Updating Email Addresses After Removing Domains

The Microsoft 365 Admin Center Makes It Easy to Remove Domains

I’ve been cleaning up the set of accepted domains configured for my Microsoft 365 tenant. After we launched the Office 365 for IT Pros eBook, I acquired several domains like Office365ExchangeBook.com that seemed to be relevant to the book. Years later and the office365itpros.com domain persists with a large legacy of published articles and scripts. No real advantage has been gained from the other domains, so the decision was taken to drop the unwanted domains and remove them from Microsoft 365.

Removing a domain is easier than adding a domain. Go to the Domains section (under Settings), select the unwanted domain, and select Remove domain from the menu. This method works for vanity domains (the type that you pay domain registrars to own) but not for fallback or service domains used for MOERA addresses.

When you use the Microsoft 365 admin center to remove a domain, the portal thoughtfully shows the mail-enabled objects that will be affected by the removal (Figure 1). You can then remove any proxy addresses assigned to the highlighted objects that use the domains.

Figure 1: Warnings about affected users before the Microsoft 365 admin center removes a domain

The Problem of PowerShell

But sometimes you might remove a domain with the Remove-AcceptedDomain cmdlet and so lose the benefit of the checks performed by the Microsoft 365 admin center. This is fair enough because if you make changes to a tenant configuration through PowerShell, you should understand the consequences of the action. I wish I did…

If you forget to adjust email addresses for objects affected by the domain removal, you’ll see errors like this when attempting to update an address:

Set-UnifiedGroup -Identity c38ef1e1-1957-4e5f-bcde-1eae7bb234f3 -PrimarySmtpAddress 'Soccer.Fans@office365itpros.com'
Set-UnifiedGroup: ||You can't use the domain Office365ExchangeBook.com because it's not an accepted domain for your organization.

Quite reasonably, the cmdlet complains that it can’t update the primary SMTP address for the Microsoft 365 group because it’s detected an invalid entry in the set of proxy addresses. To correct the issue, we need to find all the mail-enabled objects that have primary or proxy addresses that use the removed domain and remove or replace the offending addresses.

The PowerShell Solution

You can download the script I used from the Office 365 for IT Pros GitHub repository. Essentially, the script breaks down into three parts. First, the script retrieves the current set of accepted domains and identifies the default domain:

[array]$Domains = Get-AcceptedDomain 
$PrimaryDomain = $Domains | Where-Object { $_.Default -eq $true } | Select-Object -ExpandProperty DomainName
[array]$Domains = $Domains | Select-Object -ExpandProperty DomainName

Second, the script checks mailboxes, Microsoft 365 groups, distribution groups, and dynamic distribution groups to find instances where proxy addresses don’t belong to an accepted domain. The details of the affected objects are recorded in a list. Here’s how the script deals with mailboxes:

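# List that collects details of objects with addresses outside the accepted domains
$Report = [System.Collections.Generic.List[Object]]::new()
Write-Host "Checking mailboxes..."
[array]$Mailboxes = Get-ExoMailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox, SharedMailbox, RoomMailbox, EquipmentMailbox, DiscoveryMailbox

ForEach ($Mailbox in $Mailboxes) {
    # -like is case-insensitive, so this matches both primary (SMTP:) and secondary (smtp:) addresses
    $ExternalAddresses = $Mailbox.EmailAddresses | Where-Object { $_ -like "SMTP:*" -and ($_.Split(':')[1].Split('@')[1] -notin $Domains) }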
    If ($ExternalAddresses) {
        $ReportLine = [PSCustomObject][Ordered]@{
            DisplayName             = $Mailbox.DisplayName
            PrimarySmtpAddress      = $Mailbox.PrimarySmtpAddress
            EmailAddresses          = $ExternalAddresses -join ", "
            Type                    = "mailbox"
            Identity                = $Mailbox.Alias
        }
        $Report.Add($ReportLine)
    }
}

Finally, each of the objects found by checking proxy addresses against accepted domains is processed to remove any bad proxy addresses and assign new primary SMTP addresses where necessary.
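The third step can be sketched as a pure function that works out the corrected address list before anything is written to the tenant. This is an added example, not the author's script: Resolve-ProxyAddress, the sample addresses, and the contoso.onmicrosoft.com domain are constructed for illustration, and the commented Set-Mailbox call is one assumed way to apply the result.

```powershell
# Added example (not from the original script). Resolve-ProxyAddress is a hypothetical helper.
function Resolve-ProxyAddress {
    param(
        [string[]]$EmailAddresses,   # for example $Mailbox.EmailAddresses
        [string[]]$AcceptedDomains,  # for example $Domains from Get-AcceptedDomain
        [string]$PrimaryDomain,      # the default accepted domain
        [string]$Alias               # used to build a replacement primary address
    )
    $Keep    = [System.Collections.Generic.List[string]]::new()
    $Removed = [System.Collections.Generic.List[string]]::new()
    foreach ($Address in $EmailAddresses) {
        # Same test as the mailbox check: any SMTP entry whose domain is not accepted
        if ($Address -like 'smtp:*' -and ($Address.Split('@')[-1] -notin $AcceptedDomains)) {
            $Removed.Add($Address)
        } else {
            $Keep.Add($Address)   # non-SMTP entries and valid SMTP entries pass through
        }
    }
    # The primary address carries an upper-case SMTP: prefix; -clike is case-sensitive
    $NewPrimary = $null
    if (-not @($Keep | Where-Object { $_ -clike 'SMTP:*' })) {
        $NewPrimary = '{0}@{1}' -f $Alias, $PrimaryDomain
        # Promote an existing secondary with the same address instead of duplicating it
        $Others = @($Keep | Where-Object { $_ -ne "smtp:$NewPrimary" })
        $Keep = [System.Collections.Generic.List[string]]::new()
        $Keep.Add("SMTP:$NewPrimary")
        foreach ($Other in $Others) { $Keep.Add($Other) }
    }
    [PSCustomObject]@{
        Remove         = @($Removed)
        NewPrimary     = $NewPrimary
        EmailAddresses = @($Keep)
    }
}

# Constructed sample: the primary address still uses the removed domain
$Sample = @(
    'SMTP:Soccer.Fans@Office365ExchangeBook.com',
    'smtp:soccer.fans@office365itpros.com',
    'X500:/o=Constructed/cn=Recipients/cn=SoccerFans'
)
$Accepted = 'office365itpros.com', 'contoso.onmicrosoft.com'
$Fix = Resolve-ProxyAddress -EmailAddresses $Sample -AcceptedDomains $Accepted -PrimaryDomain 'office365itpros.com' -Alias 'Soccer.Fans'
$Fix | Format-List

# Assumed way to apply the result to a mailbox; review with -WhatIf before committing:
# Set-Mailbox -Identity $Mailbox.Alias -EmailAddresses $Fix.EmailAddresses -WhatIf
```

Reviewing the Remove and NewPrimary values for every object before writing gives back the kind of preview that the admin center shows before it removes a domain.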

Not Perfect Code

I don’t pretend that this script is perfect code. All I can say is that it did the job for me and cleaned up primary and proxy addresses for my tenant and might therefore be useful to others in the same situation. What this experience goes to prove is that sometimes executing clean-up operations is better done through the GUI where you can take advantage of the work done by engineers to anticipate what needs to be done after adjustments are made to a tenant.



4 Replies to “Updating Email Addresses After Removing Domains”

  1. Hi Tony,
    Thanks for this article.
    I would love to be able to remove a domain from a tenant when there are some domain dependencies left. We often migrate tenants of acquired companies into our tenant and move the domain(s) from those tenants into our tenant on migration day. We have a range of scripts that convert primary email and UPN to ‘@onmicrosoft’ and remove the remaining aliases. What mostly gets stuck is user objects that once had an Exchange license that got removed later. Then it’s not possible to remove the aliases and a ‘stuck’ IM address that stays on the domain forever unless you re-add a licence, wait for the mailbox to be provisioned. Then remove the domain traces and remove the license again. (or delete these kind of user objects entirely, but that is the last resort since we want to keep the old tenant intact for a while after migration in case we missed something.)

    So I’m wondering how you are able to remove the domain without the checks performed by the M365 admin center. I think Remove-AcceptedDomain is an on-prem-only command. And Remove-MgDomain will fail when there is still a dependency left, similar to the M365 admin center.

  2. In the past when I tried to remove the domain, if the domain is part of any object in the tenant it does not allow me to remove the domain in the first place. Isn’t it the same anymore?
    And in the script I see you are checking for “SMTP”, primary email address. What if the domain you are trying to remove is part of a secondary or SIP address? Don’t you want to remove them as well?

    1. The script does remove secondary addresses… there’s only a specific check for the primary SMTP address because if one exists for a removed domain, the primary address must be recreated using the default domain.

      As to removing the domain when objects exist, I was obviously able to do that because I got myself into a situation where objects with unworkable addresses existed and had to fix them. I really didn’t focus too much on how I was able to remove domains… just on fixing the problem.
