Is it possible to remove extra '.onmicrosoft.com' domains from Azure AD

Question

Is it possible to remove extra '.onmicrosoft.com' domains from Azure AD

Timothy Dirks 21

I am trying to remove a few extra '.onmicrosoft.com' domains I added to my Azure AD for testing

Steps taken so far:

Removed all dependancies on domain in Azure AD
Attempted to remove domain under 'Custom domain names' section of the Azure AD on azure portal. Resulted in "Unable to delete domain name '****.onmicrosft.com' from ****.com"
Used used 'Remove-MsolDomain' command in powershell.
Resulted in:

Remove-MsolDomain : Unknown error occurred.
At line:1 char:1

Remove-MsolDomain -DomainName "****.onmicrosoft.com" - ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : OperationStopped: (:) [Remove-MsolDomain], MicrosoftOnlineException
FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DomainCapabilityUnsetException,Microsoft.Onli
ne.Administration.Automation.RemoveDomain

Note: This is NOT the default '.onmicrosoft.com' domain that was created when tenant was created.

Answer 1

@Timothy Dirks ,

As I understand your query , you seem to be trying to remove extra *.onmicrosoft.com' domain names from your Azure AD tenant . You have also mentioned that you the domain you are trying to remove is not the same domain that was created when tenant was created. The domain name that is created while we create a new tenant has type initial added to it as shown below.

The .onmicrosoft.com name is the initial name that is provided to a tenant whenever it is created. The .onmicrosoft.com namespace is Microsoft-owned service namespace for Azure AD service . Its not possible to have two verified .onmicrosoft.com domain names associated with a single azure AD tenant by design . If there were multiple .onmicrosoft.com domains in your Azure AD tenant; by design, only one would be verified domain that you would be able to use with users or groups while others would just be unverified domains which could be removed easily with the cmdlet Remove-AzureADdomain or Remove-MSolDomain.

I tried to see if multiple .onmicrosoft.com domain could be added . Whenever I add a new .onmicrosoft.com domain like abc.onmicrosoft.com to my azure AD tenant, the system asks me to verify the same. In order to verify that I will require access to the onmicrosoft.com DNS zone which no one has access to except Microsoft Cloud Services hence the domain would never become a verified domain in my case as you can see below.

For testing, I tried removing the initial domain xxxxxx13.onmicrosoft.com and got the following error.

PS C:\> Remove-MsolDomain -DomainName xxxxxxx13.onmicrosoft.com  
Remove-MsolDomain : You cannot remove the initial domain created for you in Office 365.  
At line:1 char:1  
+ Remove-MsolDomain -DomainName MSDx756613.onmicrosoft.com  
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
    + CategoryInfo          : OperationStopped: (:) [Remove-MsolDomain], MicrosoftOnlineException  
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.InitialDomainDeletionException,Microsoft.Online.Administration.Automation.RemoveDomain

Then I tried removing other domains and I was successful without any issue as they were unverified domains.

PS C:\> Get-MsolDomain  
  
Name                            Status     Authentication  
----                            ------     --------------  
xxxxxxx13.onmicrosoft.com      Verified   Managed         
xxxxxxx13.mail.onmicrosoft.com Verified   Managed         
abcd.org                       Verified   Managed         
abc.onmicrosoft.com             Unverified Managed         
rd.onmicrosoft.com              Unverified Managed         
  
  
PS C:\> Remove-MsolDomain -DomainName abc.onmicrosoft.com  
  
PS C:\> Get-MsolDomain  
  
Name                            Status     Authentication  
----                            ------     --------------  
xxxxxxx13.onmicrosoft.com      Verified   Managed         
xxxxxxx13.mail.onmicrosoft.com Verified   Managed         
abcd.org                       Verified   Managed         
rd.onmicrosoft.com              Unverified Managed

In this case I added multiple .onmicrosoft.com domains and removed them using the PowerShell cmdlets Remove-MsolDomain and it worked without any issue. Ideally if you have multiple verified .onmicrosoft.com domains in your azure AD tenant , it can be some bug and we can help you further if you can provide more information on this. I hope the information provided clarifies how custom domains related to .onmicrosoft.com domains associated with a azure AD tenant . If the information is not helpful , please check if the domains you are trying to remove are verified or not. If they are verified , please let us know and we will continue to help you . Should the information in this thread help you , please do accept this post as answer which will help other members of the community and improve the relevancy of this thread.

Thank you .

----------------------------------------------------------------------------------------------------------------------------------------------------------

Please don't forget to click on whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how
Want a reminder to come back and check responses? Here is how to subscribe to a notification
If you are interested in joining the VM program and help shape the future of Q&A: Here is how you can be part of Q&A Volunteer Moderators

Timothy Dirks 21 Reputation points

2022-04-04T15:28:35.01+00:00

@ShashiShailaj-MSFT

Thank you for the reply. It seems that I left out some inportant information regarding adding additional .onmicrosoft.com domains in my first post.

As can be seen in the screenshot posted above, I have 3 verrified .onmicrosoft.com domains.

Steps to add verified .onmicrosoft.com domains

Navigate to 'https://admin.microsoft.com/#/Domains'

Click on primary '.onmicrosoft.com' domain

Click on the 'Add onmicrosoft.com domain' hyper link highlighed in the screenshot below

I have rerun all the commands you used above and posted the results below.
ShashiShailaj-MSFT 7,466 Reputation points Microsoft Employee

2022-04-05T10:13:11.857+00:00

@Timothy Dirks · Thank you for providing the details. I have never used this option to create fallback domain . I am sorry to have missed this part . Its amazing to learn something new everyday despite working on same technology for quite some time. :) . I apologize for the oversight . It seems in your case your tenant that you are using is from some Office365 reseller mail service like GoDaddy etc. the NETORG prefix is given to tenants that are created through GoDaddy or other office 365 mail resellers . As far as I know there are certain restriction with them and they do not provide same feature parity as general Office 365 subscriptions because anyone signing up for office 365 from services like godaddy .

However this is an interesting scenario where we are able to add the fallback domain but not able to delete the same. I added a fallback domain by using the instructions that you shared by going to https://admin.microsoft.com/#/Domains/Details/. And I am unable to delete the fallback domains created later as well . I am getting the same error as you . I have reached out for help internally and will update you as soon as I find anything new.

Thank you.
Timothy Dirks 21 Reputation points

2022-04-05T18:54:46.77+00:00

Thank you for your reply. You are correct, this tenent did start out an GoDaddy 365 account. I was able to take total control of the tenant using the instructions provided here defederating-godaddy-365. The restrictions you mentioned are why I am trying to remove these domains in the first palce. I plan on starting out with a fresh tenant but I need one of the .onmicrosoft.com domains attached this current tenent.

I look forward to your reply regarding your internal investigation.

Thank you,

Edit: Spelling and grammar
ShashiShailaj-MSFT 7,466 Reputation points Microsoft Employee

2022-04-12T11:26:35.213+00:00

@Timothy Dirks , apologies for the delay on this . I am yet to get an update on this from the backend team . AS soon I have anything , I will update the same with you.
Timothy Dirks 21 Reputation points

2022-05-30T22:18:16.267+00:00

Any update on this? It's been well over a month...

Answer 2

Dionis Vozian 1

i'm facing the same issue.

Answer 3

Will Christopher 1

I'm having the same issue. Has anyone figured it out, yet?

Timothy Dirks 21 Reputation points

2022-05-30T22:17:47.2+00:00

Nope, the Microsoft devs stopped responding over a month ago...
Will Christopher 1 Reputation point

2022-05-30T22:30:21.783+00:00

So, what did you do? Did you just have to leave domain there on your tenant?
Timothy Dirks 21 Reputation points

2022-05-30T22:31:40.277+00:00

Yes, unfortunately.
Michael Sevarino 1 Reputation point

2022-06-06T02:54:45.407+00:00

I am trying to do the same thing right now with extraneous /microsoft domains, and one I want to use in a new tenant. I have removed onmicrosoft domains in the past, just a couple months ago. I no longer can either and get the same error you do.

Back in February or January I saw the documentation regarding the ability to change the fallback domain in MS365, the Intiial Domain in Azure AD and the Sharepoint Home URL address. Since it conflicted with other documentation saying it wasn't possible to do this, and assuming they just didn't update the conflicting documentation yet, since they didn't say anything about deleting the onmicrosoft domains or the initial domain, even though documentation said you couldn't delete the initial/fallback domain, I gave it a try after changing to the newly created onmicrosoft domain, and I was successful in deleting it from my tenant.
Michael Sevarino 1 Reputation point

2022-06-06T02:55:09.523+00:00

But, it broke my Exchange instance and my verified domains no longer showed up as Accepted domains in EXOnline. After a month of going back and forth with support, getting escalated four or five times, eventually ending up dealing with the US engineering team, they were able to restore my Exchange functionality when I re-added the sign-up/root onmicrosoft domain that I initially signed up with. They didn't seem to be able to know from their end that the initial onmicroosft domain I signed up with was ever a part of the tenant at all. Initially they said "well it looks like your initial domain was "x" and now it is the new one, and you deleted "x"" However, the domain they were referring to was never the initial domain of the tenant, although I had created it then deleted it. It was at this point I informed them about my actual original domain. If it hadn't already been five weeks or so, I would have continued to play dumb to see if they could remap the o365/AAD component with Exchange, thus kind of backdooring a way to delete the original initial domain, but I couldn't wait any longer. I had changed the intial and fallback domains twice as I was playing with the new feature, so perhaps they only were able to see the domain from which it had been most recently changed, but not a comprehensive change log.
Michael Sevarino 1 Reputation point

2022-06-06T02:55:25.66+00:00
So it looks like at a minimum, the sign-up/root intitial/fallback domain serves as a link between AAD and EXOnline, and possibly any domain that has ever had this role. It seems however that they either can't determine which domains were previouisly intiial/fallback domains, or instead of scoping tenant global admin permissions to only be able to delete onmicorosft domains that had previously been fallbackintiial domains, or possibly, just the original/root fallback/intiial domain, they just made it so that we can't delete any of those domains. It seems my expermient exposed the need to limit this functionality.

I am also going to open a ticket to try and have them delete those domains. I think a couple workaround I might suggest are:

remove the limit of 5 onmicrosoft domains as a short term solution if you've hit that, because this is one reason I want to delete an onmicrosoft domain right now, to add another to my current tenant.

make it possible to change the onmicrosoft domain to a federated domain from a standard domain, and then it can serve both the mapping/connection function for EXOn;ine and AAD in the current tenant, and serve as a standard domain in the new tenant, if the goal is to create a new tenant with an onmicroft domain that is assigned to a tenant you already control. I think this is your situation, and I am also trying to do this.
Michael Sevarino 1 Reputation point

2022-06-06T03:54:38.757+00:00

Appologies for thei multi message response. But I just ran Get-OrganizationConfig in ExOnline Powershell and from what I can see, the only domain that can't be removed without some serious remapping on the backend is the fomain that was used at the time of Tenant creation. My original creation onmicrosoft domain is still part of several attributes in my EXOnline tenant.

Here is a complete list of tenant ttributes where I see the creator onmicroft domain with Get-OrganizationConfig:

OrganizationId
Name
Identity
Microsoft Exchange Recipient Email Addresses
MicrosoftExchangeRecipientEmailAddressPolicyEnabaled
MicrosoftExchangeRecipientPrimarySmtpaddress
ElevatedAccessControl
DistinguishedName
OrganizationalUnitRoot

None of these attributes updated to the fallback/initial domain I am using now. However, there is no trace of either of the two onmicrosoft domains that I used previously that were not the original domain. In this test case I have changed the intiial/fallback domain three times and am on my fourth domain.

I hope this information can get us somewhere.

It would seem to me that if those attributes in Exoonline were renamed, then removal of all the domains should be possible. The only catch might be that there is an attribute called OrganizationHash, which would probably have to be rehashed if the Organization name was changed on the backend of the EXOnline instance.

Answer 4

Hi all,

I'm facing the same issue.

I created two sub-domains on my default "onmicrosoft.com" address: User's image

Even the sub-domains aren't set as "Primary", I'm not able to delete one of them:

User's image

"subsub.xxx.onmicrosoft.com" is a custom domain with state: "Verified" but not the "Primary" domain:

User's image

Also deleting this Domain my Power-Shell with: Remove-AzureADDomain -Name subsub.AxxxxxxxxxxxA1.onmicrosoft.com was not possible.

What am I doing wrong?

Is this a Azure-Bug?

How to proceed here?

Answer 5

According to the Microsoft Learn article Add and replace your onmicrosoft.com fallback domain in Microsoft 365 one cannot delete the extra domains once they are created (but I'm guessing if one contacts MS Support they can help);

Is it possible to remove extra '.onmicrosoft.com' domains from Azure AD

5 answers

Note

You are limited a total of five onmicrosoft.com domains in your Microsoft 365 environment. Once they are added, they cannot be removed.

Activity