Skip to main content

Removing Domain - Office 365 / Azure AD Tenant

Recently I had an interesting experience and challenge, removing a domain from an Azure AD (Office 365) Tenant which had been around for years, switching all the users to another domain for logins/UPN.

A normal procedure for this should be simple:

  1. Change UPN for all users and groups
  2. Change any associated apps, email, and other resources
  3. Remove Domain (This can be done from Azure Portal, or from Office 365 Admin).
The issue for me was that there was resources associated with some users, which I could not find what recourses or how to clear it up.
In Azure Portal, Azure AD, Custom Domains - it would not let me delete at all, just showed me a link to the list of users in violation.

In office 365 Admin, Settings, Domains - I was able to initiate a Delete action, once, with a supposed automatic removal action. After several hours this failed, and it now remained in a failed state that did not let me try again from UI.

So I started digging with PowerShell - I found it most usable with the MSOL module/commands, as opposed to the Azure AD ones. 
List users which are "offenders":  Get-MsolUser -DomainName mydomain.com
In my case, none of them have a UPN on that domain, they had all been changed.
Look at details of a user: Get-MsolUser -UserPrincipalName user@myotherdomain.com

After some digging I found the only difference between an offending/blocking user and a "good" one was the existence of ProxyAddresses (formatted as SMTP:user@mydomain.com)
I opened a ticket with Microsoft, to try figure out why these users had proxy addresses defined on that domain, and after a few hours the answer was they did not know.
My guess is that since this tenant have been around with various mixed use from 2014 till 2021, things have "stamped" a proxy address that did not get removed when services or user objects changed in some way.

Anyhow - long story short - the way to fix it is to (soft) delete the users, then remove the domain, then restore the users with a flag to fix the proxy addresses.

Here is what i did:
  1. Check your soft deleted user list - in my case i had 0, so all th below was easy, if you have some you need to adjust the below Restore command to only include the users you want to restore.
    To check what is in the soft delete list:  Get-MsolUser -ReturnDeletedUsers
  2. Verify the user list to remove  is correct:  Get-MsolUser -DomainName mydomain.com
  3. Delete Users: Get-MsolUser -DomainName mydomain.com | Remove-MsolUser
    You will have to click Y as many times as there are users, if you have a lot perhaps look for a dash-yes option or similar.
  4. Verify you have the soft deleted users: Get-MsolUser -ReturnDeletedUsers
  5. Delete your domain: Remove-MsolDomain -DomainName mydomain.com -Force
  6. Restore your users - this command will do the entire list of deleted accounts:
    Get-MsolUser -ReturnDeletedUsers | Restore-MsolUser -AutoReconcileProxyConflicts
 

Comments

Post a Comment

Popular posts from this blog

Campground Networking

I've travelled a couple years full time in an RV, working remotely. This can be a challenger, many campgrounds have poor Wi-Fi setups, and cell service is not always great (Do not plan on doing any work from the Grand Canyon National Park). Calling ahead and asking usually does not reveal accurate information, you are best off using campground reviews, search them for WIFI and read what people say.  The best network I have seen was at Eagles Landing RV Park in Holt, FL (Pan handle) http://eagleslandingrvpark.com/. Still not perfect. At poor sites, more than once did I offer my assistance in trying to configure and improve, but even the places which have no vendor maintain their system do not want any other hands on it. A couple of times I helped out anyway, default passwords on routers, so I upgraded their firmware, disabled 802.11b, and set a password so no-one else would mess with it. My RV network setup is not of a common type, you sort of have to be a bit of a network-guy to us...
1 comment
Read more

New Lines - Windows/Unix/Linux/MacOS - viM

If you deal with scripts and other text files and move between platforms you probably discovered this "issue". Only the founding developers can explain why they chose what they did - googling about will show you a couple of different explanations - whatever the reasons, here are the differences and how to convert. The formats The Characters in use (referenced in OS info below) LF Usually referred to as LF  or Line feed Ascii code decimal 10 Hex: A or 0xA Octal: 12 or O12 Typical Escaped character in many shells and languages: \n CR Usually referred to as CR or Carriage Return Ascii code decimal 13 Hex D or 0xD Typical Escaped character in many shells and languages:  \r Unix, Linux, and Modern MacOS - The POSIX standard Each Line ends with a single character:  LF Most programming languages will understand/interpret this format properly. Simple Windows programs, like the built in Notepad will not show this properly. Windows (and DOS) Each...
Post a Comment
Read more

Linux/Unix - Create a local Certificate Authority (CA)

I get these questions all the time - people know i have some runtime with certificates and such - one question is "Can't i just issue my own certs?" - and the answer of course is yes - but I always make sure to add that it won't be any use on a public web site since no-one will trust it. So setting up your own CA is not "generally useful", it is more if you need some specific things, like issuing certificates with a single signing source for client logins or similar. Most business will have a  couple of Windows Domain controllers, if you need to sign certs for a limited set of users, what you should do is make sure some system in your windows domain runs Certificate Services, then issue certs from there, make sure any non-domain-members has a trust for that CA. If you actually do need to set up you own CA, here is one way to do it Procedure to set up your own local CA The common name for the CA cert must NOT be the same as a domain name or anything e...
Post a Comment
Read more