that I first need to run Enable-OrganizationCustomization if i run it again i get the following
Enable-OrganizationCustomization
This operation is not required. Organization is already enabled for customization.
+ CategoryInfo : NotSpecified: (:) [Enable-OrganizationCustomization], InvalidOperationException
+ FullyQualifiedErrorId : [Server=CWLP265MB0836,RequestId=86fd113a-2bd1-404d-b712-1361c5abd582,TimeStamp=28/04/202
1 11:49:05] [FailureCategory=Cmdlet-InvalidOperationException] 8D806BDF,Microsoft.Exchange.Management.Deployment.E
nableOrganizationCustomizationTask
+ PSComputerName : outlook.office365.com
New-ManagementRoleAssignment -Role “ApplicationImpersonation” -User “admin@mytenant.onmicrosoft.com”
The command you tried to run isn’t currently allowed in your organization. To run this command, you first need to run
the command: Enable-OrganizationCustomization.
+ CategoryInfo : NotSpecified: (:) [New-ManagementRoleAssignment], InvalidOperatio…ontextException
+ FullyQualifiedErrorId : [Server=CWLP265MB0836,RequestId=5f237c45-d616-4f76-addd-d8010f11a836,TimeStamp=28/04/202
1 11:48:44] [FailureCategory=Cmdlet-InvalidOperationInDehydratedContextException] 386271AD,Microsoft.Exchange.Mana
gement.RbacTasks.NewManagementRoleAssignment
+ PSComputerName : outlook.office365.com
Hey Tim, that's odd. I would close PowerShell > open a new window as admin > Connect-ExchangeOnline and try again here with just the New-ManagementRoleAssignment cmdlet.
I am getting this same issue but even with different computers I'm getting stuck in the loop, plus it won't let me create this via the GUI either.
This help immensely! Thank you so much. I am in the process of merging two companies with the main being in GoDaddy. I was afraid it was going to be a process to move the main company and their Teams and SharePoint. Thanks again!
Any pointers or anything I need to be aware of? I am trying this next week for a client 🙂
Will post results!
How did you go Chris? I am also planning to do this in two weeks time.
Thank you so much for posting this! I just successfully de-federated a client and this was a huge timesaver. The only issue I had was this section of your script to remove GoDaddy’s federation:
Set-MsolDomainAuthentication -DomainName "" -Authentication Managed
I got an error because I didn’t look carefully enough to realize I had to insert the domain inside the quotes. I ran that line by itself afterward and verified it was then “managed.”
The best part was removing GoDaddy’s roles in the 365 admin settings and cancelling the renewals. Thanks again!
Would like to attempt this but have a question about existing licenses purchased through GoDaddy. Will they stay in the tenant account after defederation? I’m specifically asking about annual licenses.
They will, but a best practice would be to move to a different provider like MS direct.
We are running into an issue with not being able to connect our third party CSP due to the “companyname.onmicrosoft.com” domain not having been created. We’ve attempted to add in the domain and have access to the DNS hosting service(GoDaddy) to create the required records but keep getting an error that Microsoft is unable to detect the updated DNS records to verify domain ownership.
You would need to just add a custom domain that you own. Something with a .com, .org, .net etc. You will never have access to create a .onmicrosoft verification
Hi,
Hope someone can help me on this.
My godaddy account only has three mailboxes.
Can I create a new tenant on 365 and delete the godaddy tenant after but keep the DNS and domain service with godaddy?
Of course I will backup all the mailboxes to pst file before removing the goddady tenant.
Do I still need to perform any type of migration?
No migration is required if you follow the steps I outlined here. You can keep your domain hosted with GoDaddy, you'd just be cancelling the 365 services.
Very good article. I have been waiting to migrate from GoDaddy for almost a year. This will make it easy. One question, if I purchased my Office licenses and my tenant is directly through Microsoft. The article says to add a "CSP with their delegated admin link…". Do I still need to do that or can I purchase the licenses directly at Microsoft?
Any help or info is greatly appreciated.
Paul
You can purchase direct through Microsoft. CSP isn't required.
I don’t see a way to remove specifically the godaddy licenses and add the MS direct licenses I purchased. Purchasing MS Direct licenses just added “unassigned” licenses to the license count. Do I need to wait a while for something to update or am I missing something?
Once the licenses with GD expire, the ones you get direct will automatically reassign to users as long as the license type is the same. It typically is a waiting game for the licenses to drop off from GD.
Thank you soooo much for this guide. I was just about to use BitTitan to do the migration before I saw your article. I am going to do this next week and had a question on the CSP side. I set up my client in my CSP portal, but did not do the “Confirm MCA acceptance” part yet. Can/Should I do this before I do the defederation or do I need to wait until after? And I am assuming that I have to wait until after defederation to do the customer invitation part too?
Thanks again for putting this guide out there!
Hey Ken! Appreciate the support. I wouldn't do it till after; it should be a simple step to complete as well once you've regained full access.
Hi,
GoDaddy told me that I would need to delete all email accounts (end users) associated with my domain if I want to set up email with Microsoft (for free under a program for nonprofits). GoDaddy said that this was a necessary step in order to "defederate" my domain. They claimed that defederation would start automatically once I deleted all of the emails (from our GoDaddy account). It's been nearly 2 days since deletion and Microsoft's site is still saying that my domain is still linked to a Microsoft organization that is associated with GoDaddy. Can someone help/advise me on how to get my domain released from GoDaddy so that I can set up email accounts using a Microsoft tenant? It seems that the level of help GoDaddy provides varies from customer to customer. Actually, I am getting pushed back and forth between MS and GoDaddy reps. Is the defederation process something that GoDaddy controls or is it a process that has to play out over servers across the internet? If it's the latter, why on earth would it not be done in 48 hours (seems like plenty of time)? Thanks
Hey, sorry you went through this experience. This is the precise reason I created the article you have here. They don't know the defed process and different teams at their org will tell you different stories. Were you able to get this sorted out?
I would just like to say a big THANK YOU for this write-up, incidentally if you are not ready to de-federate, don’t set the domain to Managed because if you try to set it back to Federated, it will fail and require a case to be opened with GoDaddy who will then proxy the case with Microsoft which will take 7-10 business days. I found out the hard way, the good news is mail continues to work and files are accessible, but if you attempt to login to webmail.godaddy.com it will SSO assert identity and then Microsoft’s login service will throw a federated exception saying the domain can’t be found. I ended up buying a direct O365 license via Microsoft, reset the original Godaddy email account via portal.azure.com, assigned the new license and voila, all is good. I have to delete the Godaddy subscription but the cutover was SMOOTH!!!!!
Hey Wes, thanks for sharing your experience! Good to know
Can we create another account with global admin role from the portal.azure.com in advance instead of resetting the password of the first admin account before the defederation? Is there a consequence of doing this? I will be doing a migration in Nov and some ideas may help me prepare.
You can totally do that. There is no downside
I was having issues initially when following your SharePoint guide, but then saw I no longer needed to run the "$Session= New-PSSession -ConfigurationName M…" command that I was getting access denied on, so instead I just followed the above section under "Remove Federation with GoDaddy". When running this I was able to change the custom domain from Federated to Managed. I was then able to get into the M365 Admin portal without issue. Thank you for this!
My customer also had ProofPoint added to their subscription from GoDaddy. So I had to update the DNS records to have the MX records go directly to O365 instead of ProofPoint. I also need to remove the transport rule and outbound connector directing outbound email to ProofPoint in the Exchange Admin Center.
The issue I am having now is that I cannot add my company and my indirect reseller. After clicking on my link while logged in as the tenant's global admin, I get an error that says "Try that again later. We couldn't set up your partner relationship." after accepting the agreements and clicking on Accept & authorize. I have opened a ticket with Microsoft unless anyone has seen this?
Thanks again for this, so far it is much better than migrating and depending on GoDaddy to release the domain in a timely manner!
Ryan
Hey Ryan, haven’t really run across that but could just be a point in time with MS that it wasn’t going through. Were you able to get this resolved?
Thanks for the reminder about the GoDaddy customers who've added Proofpoint and removing the corresponding transport rule + send connector in the Exchange admin console!! We defederated two such domains months ago, but lately they had been getting multiple rejections when sending to certain domains. The server rejecting the messages was always ppe-hosted.com or pphosted.com (Proofpoint), error was either 554 5.0.0, " is not allowed to send mail from , please see the SPF record", or 554 5.7.0 "email rejected per SPF policy". I finally checked back on this thread to see if anyone else had the issue, and your comment was a lifesaver.
Sure enough, the transport rule and send connector for Proofpoint were still there in the Exchange console for the two domains we defederated. What a headache this has been, and thanks again.
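The two comments above describe routing left behind by a GoDaddy-bundled filter: a transport rule and outbound connector sending mail through Proofpoint, and later SPF rejections from the Proofpoint relay. The script below is an added example, not code from the original post or from the commenters. It audits Exchange Online for outbound and inbound connectors matching the filter's hostnames, transport rules that route through those connectors, and MX records for the domain that still point at the filter, and it changes nothing unless $Apply is set. The hostname pattern and domain are assumptions; Resolve-DnsName requires Windows PowerShell on Windows.

```powershell
# Added example, not code from the original post or the comments.
# Audits Exchange Online for routing left over from a GoDaddy-bundled filter such
# as Proofpoint. Read-only unless $Apply is $true. Pattern and domain are assumed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$Pattern = 'pphosted|ppe-hosted|proofpoint'   # assumed: relay hostnames for the old filter
$Domain  = 'contoso.com'                      # assumed: the defederated domain
$Apply   = $false                             # set to $true to disable what is found

$outbound = @(Get-OutboundConnector | Where-Object {
    $_.Enabled -and (($_.SmartHosts -join ',') -match $Pattern -or $_.Name -match $Pattern)
})
$inbound = @(Get-InboundConnector | Where-Object {
    $_.Enabled -and ($_.Name -match $Pattern -or $_.TlsSenderCertificateName -match $Pattern)
})
# Rules whose action is "route through connector X" for one of the connectors above
$rules = @(Get-TransportRule | Where-Object {
    $_.State -eq 'Enabled' -and $_.RouteMessageOutboundConnector -and
    $_.RouteMessageOutboundConnector -in $outbound.Name
})
# MX still pointing at the filter means inbound mail is not reaching Exchange Online directly
$mx = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
    Where-Object { $_.NameExchange -match $Pattern })

Write-Host "Outbound connectors : $($outbound.Name -join ', ')"
Write-Host "Inbound connectors  : $($inbound.Name -join ', ')"
Write-Host "Transport rules     : $($rules.Name -join ', ')"
Write-Host "MX records          : $($mx.NameExchange -join ', ')"

if ($Apply) {
    # Disable rules first: a rule still pointing at a disabled connector would leave mail undeliverable.
    foreach ($r in $rules)    { Disable-TransportRule -Identity $r.Name -Confirm:$false }
    foreach ($c in $outbound) { Set-OutboundConnector -Identity $c.Name -Enabled $false }
    foreach ($c in $inbound)  { Set-InboundConnector  -Identity $c.Name -Enabled $false }
    Write-Host "Disabled $($rules.Count) rule(s) and $($outbound.Count + $inbound.Count) connector(s); fix the MX record at the registrar."
}
```

Disabling rather than deleting keeps the objects around for a rollback if the filter subscription turns out to still be active; delete them once mail has flowed cleanly for a while.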
So after the defederating process can all admin users access the Admin portal again?
Yes, it strips away their front end and puts things back to normal.
Awesome write-up. Thank you for taking the time to post this and with such great detail. I’ll be doing this next week for a client. Hoping all goes well.
Question: can GoDaddy cancel and wipe these accounts simply by me defederating the domain? Or that script is initiated once you cancel the licenses and keep them on with CSP relationship? Also, what can go wrong by doing this? Is the only potential risk GoDaddy deleting the account? If so, the way to mitigate this is just by removing their relationship and adding your own licenses?
Thanks!
Hey Mike, GD cannot have access to do anything as long as you have removed their delegated admin rights and reset passwords on admin accounts originally created in the tenant. From experience, if you had not done these steps and just cancelled the subscription, they would blow away all the users (which was a recoverable action, just a pain). I hope your migration went well!
Hey! Thanks for the response. Things went well. I am curious as to how to get the GoDaddy licenses to stop showing on my M365 admin center. I am trying to use the same type of license on my new dash but GoDaddy’s seem to be stuck here and I cannot purchase the commercial direct ones to apply to a user because they are grouped with the GD ones.
What should I do? I cancelled renewal on the GD emails. Should I delete/purge them from GD too? Delete the “email” product on GD?
Thanks!
From my experience, it just takes some time for them to fall off within the admin center. This should not limit your capabilities of purchasing direct. If anything, you can have those licenses and you wouldn’t have to reassign the license to the user, it would just take the one that was active.
I will following the instruction here this weekend for a client. They have multiple forwarding rules created from different domains to the federated domain. Will the rules applied be somehow affected after defederation?
They shouldn’t be as long as none of them are rules related to AV filtering that you are also getting from GD
Hi,
Are there any implication for existing data stored within Teams? It would seem not but thought i’d best check as can’t risk losing access to their files.
thanks,
Matt
No, there is no risk of data being lost in Teams or any other suite offering like OneDrive or SharePoint
This was incredibly useful. THANK YOU!
Is there a reason why we need to change all the users’ passwords? Can’t we leave them as is?
Passwords need to be reset
Hello,
Thank you for your article.
I am supporting a Non-Profit that desires to move their GoDaddy O365 Essential Email service to MS 365 Business Basic.
The Non-Profit has their Domain registered by GoDaddy for both a Web Page, and GoDaddy’s 365 essential Email services.
We have completed the process of obtaining the MS Grant, purchased the MS Non-Profit license, have access to the newly created onmicrosoft.com / generic Non-Profits 365 Portal, and created Global Admins for the Portal. The Non-Profit MS O365 Business license is properly listing in the new onmicrosoft.com 365 Admin Portal. The Non-Profit desires to leave the Domain Registrar with GoDaddy.
Is there any reason why the MS Add Domain process within the new MS 365 Admin Portal will not properly perform the automatic migration of the Email Domain from GoDaddy to MS, i.e. automatically adding the TXT, DNS, MX, and CNAME record updates to the GoDaddy Admin Portal? Any other insights and suggestions would be greatly appreciated.
You will have to migrate all mail to the generic .onmicrosoft domain first, performing a tenant-to-tenant migration. You cannot simply add the domain in the newly created tenant. It will give you an error and say it exists in another Microsoft tenant. You basically have to migrate all data and decide a date/time to defederate the existing tenant with GoDaddy, strip the domain (which creates a window of downtime) and add it to the newly created tenant. I recommend using a tool like BitTitan to perform a tenant-to-tenant migration like this.
Hello!
Thanks a lot for the great write up. I noticed that in this set of instructions you no longer require “Enable Impersonation on GoDaddy”. Is this step no longer required? I saw where Bill mentioned that it didn’t need to be run but wanted to check for sure.
Also, if this step is still required can you accomplish the same thing by adding your GA user to the “ApplicationImpersonation” group in the Exchange Admin Center?
Hey David! It is not required.
Hi, do you happen to know if the last sentence of your blog also applies to SAML and directory integration of JumpCloud?
Quote:
If you intend to re-federate the tenant after moving off GoDaddy with an IDP like OneLogin, a tenant-to tenant migration is REQUIRED. If you try to federate with a 3rd party after defederating with GoDaddy, all admin users will be redirected to GoDaddy’s admin portal. Microsoft support confirms tenant to tenant migration is the only way around this process.
My guess is that it would be the same. You could still try this out before doing a migration, where you would defederate, test, and if it doesn't work then do the tenant-to-tenant migration.
You sir, are my new hero. You made a painful process SO much easier. I just migrated a 3-mailbox customer to test out the process before using this procedure on a much larger customer next month. Thank you, thank you, thank you!
Danny
If they host their website on GoDaddy also can they just cancel the Microsoft subscription and keep the website hosted on GoDaddy?
I may have missed it in the video but also adding ourselves as their partners and purchasing their new license would just be a simple license switch from the admin center right?
Yea, the sub has nothing to do with their domain or their website. And yea, that's correct on the swap.
Question,
Will I still be able to access the original mailboxes in GoDaddy in case I need to get something or if say BitTitan did not get it?
Correct, you would.