Escape the Sandbox: The Complete GoDaddy M365 Defederation Guide

Break free from GoDaddy's federated Microsoft 365 lockdown. Learn the official support ticket bypass, the technical mechanics of SAML defederation, and the PowerShell automation required to restore true Global Admin control to your tenant.




The Ticket: The GoDaddy Hostage Situation

Client finally outgrew their "Business in a Box" GoDaddy subscription. They want to implement proper Conditional Access policies, set up Intune, or just run a basic PowerShell script. But every time you try to log into the Azure portal, GoDaddy redirects you back to their Fisher-Price management dashboard. We need to rip this tenant away from GoDaddy, strip the reseller delegation, and take direct billing control without dropping a single email.


Pre-Flight Check

  • Permissions: GoDaddy Account Owner access & M365 Global Admin.
  • Tools: Microsoft Graph PowerShell (for the real fix), or just a lot of patience.
  • Impact: High. Every user needs a new password set by an admin after the cutover, because Entra ID holds no password for users on a federated domain. The GoDaddy-issued licenses stay active for 7 days after the move; direct Microsoft licenses must be in place inside that window or the client's mail flow goes dark.

The Solution

If you want to do this the "official" way via GoDaddy support, you have to play their game. Follow these steps to get past the Tier 1 runaround.

  1. Prep the Interrogation Answers: GoDaddy support requires a specific set of legal acknowledgments before they will trigger the migration. Copy and paste this exact block into your chat ticket to skip the 45-minute Q&A script:

Plaintext

Reason for moving away from GoDaddy: Prefer Microsoft Hosted Tenant.
Customer understands add-ons will be deleted: Yes.
Does the customer want to migrate their Email Archiving? No.
GoDaddy will no longer have access to the ORG and will not provide support: Yes.
Plans and pricing may be different at Microsoft: Yes.
Organization can not be moved back to GoDaddy: Yes.
Passwords will be reset for Admin users, and all users will need to be set after the move: Yes.
Password will be sent to the Shopper Email Address above: Yes.
GoDaddy's Reseller Relationship will remain intact for up to a year (does not prevent purchasing elsewhere): Yes.
  2. Wait for the Ticket: The rep will generate a migration ticket. It usually takes 1-2 business days. They will eventually send a temporary password to the GoDaddy "Shopper" email address on file. Note: GoDaddy will not tell you which accounts hold the Global Admin roles. Figure this out before you start.
  3. The Password Reset Chaos: Once GoDaddy completes their script, log into the Global Admin account using the temporary password. You must now reset the password of every user in the tenant before any of them can sign in again.
  4. Re-License Immediately: The GoDaddy licenses remain active for exactly 7 days. Buy the new licenses directly from Microsoft or your CSP immediately. Remove the GoDaddy license from each user before applying the new Microsoft license to avoid a provisioning conflict.
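Before you open the ticket you need three things GoDaddy will not hand you: the list of Global Admins, the current authentication type of each domain, and a password list for the reset that follows the move. The following script is an added example, not part of the original article or anything GoDaddy ships; it assumes the Microsoft Graph PowerShell SDK (v2) is installed, that you sign in with a Global Admin, and that C:\temp exists. It writes the passwords.csv (UserPrincipalName and NewPassword columns) that the reset loop further down consumes.

```powershell
# Added example (not from the original article): pre-move inventory with Microsoft Graph PowerShell.
# Assumptions: Graph SDK v2 is installed, you sign in with a Global Admin, and C:\temp exists.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes "Directory.Read.All","User.Read.All","Domain.Read.All" -NoWelcome

# 1. Who holds Global Administrator? GoDaddy will not tell you, so record it now.
$gaRole    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
    Where-Object { $_ }                       # groups and service principals carry no UPN
Write-Host "Global Administrators:"
$gaMembers | ForEach-Object { Write-Host "  $_" }

# 2. Domain state. 'Federated' means GoDaddy still owns sign-in for that domain.
Get-MgDomain -All | Where-Object IsVerified |
    Select-Object Id, AuthenticationType, IsDefault, IsInitial | Format-Table -AutoSize

# 3. SkuId -> SkuPartNumber lookup so the per-user license column is readable.
$skuNames = @{}
Get-MgSubscribedSku | ForEach-Object { $skuNames[[string]$_.SkuId] = $_.SkuPartNumber }

# 4. One-time passwords for the post-cutover reset, drawn from a CSPRNG (not Get-Random).
function New-TempPassword {
    # 64-entry alphabet (no 0/O/1/l/I); masking a random byte to 6 bits picks a
    # character with no modulo bias. Redraw until Entra's 3-of-4 category rule holds.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%*-'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] 20
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
    } while ($pw -cnotmatch '[A-Z]' -or $pw -cnotmatch '[a-z]' -or $pw -notmatch '\d')
    $pw
}

# 5. Per-user inventory, exported in the shape the post-cutover reset loop expects
#    (UserPrincipalName and NewPassword columns; it ignores the extra columns).
$inventory = Get-MgUser -All -Property Id,UserPrincipalName,DisplayName,AccountEnabled,UserType,AssignedLicenses |
    Where-Object { $_.UserType -eq 'Member' } |
    ForEach-Object {
        $u = $_
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            DisplayName       = $u.DisplayName
            AccountEnabled    = $u.AccountEnabled
            IsGlobalAdmin     = ($gaMembers -contains $u.UserPrincipalName)
            Licenses          = (($u.AssignedLicenses | ForEach-Object { $skuNames[[string]$_.SkuId] }) -join ';')
            NewPassword       = New-TempPassword
        }
    }

$inventory | Format-Table UserPrincipalName, IsGlobalAdmin, AccountEnabled, Licenses -AutoSize
$inventory | Export-Csv -Path 'C:\temp\passwords.csv' -NoTypeInformation
```

The CSV now holds every user's initial credential in clear text, so restrict its ACL to the admin running the cutover and delete it once the users have signed in. The IsGlobalAdmin column is the answer to step 2's "figure this out before you start", and the Licenses column tells you which SKUs you must re-buy within the 7-day window.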

The "Why" (Root Cause)

When a client buys email through GoDaddy, they aren't just buying a standard license; they are entering a federated domain relationship. GoDaddy creates a Microsoft 365 tenant on the client's behalf and registers the custom domain as Federated (WS-Fed/SAML) with GoDaddy as the identity provider. Entra ID still issues the tokens that Outlook and the web apps consume, but it no longer performs the primary authentication: when a user types their email address, home realm discovery sees that the domain is federated and bounces the browser to GoDaddy's sign-in endpoint, which hands back a signed token that Entra ID trusts.

GoDaddy also registers itself as Delegated Administrator (DAP) on the tenant. That is what lets their support reps manage it, and it also restricts the customer's own access to advanced admin centers such as Security and Compliance. When you initiate the "Move Away" process, GoDaddy runs a backend script that removes the federation trust and converts the domain back to Managed status. Entra ID never held a password for those users (their credential lived in GoDaddy's identity store), so once it becomes the authentication authority there is nothing to authenticate against until an admin sets new passwords. That is why a tenant-wide password reset is unavoidable; it is a consequence of federation, not a GoDaddy quirk.
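You can watch home realm discovery make this decision from the outside. login.microsoftonline.com/getuserrealm.srf is a public, unauthenticated endpoint that reports whether a domain is Managed or Federated and, for a federated domain, which sign-in URL the browser is bounced to. The script below is an added example, not code from the original article; the two JSON responses in it are constructed to show the before and after states, and the reseller hostname in them is made up, so only the live call at the end talks to Microsoft.

```powershell
# Added example (not from the original article): watch home-realm discovery do its job.
# getuserrealm.srf on login.microsoftonline.com is a public, unauthenticated endpoint that
# tells you how Entra ID will route sign-in for a given UPN: Managed or Federated, and
# if federated, where the browser gets bounced.

function Get-UserRealm {
    param([Parameter(Mandatory)][string]$Login)   # any UPN on the domain; the user need not exist
    $encoded = [uri]::EscapeDataString($Login)
    Invoke-RestMethod -Method Get -Uri "https://login.microsoftonline.com/getuserrealm.srf?login=$encoded&json=1"
}

function ConvertTo-RealmSummary {
    param([Parameter(Mandatory)]$Realm)           # the object getuserrealm.srf returns
    [pscustomobject]@{
        Domain      = $Realm.DomainName
        Type        = $Realm.NameSpaceType         # 'Managed', 'Federated' or 'Unknown'
        IsFederated = ($Realm.NameSpaceType -eq 'Federated')
        Brand       = $Realm.FederationBrandName
        AuthUrl     = $Realm.AuthURL               # only populated for a federated domain
    }
}

# Constructed responses (not captured from a live tenant) for the two states you will see
# before and after defederation. The reseller hostname is made up.
$beforeMove = @'
{"Login":"user@clientdomain.com","NameSpaceType":"Federated","DomainName":"clientdomain.com",
 "FederationBrandName":"Reseller Sign-In","AuthURL":"https://sso.reseller.example/login?wa=wsignin1.0"}
'@ | ConvertFrom-Json
$afterMove = @'
{"Login":"user@clientdomain.com","NameSpaceType":"Managed","DomainName":"clientdomain.com",
 "FederationBrandName":"Client Inc"}
'@ | ConvertFrom-Json

ConvertTo-RealmSummary $beforeMove | Format-List   # IsFederated = True, AuthUrl set
ConvertTo-RealmSummary $afterMove  | Format-List   # IsFederated = False, AuthUrl empty

# Live check against the real endpoint (needs network access):
# ConvertTo-RealmSummary (Get-UserRealm 'admin@clientdomain.com') | Format-List
```

Run the live check before and after the move: the Type flipping from Federated to Managed and AuthUrl going empty is the cleanest external confirmation that Entra ID has taken authentication back, and it works without any admin credentials.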


Under the Hood (Technical Deep Dive)

Waiting 48 hours for GoDaddy to click a button is absurd. Most MSPs bypass the support ticket entirely and defederate the tenant themselves via PowerShell in about ten minutes.

When you defederate manually, you are tearing down the federation trust yourself. First, find the admin@[tenant].onmicrosoft.com account in Entra ID and reset its password so you hold a credential that does not depend on the federated domain: the moment the domain flips to Managed, every user whose UPN is on that domain can no longer sign in, and that includes you if you signed in as one of them. Then connect to Microsoft Graph from that onmicrosoft.com account using the Microsoft.Graph.Identity.DirectoryManagement module.

Running Update-MgDomain -DomainId "clientdomain.com" -AuthenticationType "Managed" severs the trust. Within a few minutes Entra ID reports the domain as Managed and handles authentication itself; poll Get-MgDomain rather than assuming. But the job isn't done. You still have to strip GoDaddy's access. If you cancel the GoDaddy billing while their Delegated Admin relationship is still in place, GoDaddy's automated offboarding process removes the users and detaches the custom domain.

To protect the data, navigate to Settings > Partner relationships in the M365 Admin Center and remove GoDaddy's reseller roles. Then, under Entra ID > Enterprise Applications, delete the "Partner Center Web App" so no API hooks remain. Only then is it safe to log into GoDaddy and cancel the billing.
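The manual route as one script, with the guard rails the steps above imply. This is an added example, not code from the original article or from GoDaddy; it assumes Graph SDK v2, that you sign in as a Global Admin whose UPN is on the tenant's .onmicrosoft.com domain (or any domain other than the one being converted), and that partner-related service principals can be recognised by display name, which is an assumption about naming rather than a documented contract, so the script only lists them unless you pass -RemovePartnerApps and confirm each deletion.

```powershell
# Added example (not from the original article): manual defederation with guard rails.
# Run as a script: .\Defederate.ps1 -Domain clientdomain.com
# Assumptions: Graph SDK v2; you sign in as a Global Admin whose UPN is on the tenant's
# .onmicrosoft.com domain (or any domain other than the one being converted); the partner
# service-principal display names matched below are an assumption, review before deleting.
param(
    [Parameter(Mandatory)][string]$Domain,   # the federated custom domain, e.g. clientdomain.com
    [switch]$RemovePartnerApps               # without this switch, partner apps are only listed
)
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Applications

Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.AccessAsUser.All","Application.ReadWrite.All" -NoWelcome

# Guard 1: never run this from an account on the domain being converted. Users on that
# domain cannot sign in again until an admin sets them a password, and that includes you.
$ctx = Get-MgContext
if (-not $ctx.Account -or $ctx.Account.Split('@')[-1] -ieq $Domain) {
    throw "Signed in as '$($ctx.Account)'. Use the .onmicrosoft.com admin, not an account on $Domain."
}

# Guard 2: confirm the domain is verified and actually federated before touching it.
$before = Get-MgDomain -DomainId $Domain -ErrorAction Stop
if (-not $before.IsVerified) { throw "$Domain is not verified in this tenant." }
if ($before.AuthenticationType -ne 'Federated') {
    Write-Host "$Domain is already $($before.AuthenticationType); nothing to convert."
    return
}

# Record the trust you are about to sever (issuer, passive endpoint, protocol) for the change log.
Get-MgDomainFederationConfiguration -DomainId $Domain |
    Select-Object DisplayName, IssuerUri, PassiveSignInUri, PreferredAuthenticationProtocol |
    Format-List

# The cut itself.
Update-MgDomain -DomainId $Domain -AuthenticationType 'Managed' -ErrorAction Stop

# Verify rather than assume: poll until Entra ID reports Managed, with a hard deadline.
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 15
    $state = (Get-MgDomain -DomainId $Domain).AuthenticationType
    Write-Host "$(Get-Date -Format HH:mm:ss)  $Domain authenticationType = $state"
} while ($state -ne 'Managed' -and (Get-Date) -lt $deadline)
if ($state -ne 'Managed') {
    throw "$Domain did not report Managed within 10 minutes. Investigate before running password resets or touching billing."
}

# Partner-side residue: list service principals that look reseller-related. Matching is
# client-side on display name and is an assumption about naming; -Confirm prompts per object.
$partnerApps = Get-MgServicePrincipal -All |
    Where-Object { $_.DisplayName -match 'Partner Center|GoDaddy' }
$partnerApps | Select-Object DisplayName, AppId, Id, ServicePrincipalType | Format-Table -AutoSize
if ($RemovePartnerApps) {
    foreach ($sp in $partnerApps) {
        Remove-MgServicePrincipal -ServicePrincipalId $sp.Id -Confirm:$true
    }
}
```

The script deliberately stops short of the reseller relationship itself: removing GoDaddy's Delegated Admin roles is still the Settings > Partner relationships step in the admin center, and the password resets are the separate loop under RMM & Automation Tips. Run it in that order, and only then cancel billing.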


RMM & Automation Tips

Handling a 50-user password reset manually is a nightmare. Prepare a CSV file before the cutover with UserPrincipalName and NewPassword columns, and treat that file as a secret: it holds every user's initial credential in clear text.

Use a PowerShell script on your management machine to loop through the CSV and force the resets the moment the domain becomes managed.

PowerShell

Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.AccessAsUser.All"   # sign in as the .onmicrosoft.com admin
Import-Csv "C:\temp\passwords.csv" | ForEach-Object {
    $row = $_                                # keep the CSV row; $_ is the error record inside catch
    $PasswordProfile = @{
        Password                      = $row.NewPassword
        ForceChangePasswordNextSignIn = $true   # the CSV value is a one-time credential only
    }
    try {
        Update-MgUser -UserId $row.UserPrincipalName -PasswordProfile $PasswordProfile -ErrorAction Stop
        Write-Host "Reset: $($row.UserPrincipalName)"
    } catch {
        Write-Warning "Failed: $($row.UserPrincipalName) - $($_.Exception.Message)"
    }
}

Store the credential list in your IT documentation vault, not in a PSA ticket body, distribute it to the site managers over a channel you trust, and delete the CSV once everyone has signed in; with the forced change on first sign-in, the values are dead after that anyway.


Troubleshooting & Edge Cases

  • Edge Case 1: Multiple Domains. You can move multiple domains out of a GoDaddy account, but you cannot merge them into a single, pre-existing M365 tenant during this process. GoDaddy creates a 1:1 tenant mapping. If the client bought two domains on GoDaddy, they live in two separate tenants. You'll have to use a third-party tool like BitTitan to migrate the mailboxes and consolidate them later.
  • Edge Case 2: The Proofpoint Trap. GoDaddy's Advanced Email Security add-on is Proofpoint Essentials, and after you defederate the MX records may still point to mx1-us1.ppe-hosted.com. Cancel the GoDaddy subscription in that state and mail flow dies instantly. Before you pull the plug, point the MX records back at Exchange Online Protection: the host is of the form [domain-with-dashes].mail.protection.outlook.com, and the exact value is shown under Settings > Domains in the admin center.
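A quick check for that trap before anything is cancelled, added here as an example and not part of the original article. It resolves the domain's MX records with Resolve-DnsName (Windows DnsClient module) and classifies each host; the classification only knows the two hosts discussed above, so anything else is flagged for manual review rather than guessed at. The first call below uses constructed input to show the failing case without touching DNS.

```powershell
# Added example (not from the original article): classify the domain's MX records before
# you cancel anything. Resolve-DnsName comes from the Windows DnsClient module; the table
# only knows the two hosts discussed above, everything else is flagged for manual review.
function Get-MxClassification {
    param([Parameter(Mandatory)][string[]]$Hosts)   # MX exchange hostnames, lowest preference first
    foreach ($h in $Hosts) {
        $route = switch -Regex ($h.ToLowerInvariant()) {
            '\.ppe-hosted\.com$'                { 'Proofpoint Essentials (GoDaddy Advanced Email Security): dies with the GoDaddy subscription' }
            '\.mail\.protection\.outlook\.com$' { 'Exchange Online Protection: survives the move' }
            default                             { 'Unknown route: verify by hand before cutover' }
        }
        [pscustomobject]@{ Host = $h; Route = $route }
    }
}

function Test-MxReadyForCutover {
    param([Parameter(Mandatory)][string]$Domain)
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
        Where-Object { $_.Type -eq 'MX' } |
        Sort-Object Preference
    $classified = Get-MxClassification -Hosts ($mx | ForEach-Object NameExchange)
    $classified | Format-Table -AutoSize
    # Safe only if the lowest-preference record already lands on EOP.
    $classified[0].Route -like 'Exchange Online Protection*'
}

# Constructed input (not a live lookup) showing the trap: Proofpoint still first in line.
Get-MxClassification -Hosts 'mx1-us1.ppe-hosted.com','mx2-us1.ppe-hosted.com' | Format-Table -AutoSize

# Live check (Windows, needs DNS): returns $true only when it is safe to cancel.
# Test-MxReadyForCutover -Domain 'clientdomain.com'
```

Remember that public DNS is cached: after you change the MX records, re-run the live check from a resolver outside the client's network and wait for the old TTL to expire before cancelling.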