Migrating existing domains between two Office 365 tenants.

Hamza Hassoun
Dec 4, 2017 · 4 min read

Picking an Office 365 tenant name is a one-time opportunity, just as picking the Office 365 region that will host your tenant is. Neither the tenant name nor the tenant region can be changed after they have been selected. However, in some cases, companies and organizations need to change their tenant name or region and find that they cannot. The only possible course of action is to migrate all existing Office 365 services to a new tenant.

If there is no need to retain the data in the old tenant, you can easily remove all users and your verified domains from the old tenant. However, when the intent is to move the domains to the new tenant while keeping all the data in the old tenant, removing all users from the old tenant is no longer an option. The methodology and scripts to be used in this particular scenario follow:

Warning: This guide walks you through the process of moving domains between tenants. It covers only the Identity and Authentication components. Once the process is started, users will be unable to log in to the old Office 365 tenant and Exchange Online mail flow will be interrupted. You will have to migrate all existing services (Exchange Online, SharePoint, Skype for Business, etc.) to the new tenant and move your existing licences.

Step 1 : Disable ADFS Federation

This step only applies to tenants with one or more domains using identity federation. You must revert all federated domains to managed domains.

You will first need to connect to your Office 365 tenant using the PowerShell command Connect-MsolService. You can verify which domains in your tenant are Federated by running the Get-MsolDomain command.

Set the ADFS context to the name of your server. This is the actual FQDN of the ADFS server.

Set-MsolADFSContext -Computer ADFS_Server_FQDN

You can then convert each of your federated domains to a managed domain. The user conversion can be skipped, since it is not required here, and skipping it significantly reduces the time the command takes to run:

Convert-MsolDomainToStandard -DomainName labhh.com -SkipUserConversion:$true -PasswordFile C:\passwords.txt

If the command completes successfully, all your domains should be listed as Managed. At this point, users will no longer be able to log in with their credentials unless Password Synchronization is enabled.

Step 2 : Disable Azure Active Directory Connect synchronization

Once all domains are Managed domains, it is time to disable directory synchronization. Run the following PowerShell command to turn it off:

Set-MsolDirSyncEnabled -EnableDirSync $false

You can then turn off the directory synchronization server or uninstall Azure AD Connect.
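As an added example (not code from the original article), the following script ties Steps 1 and 2 together for a tenant with several federated domains: it converts every federated domain, verifies that none remain, warns if password synchronization is not in place before sign-in would break, and only then disables directory synchronization. It assumes Connect-MsolService has already been run; the ADFS server name and password file path are placeholders you supply.

```powershell
# Added example, not the article's own code. Assumes an MSOnline session
# (Connect-MsolService) is already established.
param(
    [Parameter(Mandatory)] [string] $AdfsServer,      # FQDN of the ADFS server (placeholder)
    [string] $PasswordFile = "C:\passwords.txt"       # where Convert-MsolDomainToStandard writes temporary passwords
)

Set-MsolADFSContext -Computer $AdfsServer

# Step 1: revert every federated domain to managed.
# -SkipUserConversion keeps the run short, as in the article's single-domain command.
$federated = Get-MsolDomain | Where-Object { $_.Authentication -eq "Federated" }
foreach ($d in $federated) {
    Write-Host "Converting $($d.Name) to a managed domain"
    Convert-MsolDomainToStandard -DomainName $d.Name -SkipUserConversion:$true -PasswordFile $PasswordFile
}

# Verify before touching synchronization: nothing may still be federated.
$remaining = Get-MsolDomain | Where-Object { $_.Authentication -eq "Federated" }
if ($remaining) {
    throw "Domains still federated: $($remaining.Name -join ', ')"
}

# Without password hash synchronization, users lose the ability to sign in once
# federation is gone, so surface that before the point of no return.
$company = Get-MsolCompanyInformation
if (-not $company.PasswordSynchronizationEnabled) {
    Write-Warning "Password synchronization is not enabled; users will not be able to sign in after this point."
}

# Step 2: disable directory synchronization and report the resulting tenant flag.
Set-MsolDirSyncEnabled -EnableDirSync $false
Write-Host "DirectorySynchronizationEnabled is now: $((Get-MsolCompanyInformation).DirectorySynchronizationEnabled)"
```

Run it once, interactively, after confirming the ADFS context resolves; the throw after the conversion loop is deliberate so that directory synchronization is never disabled while a domain is still federated.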

Step 3 : Change all UPNs to the .onmicrosoft.com domain

Once identity synchronization is disabled, all your existing users should revert to In Cloud users. If you log back in to the tenant, the “Status” column should have disappeared entirely. However, all attributes are left unchanged, including UPNs and email addresses.

To remove your domain from Office 365, you must make sure the domain is no longer used in any of your users’ attributes. Depending on how large your organization is, it might take a significant amount of time to clean up all users.

Start by changing all your users’ UPN to the .onmicrosoft.com domain by running the following script:

Get-MsolUser -All | ForEach-Object {Set-MsolUserPrincipalName -ObjectId $_.ObjectId -NewUserPrincipalName ($_.UserPrincipalName.Split("@")[0] + "@labhh.onmicrosoft.com")}

If you have distribution groups, you will also need to update their primary SMTP address. Log in to Exchange Online PowerShell and run the following command:

Get-DistributionGroup -ResultSize Unlimited | ForEach-Object {Set-DistributionGroup -Identity $_.Name -PrimarySmtpAddress ($_.PrimarySmtpAddress.Split("@")[0] + "@labhh.onmicrosoft.com")}

Step 4 : Remove any dependency

Once all users have their UPN set to the .onmicrosoft.com domain, you will need to remove any email address using one of your domains. You will have to perform this cleanup on users, groups, and resources (room and equipment).

To find all users who have an email address matching the domain you are moving, run the following command. It outputs the UPN of every user that has a dependency on the domain.

Get-MsolUser -DomainName labhh.com -all

Because we changed every user’s UPN, their primary SMTP addresses are now also on the .onmicrosoft.com domain. Therefore, all remaining addresses on the domain are secondary email addresses. You can remove all aliases from every user mailbox using this script:

# Mailboxes that carry more than one address, i.e. at least one alias
$users = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited | Where-Object {$_.EmailAddresses.Count -gt 1}
$i = 0
foreach ($user in $users) {
    foreach ($email in $user.EmailAddresses) {
        # Keep only the primary address (prefixed "SMTP:"); remove everything else
        if ($email -ne "SMTP:" + $user.PrimarySmtpAddress) {
            Set-Mailbox -Identity $user.Name -EmailAddresses @{Remove=$email}
        }
    }
    $i++
    Write-Host $user.PrimarySmtpAddress "has been processed" $i"/"$users.Count
}

You can then remove all aliases from every distribution group using the following script:

# Distribution groups that carry more than one address, i.e. at least one alias
$groups = Get-DistributionGroup -ResultSize Unlimited | Where-Object {$_.EmailAddresses.Count -gt 1}
$i = 0
foreach ($group in $groups) {
    foreach ($email in $group.EmailAddresses) {
        # Keep only the primary address (prefixed "SMTP:"); remove everything else
        if ($email -ne "SMTP:" + $group.PrimarySmtpAddress) {
            Set-DistributionGroup -Identity $group.Name -EmailAddresses @{Remove=$email}
        }
    }
    $i++
    Write-Host $group.PrimarySmtpAddress "has been processed" $i"/"$groups.Count
}

Now that all dependencies have been removed, you can safely remove verified domains from your Office 365 tenant and add them to the new one.
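As an added example (not the article's own script), the following audit goes a step further than the two cleanup scripts above: it covers every recipient type that can hold an address on the domain (user, shared, room and equipment mailboxes, distribution and mail-enabled security groups, mail contacts and Office 365 groups), exports the matching addresses to a CSV so they can be re-added in the new tenant, flags any primary address or UPN still on the domain, and only removes the secondary addresses that actually belong to the domain being moved rather than every alias. It assumes an Exchange Online PowerShell session and an MSOnline session are both connected; the domain, CSV path and the -Remove switch are the script's own (hypothetical) parameters.

```powershell
# Added example, not code from the original article. Assumes Connect-MsolService
# and an Exchange Online PowerShell session are already established.
param(
    [Parameter(Mandatory)] [string] $Domain,                 # domain being moved, e.g. labhh.com (placeholder)
    [string] $ExportPath = ".\domain-dependencies.csv",      # constructed output path
    [switch] $Remove                                          # without -Remove the script only reports
)

$suffix = "@" + $Domain.ToLower()

# 1. Users the directory still ties to the domain (the article's Step 4 check).
#    After Step 3 this list should be empty.
foreach ($u in (Get-MsolUser -DomainName $Domain -All)) {
    Write-Warning "User still references $Domain : $($u.UserPrincipalName)"
}

# 2. Every recipient whose proxy addresses include the domain, regardless of type.
$recipients = Get-Recipient -ResultSize Unlimited |
    Where-Object { $_.EmailAddresses | Where-Object { $_.ToString().ToLower().EndsWith($suffix) } }

$report = foreach ($r in $recipients) {
    foreach ($addr in $r.EmailAddresses) {
        $text = $addr.ToString()
        # Only SMTP addresses on the domain; X500/SIP entries are left untouched.
        if ($text -match '^smtp:' -and $text.ToLower().EndsWith($suffix)) {
            [pscustomobject]@{
                Identity      = $r.Identity
                RecipientType = $r.RecipientTypeDetails
                Address       = $text
                IsPrimary     = $text.StartsWith("SMTP:", [System.StringComparison]::Ordinal)
            }
        }
    }
}

# Keep a record of what is about to be removed for re-creation in the new tenant.
$report | Export-Csv -Path $ExportPath -NoTypeInformation
Write-Host "$(@($report).Count) address(es) on $Domain exported to $ExportPath"

# A primary address on the domain cannot be removed; it has to be changed first (Step 3).
foreach ($p in ($report | Where-Object IsPrimary)) {
    Write-Warning "Primary address still on $Domain : $($p.Identity) ($($p.RecipientType))"
}

if (-not $Remove) { return }

# 3. Remove only the secondary addresses on the domain, with the cmdlet that matches the type.
foreach ($entry in ($report | Where-Object { -not $_.IsPrimary })) {
    switch -Wildcard ($entry.RecipientType) {
        "GroupMailbox"     { Set-UnifiedGroup -Identity $entry.Identity -EmailAddresses @{Remove=$entry.Address}; break }
        "*Mailbox"         { Set-Mailbox -Identity $entry.Identity -EmailAddresses @{Remove=$entry.Address}; break }
        "MailUniversal*"   { Set-DistributionGroup -Identity $entry.Identity -EmailAddresses @{Remove=$entry.Address}; break }
        "MailContact"      { Set-MailContact -Identity $entry.Identity -EmailAddresses @{Remove=$entry.Address}; break }
        default            { Write-Warning "Skipped $($entry.Identity): unhandled type $($entry.RecipientType)" }
    }
}
```

Run it first without -Remove and review the CSV and the warnings; the domain removal in the admin portal will fail while any warning remains, so the report doubles as the go/no-go check for this step. Running with -Remove a second time should then leave the report empty.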

Written by Hamza Hassoun: IT and video game enthusiast. I work as a system engineer at Softchoice with #cloud, #azure and #data technologies.
