question

1 Vote
TimothyDirks-1589 asked MichaelSevarino-1424 commented

Is it possible to remove extra '.onmicrosoft.com' domains from Azure AD

I am trying to remove a few extra '.onmicrosoft.com' domains I added to my Azure AD for testing

Steps taken so far:
1. Removed all dependencies on domain in Azure AD
2. Attempted to remove domain under 'Custom domain names' section of the Azure AD on Azure portal. Resulted in "Unable to delete domain name '.onmicrosft.com' from .com"
3. Used 'Remove-MsolDomain' command in PowerShell.
Resulted in:

 Remove-MsolDomain : Unknown error occurred.
 At line:1 char:1
 + Remove-MsolDomain -DomainName ".onmicrosoft.com" - ...
 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : OperationStopped: (:) [Remove-MsolDomain], MicrosoftOnlineException
     + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DomainCapabilityUnsetException,Microsoft.Online.Administration.Automation.RemoveDomain


Note: This is NOT the default '.onmicrosoft.com' domain that was created when the tenant was created.




azure-active-directory azure-ad-domain-services

0 Votes
shashishailaj answered TimothyDirks-1589 commented

@TimothyDirks-1589 ,

As I understand your query, you seem to be trying to remove extra '*.onmicrosoft.com' domain names from your Azure AD tenant. You have also mentioned that the domain you are trying to remove is not the same domain that was created when the tenant was created. The domain name that is created when we create a new tenant has the type Initial added to it, as shown below.

189736-image.png

The .onmicrosoft.com name is the initial name that is provided to a tenant whenever it is created. The .onmicrosoft.com namespace is a Microsoft-owned service namespace for the Azure AD service. It's not possible to have two verified .onmicrosoft.com domain names associated with a single Azure AD tenant, by design. If there were multiple .onmicrosoft.com domains in your Azure AD tenant, by design only one would be a verified domain that you would be able to use with users or groups, while the others would just be unverified domains which could be removed easily with the cmdlet Remove-AzureADDomain or Remove-MsolDomain.

I tried to see if multiple .onmicrosoft.com domains could be added. Whenever I add a new .onmicrosoft.com domain like abc.onmicrosoft.com to my Azure AD tenant, the system asks me to verify it. In order to verify it I would require access to the onmicrosoft.com DNS zone, which no one has access to except Microsoft Cloud Services, hence the domain would never become a verified domain in my case, as you can see below.

189768-image.png

For testing, I tried removing the initial domain xxxxxx13.onmicrosoft.com and got the following error.

 PS C:\> Remove-MsolDomain -DomainName xxxxxxx13.onmicrosoft.com
 Remove-MsolDomain : You cannot remove the initial domain created for you in Office 365.
 At line:1 char:1
 + Remove-MsolDomain -DomainName MSDx756613.onmicrosoft.com
 + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : OperationStopped: (:) [Remove-MsolDomain], MicrosoftOnlineException
     + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InitialDomainDeletionException,Microsoft.Online.Administration.Automation.RemoveDomain

Then I tried removing other domains and I was successful without any issue as they were unverified domains.

 PS C:\> Get-MsolDomain
    
 Name                            Status     Authentication
 ----                            ------     --------------
 xxxxxxx13.onmicrosoft.com      Verified   Managed       
 xxxxxxx13.mail.onmicrosoft.com Verified   Managed       
 abcd.org                       Verified   Managed       
 abc.onmicrosoft.com             Unverified Managed       
 rd.onmicrosoft.com              Unverified Managed       
    
    
 PS C:\> Remove-MsolDomain -DomainName abc.onmicrosoft.com
    
 PS C:\> Get-MsolDomain
    
 Name                            Status     Authentication
 ----                            ------     --------------
 xxxxxxx13.onmicrosoft.com      Verified   Managed       
 xxxxxxx13.mail.onmicrosoft.com Verified   Managed       
 abcd.org                       Verified   Managed       
 rd.onmicrosoft.com              Unverified Managed       

In this case I added multiple .onmicrosoft.com domains and removed them using the PowerShell cmdlet Remove-MsolDomain and it worked without any issue. Ideally, if you have multiple verified .onmicrosoft.com domains in your Azure AD tenant, it can be some bug and we can help you further if you can provide more information on this. I hope the information provided clarifies how custom domains related to .onmicrosoft.com domains associated with an Azure AD tenant. If the information is not helpful, please check if the domains you are trying to remove are verified or not. If they are verified, please let us know and we will continue to help you. Should the information in this thread help you, please do accept this post as answer, which will help other members of the community and improve the relevancy of this thread.

Thank you.


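The three cases the answer separates (initial, verified, unverified) can be checked across a whole tenant before any removal is attempted. The following is an added example, not code from the thread or from Microsoft: the function name `Get-DomainRemovalTriage` is hypothetical, the sample objects are constructed from the listing in the answer, and it assumes the input objects carry the `IsInitial` property that `Get-MsolDomain` returns.

```powershell
# Added example (not from the thread): triage tenant domains before attempting removal.
function Get-DomainRemovalTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Domain
    )
    process {
        # Order matters: the initial domain is also verified and also *.onmicrosoft.com.
        $finding = if ($Domain.IsInitial) {
            'Initial domain: Remove-MsolDomain refuses (InitialDomainDeletionException)'
        } elseif ($Domain.Status -ne 'Verified') {
            'Unverified: removed without error in the answer above'
        } elseif ($Domain.Name -like '*.onmicrosoft.com') {
            'Verified, non-initial onmicrosoft.com: review manually; removal failed in this thread'
        } else {
            'Verified custom domain: not the case discussed in this thread'
        }

        [pscustomobject]@{
            Name      = $Domain.Name
            Status    = $Domain.Status
            IsInitial = [bool]$Domain.IsInitial
            Finding   = $finding
        }
    }
}

# Constructed sample mirroring the Get-MsolDomain listing in the answer;
# the IsInitial values are assumed for illustration.
$sample = @(
    [pscustomobject]@{ Name = 'xxxxxxx13.onmicrosoft.com';      Status = 'Verified';   IsInitial = $true  }
    [pscustomobject]@{ Name = 'xxxxxxx13.mail.onmicrosoft.com'; Status = 'Verified';   IsInitial = $false }
    [pscustomobject]@{ Name = 'abcd.org';                       Status = 'Verified';   IsInitial = $false }
    [pscustomobject]@{ Name = 'abc.onmicrosoft.com';            Status = 'Unverified'; IsInitial = $false }
)
$sample | Get-DomainRemovalTriage | Format-Table -AutoSize -Wrap

# Against a live tenant (after Connect-MsolService):
# Get-MsolDomain | Get-DomainRemovalTriage | Format-Table -AutoSize -Wrap
```

Any row flagged as verified, non-initial onmicrosoft.com matches the situation reported in the comments that follow, where both the portal and `Remove-MsolDomain` returned errors.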

@shashishailaj

Thank you for the reply. It seems that I left out some important information regarding adding additional .onmicrosoft.com domains in my first post.

189750-image.png


As can be seen in the screenshot posted above, I have 3 verified .onmicrosoft.com domains.

Steps to add verified .onmicrosoft.com domains
1. Navigate to 'https://admin.microsoft.com/#/Domains'
2. Click on primary '.onmicrosoft.com' domain
189719-image.png
3. Click on the 'Add onmicrosoft.com domain' hyperlink highlighted in the screenshot below
189757-image.png

I have rerun all the commands you used above and posted the results below.
189779-image.png


1 Vote 1 ·
shashishailaj TimothyDirks-1589 ·

@TimothyDirks-1589 · Thank you for providing the details. I have never used this option to create a fallback domain. I am sorry to have missed this part. It's amazing to learn something new every day despite working on the same technology for quite some time. :) I apologize for the oversight. It seems that in your case the tenant you are using is from some Office 365 reseller mail service like GoDaddy etc. The NETORG prefix is given to tenants that are created through GoDaddy or other Office 365 mail resellers. As far as I know there are certain restrictions with them and they do not provide the same feature parity as general Office 365 subscriptions because anyone signing up for Office 365 from services like GoDaddy.

However, this is an interesting scenario where we are able to add the fallback domain but not able to delete it. I added a fallback domain by using the instructions that you shared, by going to https://admin.microsoft.com/#/Domains/Details/. And I am unable to delete the fallback domains created later as well. I am getting the same error as you. I have reached out for help internally and will update you as soon as I find anything new.

Thank you.

0 Votes 0 ·

Thank you for your reply. You are correct, this tenant did start out as a GoDaddy 365 account. I was able to take total control of the tenant using the instructions provided here defederating-godaddy-365. The restrictions you mentioned are why I am trying to remove these domains in the first place. I plan on starting out with a fresh tenant but I need one of the .onmicrosoft.com domains attached to this current tenant.

I look forward to your reply regarding your internal investigation.

Thank you,

Edit: Spelling and grammar

1 Vote 1 ·
shashishailaj TimothyDirks-1589 ·

@TimothyDirks-1589, apologies for the delay on this. I am yet to get an update on this from the backend team. As soon as I have anything, I will update you.

1 Vote 1 ·

Any update on this? It's been well over a month...

0 Votes 0 ·
0 Votes
DionisVozian-4938 answered

I'm facing the same issue.


0 Votes
WillChristopher-777 answered MichaelSevarino-1424 commented

I'm having the same issue. Has anyone figured it out, yet?


Nope, the Microsoft devs stopped responding over a month ago...

0 Votes 0 ·

So, what did you do? Did you just have to leave domain there on your tenant?

0 Votes 0 ·

Yes, unfortunately.

0 Votes 0 ·