This guide provides a step-by-step process for organizations looking to defederate their Microsoft 365 accounts from GoDaddy, ensuring a smooth transition and minimal disruption to services.
Prepare Your End Users
- Defederating requires users to reset their passwords before they can log in to their accounts again. Create a list of temporary passwords and share it with your technical contact, or share each password with the individual user.
- Define a date and time at which you will defederate. I recommend non-business hours, even though this procedure causes no downtime in mail flow. Share this schedule with end users.
- Because users may see activation prompts in their Office apps and Outlook during the license transition, give them documentation on how to sign back in after the license switch has taken place. In Office apps they can simply go to File > Account > Sign Out > Sign In.
- In Outlook, users will be prompted to re-enter their new password after it has been changed.
Why Defederate from GoDaddy?
Organizations may need to defederate from GoDaddy to gain more control over their Microsoft 365 environment, switch to a different provider, or align with new business requirements. This process involves several critical steps and can impact user access and services if not executed correctly.
Systems and Services Affected by Defederation
- Microsoft 365 tenant
- Azure Active Directory
- User accounts and passwords
- SharePoint URLs (potentially)
- Licensing and subscriptions
Step-by-Step Defederation Process
- Preparation Phase:
- Set a defederation date (preferably during non-business hours)
- Create and securely share temporary passwords for all users
- Instruct users on post-defederation login procedures
- Managing CSP and Licensing (Can be done before defederation):
- Add new CSP provider - this can be done before defederation as it only requires global admin role
- Order new licensing as appropriate for client's use case
- Note: New licenses can be preloaded before defederation to minimize transition time
- Gaining Admin Access:
- Log in to Azure Portal
- Reset admin@.onmicrosoft.com password
- Recommended: create a second global admin account to avoid accidental lockout
- Sign in with new credentials
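The second global admin recommended above can be created from PowerShell rather than the portal. The script below is an added example and is not part of the original article: it assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules are installed, and the account name "breakglass-admin" is a placeholder.

```powershell
# Added example, not from the original article: create a second global admin (a "break-glass"
# account) so that a single failed password reset cannot lock you out of the tenant.
# Assumes the Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement modules
# are installed; the account name "breakglass-admin" is a placeholder.
Connect-MgGraph -Scopes "User.ReadWrite.All", "RoleManagement.ReadWrite.Directory"

# Use the tenant's initial *.onmicrosoft.com domain: it is never federated, so the
# account keeps working whatever happens to the custom domain during defederation
$initialDomain = (Get-MgDomain | Where-Object { $_.IsInitial }).Id
$upn = "breakglass-admin@$initialDomain"
$password = Read-Host -Prompt "Password for $upn (store it offline, not in the temp-password CSV)"

$user = New-MgUser -DisplayName "Break-glass admin" -UserPrincipalName $upn `
    -MailNickname "breakglass-admin" -AccountEnabled `
    -PasswordProfile @{ Password = $password; ForceChangePasswordNextSignIn = $false }

# Directory roles only exist as objects once they have been activated from their template
$template = Get-MgDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq 'Global Administrator' }
$role = Get-MgDirectoryRole -Filter "roleTemplateId eq '$($template.Id)'"
if (-not $role) { $role = New-MgDirectoryRole -RoleTemplateId $template.Id }

New-MgDirectoryRoleMemberByRef -DirectoryRoleId $role.Id -BodyParameter @{
    '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
}

# Verify the membership before relying on the account
$isMember = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id | Where-Object { $_.Id -eq $user.Id }
if ($isMember) { Write-Host "$upn is now a Global Administrator" -ForegroundColor Green }
else           { Write-Host "Role assignment for $upn not visible yet; re-check before proceeding" -ForegroundColor Yellow }
```

Sign in once with the new account in a private browser window to confirm it works, then keep its credentials offline; it exists only to recover the tenant if the primary admin account is locked out during the steps that follow.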
- Executing the Defederation:
```powershell
# Install required module
Install-Module MSOnline -Force

# Connect to Microsoft 365
Connect-MsolService

# Get every federated domain (the loop converts all of them, as the warnings section notes)
$federated = Get-MsolDomain | Where-Object { $_.Authentication -eq "Federated" }
if (-not $federated) { Write-Host "No federated domains found; nothing to do" -ForegroundColor Yellow }

foreach ($domain in $federated) {
    # Attempt to convert to Managed
    try {
        Set-MsolDomainAuthentication -DomainName $domain.Name -Authentication Managed -ErrorAction Stop
        Write-Host "Domain $($domain.Name) successfully converted to Managed" -ForegroundColor Green
    } catch {
        Write-Host "Failed to convert domain $($domain.Name) to Managed" -ForegroundColor Red
        Write-Host "Error: $($_.Exception.Message)" -ForegroundColor Red
    }

    # Verify the change
    Get-MsolDomain | Where-Object { $_.Name -eq $domain.Name } | Select-Object Name, Authentication
}
```
- Post-Defederation User Password Reset:
```powershell
# Install required module
Install-Module -Name Microsoft.Graph.Users -Force

# Connect and authenticate (the signed-in admin needs a role that is allowed to reset passwords)
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All"

# Reset passwords from CSV (headers: UserPrincipalName, Password).
# Update-MgUser with a PasswordProfile is the administrative reset; Update-MgUserPassword
# (the changePassword action) only changes the password of the signed-in user.
# The temporary password is forced to change at next sign-in; set $false to keep it as-is.
Import-Csv -Path "users.csv" | ForEach-Object {
    Update-MgUser -UserId $_.UserPrincipalName -PasswordProfile @{
        Password                      = $_.Password
        ForceChangePasswordNextSignIn = $true
    }
}
```
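The temporary-password list from the preparation phase has to exist before the reset step above can consume it. The following added example, which is not from the original article, generates the list and writes the users.csv file with the UserPrincipalName and Password headers. It assumes the Microsoft.Graph.Users module; the output path and the decision to skip *.onmicrosoft.com accounts (the admin account) are assumptions.

```powershell
# Added example (not part of the original article): generate temporary passwords for every
# licensed user and write users.csv for the reset step. Assumes Microsoft.Graph.Users is
# installed; excluding *.onmicrosoft.com accounts and the file name are assumptions.
Install-Module -Name Microsoft.Graph.Users -Force
Connect-MgGraph -Scopes "User.Read.All"

function New-TemporaryPassword {
    param([int]$Length = 16)
    # Alphabet leaves out look-alikes (0/O, 1/l/I) so a password read off a list is typed correctly.
    # 256 mod 63 leaves a tiny bias per character, acceptable for a password that is changed at first sign-in.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*?@'.ToCharArray()
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()   # CSPRNG, not Get-Random
    do {
        $bytes = New-Object byte[] $Length
        $rng.GetBytes($bytes)
        $candidate = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    } until ($candidate -cmatch '[A-Z]' -and $candidate -cmatch '[a-z]' -and
             $candidate -match '\d' -and $candidate -match '[!#$%&*?@]')   # Entra complexity: 3 of 4 classes
    $candidate
}

# Enabled member accounts holding at least one licence; the *.onmicrosoft.com admin account is left out
$users = Get-MgUser -All -Filter "userType eq 'Member' and accountEnabled eq true" `
    -Property UserPrincipalName, DisplayName, AssignedLicenses |
    Where-Object { $_.AssignedLicenses.Count -gt 0 -and $_.UserPrincipalName -notlike '*.onmicrosoft.com' }

$rows = foreach ($u in $users) {
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.DisplayName
        Password          = New-TemporaryPassword
    }
}

# The file holds plaintext credentials: keep it off shared drives and delete it once the resets are done
$rows | Export-Csv -Path "users.csv" -NoTypeInformation
Write-Host "Wrote $($rows.Count) temporary passwords to users.csv"
```

The extra DisplayName column makes it easier to hand each password to the right person; Import-Csv in the reset step ignores columns it does not use.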
- Managing GoDaddy Access and Licensing:
- Remove GoDaddy's delegated admin roles - This won't affect existing GoDaddy licenses
- Cancel GoDaddy subscription - Licenses will remain active until cancelled
- Note: GoDaddy may still show as "Other partner relationships" even after removing admin roles and cancelling subscriptions. At this point GoDaddy can only add licences, so it's not critical to remove this relationship.
- DNS and Email Authentication Setup:
- Review and update domain DNS management:
- Ensure you have access to manage DNS records (likely GoDaddy). If you're unsatisfied with the domain manager, consider pointing your name servers to CloudFlare.
- Check for and remove any duplicate SPF records (GoDaddy or the client may have created duplicates in the past; receivers treat more than one SPF record as a permanent error)
- Configure domain settings in Microsoft 365:
- Go to Admin Center > Settings > Domains
- Check health, update MX, SPF, and other required records
- Set your primary domain as the default domain. This ensures new users get email addresses with your preferred domain. The default domain also becomes the reply-to address for users with multiple email addresses.
- Configure comprehensive email authentication:
- Enable DKIM signing in Microsoft 365 Defender > Email & collaboration > Policies & rules > Threat policies > Email authentication settings
- Set up DMARC monitoring and policy (use free services like Postmark or Cloudflare)
- If using additional email services (marketing, support tickets, etc.), include them in your SPF record
- If using GoDaddy's Advanced Email Security (Proofpoint):
- Remove Exchange outbound connector to GoDaddy/Proofpoint
- Update SPF to allow Microsoft 365 to send mail ("v=spf1 include:spf.protection.outlook.com -all")
- Mail will now flow directly through Exchange Online
- Optional: Update the SharePoint domain for better branding, e.g. https://netorg12847914.sharepoint.com/ -> https://yourcompany.sharepoint.com/
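The DNS and email-authentication checks in this section (single SPF record that includes spf.protection.outlook.com, DKIM selectors, DMARC) can be verified from PowerShell instead of a web tool. The function below is an added example, not from the original article; it uses the Windows DnsClient cmdlet Resolve-DnsName, and the domain passed at the end is a placeholder.

```powershell
# Added example, not from the original article: check the mail-related DNS records of a
# domain after defederation. Uses Resolve-DnsName (Windows DnsClient module);
# 'example.com' at the bottom is a placeholder.
function Test-M365MailDns {
    param([Parameter(Mandatory)][string]$Domain)
    $findings = [System.Collections.Generic.List[string]]::new()

    # MX: Exchange Online publishes <domain-with-dashes>.mail.protection.outlook.com
    $mxHosts = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
                 Where-Object NameExchange | Select-Object -ExpandProperty NameExchange)
    if (-not ($mxHosts -match '\.mail\.protection\.outlook\.com$')) {
        $findings.Add("MX does not point at Exchange Online: $($mxHosts -join ', ')")
    }

    # SPF: exactly one TXT record starting with v=spf1 (several = PermError, RFC 7208)
    $txt = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             Where-Object Strings | ForEach-Object { -join $_.Strings })
    $spf = @($txt | Where-Object { $_ -match '^v=spf1\b' })
    switch ($spf.Count) {
        0 { $findings.Add("No SPF record found") }
        1 {
            $record = $spf[0]
            if ($record -notmatch 'include:spf\.protection\.outlook\.com') {
                $findings.Add("SPF does not include spf.protection.outlook.com: $record")
            }
            if ($record -match '\+all') { $findings.Add("SPF ends in +all, which authorises any sender") }
            elseif ($record -notmatch '[-~]all\s*$') { $findings.Add("SPF lacks a terminal -all or ~all: $record") }
            # Top-level count of lookup-causing terms only; nested includes are not followed
            $lookups = ([regex]::Matches($record, '\b(include:|a[:\s]|mx[:\s]|ptr|exists:|redirect=)')).Count
            if ($lookups -gt 10) { $findings.Add("SPF has $lookups lookup terms at top level; the limit is 10") }
        }
        default { $findings.Add("Duplicate SPF records ($($spf.Count)); receivers treat this as PermError") }
    }

    # DKIM: Microsoft 365 uses selector1/selector2 CNAMEs to <selector>-<domain>._domainkey.<tenant>.onmicrosoft.com
    foreach ($selector in 'selector1', 'selector2') {
        $cname = Resolve-DnsName -Name "$selector._domainkey.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
                 Where-Object NameHost | Select-Object -First 1 -ExpandProperty NameHost
        if (-not $cname) { $findings.Add("DKIM CNAME $selector._domainkey.$Domain is missing") }
        elseif ($cname -notmatch '\.onmicrosoft\.com$') { $findings.Add("DKIM CNAME $selector points outside Microsoft 365: $cname") }
    }

    # DMARC: _dmarc TXT with a p= policy; p=none only monitors, quarantine/reject enforce
    $dmarc = @(Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
               Where-Object Strings | ForEach-Object { -join $_.Strings } |
               Where-Object { $_ -match '^v=DMARC1\b' })
    if ($dmarc.Count -eq 0) { $findings.Add("No DMARC record at _dmarc.$Domain") }
    elseif ($dmarc[0] -match 'p=none') { $findings.Add("DMARC policy is p=none (monitoring only): $($dmarc[0])") }

    if ($findings.Count -eq 0) { "OK: MX, SPF, DKIM and DMARC are consistent with Exchange Online" }
    else { $findings }
}

Test-M365MailDns -Domain 'example.com'   # placeholder; use your own domain
```

Run it against a public resolver view (the machine's DNS client must not be pointed at an internal split-horizon zone) both before and after the DNS changes; the SPF lookup count is only the top-level figure, so an MXToolbox-style recursive check is still worth doing when the record includes third-party senders.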
Critical Warnings and Best Practices
- Ensure all users have their new passwords before proceeding with defederation.
- The defederation script will affect ALL domains in the tenant. Verify this is your intention before running.
- Email authentication is critical for deliverability and security:
- Incorrect SPF records can cause email delivery issues
- Missing DKIM and DMARC makes your domain vulnerable to spoofing
- Take inventory of all services that send email on behalf of your domain
- Test DNS changes in a tool like MXToolbox before applying
- When resetting passwords, ensure your CSV file has headers for UserPrincipalName and Password.
- While you can add a new CSP before defederation, verify new licenses are properly assigned before removing old ones to avoid service interruption.
- Once GoDaddy is removed as delegated admin, this action cannot be easily undone.
- User logins won't work without password resets after defederation.
Follow-Up
If you've encountered this issue and followed the steps outlined in this article, we'd love to hear from you. Please leave a comment below to share whether this solution helped resolve the problem. Additionally, if you found a different method that worked, we encourage you to share that as well. Your feedback is invaluable in helping us and others who may face similar issues.
Need Expert Assistance?
If you're still facing issues or would like personalized guidance, we're here to help. Check out our dedicated support plans at IT Solver Support Plans for expert assistance tailored to your needs.