Skip to main content

Removing Domain - Office 365 / Azure AD Tenant

Recently I had an interesting experience and challenge, removing a domain from an Azure AD (Office 365) Tenant which had been around for years, switching all the users to another domain for logins/UPN.

A normal procedure for this should be simple:

  1. Change UPN for all users and groups
  2. Change any associated apps, email, and other resources
  3. Remove Domain (This can be done from Azure Portal, or from Office 365 Admin).
The issue for me was that there was resources associated with some users, which I could not find what recourses or how to clear it up.
In Azure Portal, Azure AD, Custom Domains - it would not let me delete at all, just showed me a link to the list of users in violation.

In office 365 Admin, Settings, Domains - I was able to initiate a Delete action, once, with a supposed automatic removal action. After several hours this failed, and it now remained in a failed state that did not let me try again from UI.

So I started digging with PowerShell - I found it most usable with the MSOL module/commands, as opposed to the Azure AD ones. 
List users which are "offenders":  Get-MsolUser -DomainName
In my case, none of them have a UPN on that domain, they had all been changed.
Look at details of a user: Get-MsolUser -UserPrincipalName

After some digging I found the only difference between an offending/blocking user and a "good" one was the existence of ProxyAddresses (formatted as
I opened a ticket with Microsoft, to try figure out why these users had proxy addresses defined on that domain, and after a few hours the answer was they did not know.
My guess is that since this tenant have been around with various mixed use from 2014 till 2021, things have "stamped" a proxy address that did not get removed when services or user objects changed in some way.

Anyhow - long story short - the way to fix it is to (soft) delete the users, then remove the domain, then restore the users with a flag to fix the proxy addresses.

Here is what i did:
  1. Check your soft deleted user list - in my case i had 0, so all th below was easy, if you have some you need to adjust the below Restore command to only include the users you want to restore.
    To check what is in the soft delete list:  Get-MsolUser -ReturnDeletedUsers
  2. Verify the user list to remove  is correct:  Get-MsolUser -DomainName
  3. Delete Users: Get-MsolUser -DomainName | Remove-MsolUser
    You will have to click Y as many times as there are users, if you have a lot perhaps look for a dash-yes option or similar.
  4. Verify you have the soft deleted users: Get-MsolUser -ReturnDeletedUsers
  5. Delete your domain: Remove-MsolDomain -DomainName -Force
  6. Restore your users - this command will do the entire list of deleted accounts:
    Get-MsolUser -ReturnDeletedUsers | Restore-MsolUser -AutoReconcileProxyConflicts


Popular posts from this blog

Cisco UCS Mini - Add Extender Chassis

If you happen to own a UCS Mini Setup, a 5108 Chassis with two Fi 6324 or similar, and you are looking for documentation on how to add another 5108 Chassis with fabric extenders (2204XP in my case), then Cisco really does not have much out there, nor is there a lot of googlable information either (Everything you find is related to standalone Fabric Interconnects and "standard" UCS). Even after calling TAC, it took a while to get something, and what they told us was not even accurate. So here is how we did it, and it worked, came up without any interruption to current chassis, network, or running profiles. Equipment Of course we used our Cisco vendor to spec the equipment, but just for reference here is the list of what we had and what we added: Original Setup 5108 Chassis  Fi 6324 (Qty 2) Ports 1-2 for Fibre Channel, and 3-4 for Ethernet (MMF) Connected to a stack of switches and pair of FC switches/SAN Running UCS version 4.0.1 (Fairly recently upgraded as of M

Linux/Unix - Create a local Certificate Authority (CA)

I get these questions all the time - people know i have some runtime with certificates and such - one question is "Can't i just issue my own certs?" - and the answer of course is yes - but I always make sure to add that it won't be any use on a public web site since no-one will trust it. So setting up your own CA is not "generally useful", it is more if you need some specific things, like issuing certificates with a single signing source for client logins or similar. Most business will have a  couple of Windows Domain controllers, if you need to sign certs for a limited set of users, what you should do is make sure some system in your windows domain runs Certificate Services, then issue certs from there, make sure any non-domain-members has a trust for that CA. If you actually do need to set up you own CA, here is one way to do it Procedure to set up your own local CA The common name for the CA cert must NOT be the same as a domain name or anything e