Skip to main content

Removing Domain - Office 365 / Azure AD Tenant

Recently I had an interesting experience and challenge, removing a domain from an Azure AD (Office 365) Tenant which had been around for years, switching all the users to another domain for logins/UPN.

A normal procedure for this should be simple:

  1. Change UPN for all users and groups
  2. Change any associated apps, email, and other resources
  3. Remove Domain (This can be done from Azure Portal, or from Office 365 Admin).
The issue for me was that there was resources associated with some users, which I could not find what recourses or how to clear it up.
In Azure Portal, Azure AD, Custom Domains - it would not let me delete at all, just showed me a link to the list of users in violation.

In office 365 Admin, Settings, Domains - I was able to initiate a Delete action, once, with a supposed automatic removal action. After several hours this failed, and it now remained in a failed state that did not let me try again from UI.

So I started digging with PowerShell - I found it most usable with the MSOL module/commands, as opposed to the Azure AD ones. 
List users which are "offenders":  Get-MsolUser -DomainName mydomain.com
In my case, none of them have a UPN on that domain, they had all been changed.
Look at details of a user: Get-MsolUser -UserPrincipalName user@myotherdomain.com

After some digging I found the only difference between an offending/blocking user and a "good" one was the existence of ProxyAddresses (formatted as SMTP:user@mydomain.com)
I opened a ticket with Microsoft, to try figure out why these users had proxy addresses defined on that domain, and after a few hours the answer was they did not know.
My guess is that since this tenant have been around with various mixed use from 2014 till 2021, things have "stamped" a proxy address that did not get removed when services or user objects changed in some way.

Anyhow - long story short - the way to fix it is to (soft) delete the users, then remove the domain, then restore the users with a flag to fix the proxy addresses.

Here is what i did:
  1. Check your soft deleted user list - in my case i had 0, so all th below was easy, if you have some you need to adjust the below Restore command to only include the users you want to restore.
    To check what is in the soft delete list:  Get-MsolUser -ReturnDeletedUsers
  2. Verify the user list to remove  is correct:  Get-MsolUser -DomainName mydomain.com
  3. Delete Users: Get-MsolUser -DomainName mydomain.com | Remove-MsolUser
    You will have to click Y as many times as there are users, if you have a lot perhaps look for a dash-yes option or similar.
  4. Verify you have the soft deleted users: Get-MsolUser -ReturnDeletedUsers
  5. Delete your domain: Remove-MsolDomain -DomainName mydomain.com -Force
  6. Restore your users - this command will do the entire list of deleted accounts:
    Get-MsolUser -ReturnDeletedUsers | Restore-MsolUser -AutoReconcileProxyConflicts
 

Comments

Popular posts from this blog

Cisco UCS Mini - Add Extender Chassis

If you happen to own a UCS Mini Setup, a 5108 Chassis with two Fi 6324 or similar, and you are looking for documentation on how to add another 5108 Chassis with fabric extenders (2204XP in my case), then Cisco really does not have much out there, nor is there a lot of googlable information either (Everything you find is related to standalone Fabric Interconnects and "standard" UCS). Even after calling TAC, it took a while to get something, and what they told us was not even accurate. So here is how we did it, and it worked, came up without any interruption to current chassis, network, or running profiles. Equipment Of course we used our Cisco vendor to spec the equipment, but just for reference here is the list of what we had and what we added: Original Setup 5108 Chassis  Fi 6324 (Qty 2) Ports 1-2 for Fibre Channel, and 3-4 for Ethernet (MMF) Connected to a stack of switches and pair of FC switches/SAN Running UCS version 4.0.1 (Fairly recently upgraded as of M

Linux/Unix - Create a local Certificate Authority (CA)

I get these questions all the time - people know i have some runtime with certificates and such - one question is "Can't i just issue my own certs?" - and the answer of course is yes - but I always make sure to add that it won't be any use on a public web site since no-one will trust it. So setting up your own CA is not "generally useful", it is more if you need some specific things, like issuing certificates with a single signing source for client logins or similar. Most business will have a  couple of Windows Domain controllers, if you need to sign certs for a limited set of users, what you should do is make sure some system in your windows domain runs Certificate Services, then issue certs from there, make sure any non-domain-members has a trust for that CA. If you actually do need to set up you own CA, here is one way to do it Procedure to set up your own local CA The common name for the CA cert must NOT be the same as a domain name or anything e

Active Directory Account Lockout - Narrowing Down the source

If you are in a all-windows shop where everything is nice and neat, everybody has a proper domain membership and all authentication is SSO or Windows Integrated, then you probably do not have much of a problem with repeated account lockouts. On the other hand, if you are in a mixed environment, lots of :Linux, Mac, and unmanaged Wintendo, then you probably run into some users that manage to Lock themselves out frequently - typically for several days in a row after the account password had been changed. Reasons can be plenty fold - typically saved credentials somewhere, like a git client, sql-server client, email client, rdp-manager, smbfs-automount, or anything that tries a bunch of logins when you start it up, or keeps trying in the background. As a sysadmin, you don't have time to narrow it down for the end user - but they will be adamant it is not their fault, so you probably need to prove that "Yes it is" - so I use powershell to grab 4740 events from Domain Con