Recently I had an interesting experience and challenge, removing a domain from an Azure AD (Office 365) Tenant which had been around for years, switching all the users to another domain for logins/UPN.
A normal procedure for this should be simple:
- Change UPN for all users and groups
- Change any associated apps, email, and other resources
- Remove Domain (This can be done from Azure Portal, or from Office 365 Admin).
The issue for me was that there was resources associated with some users, which I could not find what recourses or how to clear it up.
In Azure Portal, Azure AD, Custom Domains - it would not let me delete at all, just showed me a link to the list of users in violation.
In office 365 Admin, Settings, Domains - I was able to initiate a Delete action, once, with a supposed automatic removal action. After several hours this failed, and it now remained in a failed state that did not let me try again from UI.
So I started digging with PowerShell - I found it most usable with the MSOL module/commands, as opposed to the Azure AD ones.
List users which are "offenders": Get-MsolUser -DomainName mydomain.com
In my case, none of them have a UPN on that domain, they had all been changed.
Look at details of a user: Get-MsolUser -UserPrincipalName user@myotherdomain.com
After some digging I found the only difference between an offending/blocking user and a "good" one was the existence of ProxyAddresses (formatted as SMTP:user@mydomain.com)
I opened a ticket with Microsoft, to try figure out why these users had proxy addresses defined on that domain, and after a few hours the answer was they did not know.
My guess is that since this tenant have been around with various mixed use from 2014 till 2021, things have "stamped" a proxy address that did not get removed when services or user objects changed in some way.
Anyhow - long story short - the way to fix it is to (soft) delete the users, then remove the domain, then restore the users with a flag to fix the proxy addresses.
Here is what i did:
- Check your soft deleted user list - in my case i had 0, so all th below was easy, if you have some you need to adjust the below Restore command to only include the users you want to restore.
To check what is in the soft delete list: Get-MsolUser -ReturnDeletedUsers - Verify the user list to remove is correct: Get-MsolUser -DomainName mydomain.com
- Delete Users: Get-MsolUser -DomainName mydomain.com | Remove-MsolUser
You will have to click Y as many times as there are users, if you have a lot perhaps look for a dash-yes option or similar. - Verify you have the soft deleted users: Get-MsolUser -ReturnDeletedUsers
- Delete your domain: Remove-MsolDomain -DomainName mydomain.com -Force
- Restore your users - this command will do the entire list of deleted accounts:
Get-MsolUser -ReturnDeletedUsers | Restore-MsolUser -AutoReconcileProxyConflicts
Comments
Post a Comment