Introduction
If your Microsoft 365 tenant was purchased through GoDaddy, your primary domain is often configured as federated and management is partially controlled through GoDaddy workflows.
This can block normal CSP onboarding, limit direct Microsoft administration, and complicate licensing changes.
This guide walks through a safe defederation workflow with minimal disruption.
What this process does
- Converts your federated domain authentication to managed in Microsoft 365.
- Lets you administer users/licenses directly in Microsoft portals.
- Enables moving to a CSP partner or buying directly from Microsoft.
- Preserves mailbox and tenant data when done correctly.
Before you start
Plan a maintenance window (after hours is best), then confirm:
- You have break-glass/admin access to the tenant.
- You can sign in to portal.azure.com, entra.microsoft.com, and admin.microsoft.com.
- You have a password reset plan for all users.
- You know which licenses users currently have.
- You have DNS access for the domain (especially MX records).
Important: users will need updated credentials after defederation.
Step 1: Prepare users and comms
Send a short notice before the change:
- When the change will happen.
- That users may be prompted to sign in again in Outlook/Office/Teams.
- How they will receive temporary or reset passwords.
For Office app re-authentication, most users can use:
File -> Account -> Sign out -> Sign in
Step 2: Confirm true tenant admin access
Some GoDaddy tenants redirect admins away from normal Microsoft admin experiences.
Make sure you can use a real Entra/M365 admin account (often the original onmicrosoft.com admin identity), then test sign-in directly at:
- https://entra.microsoft.com
- https://admin.microsoft.com
If needed, reset the admin password first and verify interactive login before touching federation settings.
Step 3: Defederate the domain (set authentication to Managed)
Open PowerShell as administrator and run:
# Install the Graph module that provides Get-MgDomain / Update-MgDomain if it is missing
Write-Host "Checking required Microsoft Graph module..."
$module = Get-Module -Name "Microsoft.Graph.Identity.DirectoryManagement" -ListAvailable
if ($null -eq $module) {
    Install-Module -Name Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser
}
# Sign in interactively with the tenant admin account verified in Step 2
Connect-MgGraph -Scopes "Directory.Read.All","Domain.Read.All","Domain.ReadWrite.All","Directory.AccessAsUser.All"
# Review domain authentication states
Get-MgDomain | Select-Object Id, AuthenticationType, IsDefault
# Example: replace with your actual federated domain
Update-MgDomain -DomainId "contoso.com" -AuthenticationType Managed
# Verify result
Get-MgDomain | Select-Object Id, AuthenticationType, IsDefault
You want each active domain involved in sign-in to report AuthenticationType as Managed.
Step 4: Reset user passwords
After defederation, reset user passwords so users can authenticate with managed credentials.
Single user example:
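# Update-MgUser is provided by the Microsoft.Graph.Users module
$passwordProfile = @{
    # Placeholder value: use a unique temporary password per user
    Password = "TempP@ssw0rd!"
    ForceChangePasswordNextSignIn = $true
}
Update-MgUser -UserId "user@contoso.com" -PasswordProfile $passwordProfile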
Bulk reset (CSV approach):
- Prepare CSV columns: UserPrincipalName,NewPassword
- Loop through CSV and call Update-MgUser per user
- Set ForceChangePasswordNextSignIn as needed
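One way to write the CSV loop described above, as an added example that is not part of the original guide. It assumes the Graph session from Step 3 is still connected and that the Microsoft.Graph.Users module is installed; the file name `password-resets.csv` and the result column names are hypothetical.

```powershell
# Added example, not from the original guide.
# Assumes Connect-MgGraph (Step 3) has been run and Microsoft.Graph.Users is installed.
# Expected CSV header line: UserPrincipalName,NewPassword
$csvPath = ".\password-resets.csv"   # hypothetical path

$results = foreach ($row in Import-Csv -Path $csvPath) {
    # Quoting turns a missing column into an empty string instead of $null
    $upn = "$($row.UserPrincipalName)".Trim()
    $pw  = "$($row.NewPassword)"

    # Skip incomplete rows instead of sending an empty password to Graph
    if (-not $upn -or -not $pw) {
        [pscustomobject]@{ User = $upn; Status = "Skipped"; Detail = "Missing UPN or password" }
        continue
    }

    $passwordProfile = @{
        Password                      = $pw
        ForceChangePasswordNextSignIn = $true
    }

    try {
        Update-MgUser -UserId $upn -PasswordProfile $passwordProfile -ErrorAction Stop
        [pscustomobject]@{ User = $upn; Status = "Reset"; Detail = "" }
    }
    catch {
        # Record the failure and keep going so one bad row does not stop the batch
        [pscustomobject]@{ User = $upn; Status = "Failed"; Detail = $_.Exception.Message }
    }
}

# Per-user outcome without the passwords; follow up on anything not marked Reset
$results | Sort-Object Status | Format-Table -AutoSize

# The CSV holds plaintext temporary passwords: delete it once they are distributed
# Remove-Item -Path $csvPath
```

Rows that come back as Failed or Skipped are the accounts to check first when validating sign-ins.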
Validate a few user sign-ins before moving to licensing changes.
Step 5: Add new licensing source (CSP or Microsoft direct)
Once defederated:
- Add your CSP partner relationship or purchase direct in Microsoft admin center.
- Provision equivalent licensing first (avoid gaps).
- Reassign licenses in bulk if SKU changes are planned.
If you are moving from one SKU to another, do a pilot group before bulk assignment.
Step 6: Review mail flow and DNS (critical)
Check whether your prior GoDaddy bundle used third-party email security (for example, Proofpoint-backed routing).
Before cancellation, confirm DNS is correct for your target state:
- MX records
- SPF include/update
- Autodiscover and related records as required
If old security-routing MX remains after cancellation, mail flow can fail.
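A read-only check of the records listed above, as an added example that is not part of the original guide. It assumes the target state is direct delivery to Exchange Online with the standard values (`*.mail.protection.outlook.com`, `include:spf.protection.outlook.com`, `autodiscover.outlook.com`); the function name `Test-MailDns` is hypothetical, and the patterns need adjusting if your tenant's admin center lists different records.

```powershell
# Added example, not from the original guide. Uses Resolve-DnsName (Windows DnsClient module).
# Assumption: target state is direct delivery to Exchange Online with the standard record values.
function Test-MailDns {
    param([Parameter(Mandatory)][string]$Domain)

    # Filter on Type because a lookup with no answer can return SOA records instead
    $mx = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference)
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'TXT' } |
             ForEach-Object { $_.Strings -join '' } |
             Where-Object { $_ -like 'v=spf1*' })
    $auto = @(Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'CNAME' })

    # Every MX host should be Exchange Online; anything else is a leftover filtering hop
    $foreignMx = @($mx | Where-Object { $_.NameExchange -notlike '*.mail.protection.outlook.com' })

    [pscustomobject]@{
        Check = 'MX'
        Value = ($mx.NameExchange -join ', ')
        Ok    = ($mx.Count -gt 0 -and $foreignMx.Count -eq 0)
    }
    [pscustomobject]@{
        Check = 'SPF'
        Value = ($spf -join ' | ')
        # Exactly one SPF record, and it must authorize Exchange Online
        Ok    = ($spf.Count -eq 1 -and $spf[0] -like '*include:spf.protection.outlook.com*')
    }
    [pscustomobject]@{
        Check = 'Autodiscover'
        Value = ($auto.NameHost -join ', ')
        Ok    = ($auto.NameHost -contains 'autodiscover.outlook.com')
    }
}

# Replace with your actual domain
Test-MailDns -Domain "contoso.com" | Format-Table -AutoSize
```

Run it before cancelling and again after DNS changes have propagated; any row with Ok set to False needs review before the old service is removed.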
Step 7: Remove GoDaddy delegated access
In Microsoft 365 admin center:
- Go to Partner relationships
- Locate GoDaddy relationship
- Remove delegated admin roles/permissions
Then in Entra admin center, review enterprise apps and remove partner-related app access that is no longer required (for example, legacy partner management apps).
Step 8: Cancel GoDaddy subscription
Only cancel once all of the following are true:
- Domain auth is managed
- Users can sign in with new credentials
- New licensing is active and assigned
- DNS/mail flow is validated
- GoDaddy delegated access is removed
Validation checklist
Run this quick verification:
- Get-MgDomain shows Managed
- Test sign-in for admin + standard users
- Outlook and Teams re-auth works
- Mail send/receive passes both directions
- Licenses show correct source and assignment
Common issues
Users cannot sign in after change
- Password not reset or not communicated
- Old cached credentials in Office apps
- Conditional Access/MFA policy conflicts
Mail flow broken after cancellation
- Legacy MX/security records still in DNS
- Incomplete SPF/DKIM/DMARC adjustments
Missing admin control
- Partner delegated relationship still active
- Partner enterprise application still present
Conclusion
Defederating a GoDaddy-managed tenant is mostly a control-plane cleanup: switch auth to managed, reset credentials, move licensing, verify DNS/mail flow, and remove delegated access before cancellation.
Handled carefully, this can be completed without data loss and with minimal end-user downtime.