Many small and mid-sized organizations purchase Microsoft 365 through GoDaddy because it offers a simple bundle that includes domain registration, email hosting, and Office applications.
When Microsoft 365 is purchased through GoDaddy, the tenant is typically federated. This means GoDaddy controls authentication, licensing management, and certain administrative functions within the tenant.
While this setup works initially, it limits your ability to:
-
Apply advanced security policies
-
Implement Conditional Access and MFA strategies
-
Purchase or modify licensing freely
-
Work directly with Microsoft support
-
Fully control your tenant configuration
To regain full control, organizations must defederate their Microsoft 365 tenant from GoDaddy, converting it into a standard Microsoft-managed tenant.
As a Managed Service Provider (MSP) with deep experience in Microsoft 365 migrations, Boston Managed IT has helped many organizations successfully remove GoDaddy federation and restore full administrative control.
This guide walks through the safe and current process as of early 2026, including critical precautions to avoid downtime or data loss.
Why Defederate Microsoft 365 from GoDaddy?
Defederating your tenant provides several important benefits.
Full Administrative Control
You regain full Global Administrator access to the Microsoft 365 tenant.
Security Improvements
You can implement enterprise-grade security features such as:
-
Multi-Factor Authentication (MFA)
-
Conditional Access
-
Identity Protection
-
Device compliance policies
Licensing Flexibility
You can purchase licenses:
-
Directly from Microsoft
-
Through a Cloud Solution Provider (CSP)
-
Through your MSP
This allows you to optimize licensing costs and plans.
Direct Microsoft Support
Once GoDaddy is removed, you can contact Microsoft support directly rather than going through GoDaddy’s support channels.
Prevent Destructive Offboarding Scripts
If you cancel GoDaddy’s Microsoft 365 subscription before removing delegated admin access, GoDaddy may run an automated offboarding script that can:
-
Delete users
-
Remove your primary domain
-
Break tenant access
Because of this risk, the order of operations is extremely important.
Pre-Defederation Checklist
Before beginning the process, confirm the following:
Global Administrator Access
You must have access to a true Global Admin account within Microsoft 365.
DNS Access
You must be able to modify DNS records at your domain registrar.
User Inventory
Prepare a list of:
-
All users
-
Their assigned licenses
-
Their email addresses
Password Plan
After defederation, all user passwords must be reset.
Plan either to:
-
Assign temporary passwords, or
-
Collect new passwords in advance.
Email Security Services
Determine whether GoDaddy is providing any email filtering service such as:
-
Proofpoint
-
Mimecast
-
Barracuda
If so, your MX records must be updated after the migration.
High-Level Defederation Steps
The full defederation process consists of the following phases.
Step A — Prepare users
Step B — Obtain Global Admin access
Step C — Convert the domain from Federated to Managed
Step D — Reset user passwords
Step E — Add licensing through Microsoft or a CSP
Step F — Update DNS and email security settings
Step G — Remove GoDaddy delegated admin and enterprise applications
Step H — Cancel the GoDaddy Microsoft 365 subscription
Step A — Prepare Your End Users
Defederating the tenant forces every user to sign out and reset their password.
To avoid disruption:
-
Inform users ahead of time.
-
Schedule the change during non-business hours.
-
Provide instructions for signing back into Microsoft applications.
Users may need to reauthenticate in:
-
Outlook
-
Microsoft Teams
-
OneDrive
-
Office desktop applications
Typical sign-in steps:
File → Account → Sign Out → Sign In again.
Email flow will not be interrupted, but users will experience authentication prompts.
Step B — Obtain True Global Administrator Access
When Microsoft 365 is provisioned through GoDaddy, the primary admin account often lacks full Global Admin rights.
You must access the native Microsoft tenant administrator account.
Steps:
-
Sign into
portal.azure.com -
Open Microsoft Entra ID (Azure Active Directory).
-
Navigate to:
Users → All Users
-
Locate the built-in admin account that ends with:
tenantname.onmicrosoft.com
-
Reset the password for that account.
-
Sign in at:
office.com
-
Set a permanent password.
This account now has full permissions required to run the defederation commands.
Step C — Remove Federation from the Domain
Before running these commands, ensure that password reset plans are ready.
Users will not be able to authenticate until passwords are reset.
Install Microsoft Graph PowerShell
Install-Module Microsoft.Graph -Scope CurrentUser
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Connect to Microsoft Graph
Connect-MgGraph -Scopes "Domain.ReadWrite.All","Directory.AccessAsUser.All"
Check Current Domain Authentication
If the output shows Federated, the tenant is still controlled by GoDaddy.
Convert the Domain to Managed
If your tenant contains multiple domains, each domain must be converted to Managed authentication.
Verify the Change
Run:
Get-MgDomain | Select Id,AuthenticationType
The domain should now display:
Step D — Reset User Passwords
Once the domain becomes managed, users cannot authenticate until passwords are reset.
There are two approaches.
Option 1 — Reset via Admin Portal
-
Sign in to
admin.microsoft.com -
Go to:
Users → Active Users
-
Select a user.
-
Click Reset Password.
This method works for small organizations.
Option 2 — Bulk Reset with PowerShell
For larger tenants, create a CSV file:
Example:
UserPrincipalName,NewPassword
alice@company.com,TempPassword123!
bob@company.com,TempPassword123!
Use PowerShell with Microsoft Graph to loop through users and apply the new password.
Users can be forced to change their password at the next sign-in.
Step E — Add a CSP Provider or Purchase Licenses
After defederation, licenses are no longer supplied by GoDaddy.
You must obtain licenses either through:
Option 1 — Cloud Solution Provider (CSP)
Accept a partner relationship with a CSP or MSP.
The CSP can:
-
Provision licenses
-
Manage billing
-
Provide support
Option 2 — Direct Purchase from Microsoft
Licenses can be purchased directly in the Microsoft Admin portal:
Billing → Purchase Services
After purchasing, assign licenses to users in:
Users → Active Users
Remove any legacy GoDaddy licensing assignments.
Step F — Review Email Security and Update DNS
Some GoDaddy plans include email security services that route mail through external filters.
Common examples include:
-
Proofpoint
-
Mimecast
-
Barracuda
If your MX records point to these services, they must be replaced with Microsoft’s MX record.
Check Current MX Records
Review your domain’s DNS zone.
Look for records pointing to external filtering services.
Obtain Microsoft MX Record
Go to:
admin.microsoft.com
Settings → Domains
Locate the MX record provided for your tenant.
Update DNS
Replace the existing MX records with the Microsoft record.
Remove any additional filtering MX records unless you intend to continue using a third-party gateway.
DNS propagation can take 24–48 hours.
Step G — Remove GoDaddy Delegated Admin Access
This step is critical.
If you cancel the GoDaddy subscription before removing delegated admin access, GoDaddy may run an offboarding automation that deletes users and removes the domain.
Remove GoDaddy Partner Access
-
Go to the Microsoft 365 Admin Center.
-
Navigate to:
Settings → Partner Relationships
-
Select GoDaddy.
-
Remove all delegated admin roles.
Remove the GoDaddy Enterprise Application
GoDaddy also installs an Azure Enterprise Application called:
Partner Center Web App
To remove it:
-
Go to
entra.microsoft.com -
Navigate to:
Enterprise Applications
-
Search for:
Partner Center Web App
-
Open Properties.
-
Click Delete.
This step prevents GoDaddy from performing automated changes after the tenant is unfederated.
Step H — Cancel the GoDaddy Microsoft 365 Subscription
Once all prior steps are completed:
-
Domains are managed
-
Passwords are reset
-
Licenses are reassigned
-
Delegated admin access is removed
You can safely cancel the GoDaddy Microsoft 365 subscription.
Log into the GoDaddy billing portal and disable renewal for the Microsoft 365 service.
Cancelling the Microsoft 365 subscription does not affect your domain registration.
Your domain will remain active.
Frequently Asked Questions
Will I lose email or Teams data?
No.
Defederation does not delete mailboxes, Teams data, or SharePoint content.
Can SharePoint URLs be renamed after migration?
Yes.
Microsoft now supports renaming SharePoint site URLs.
How long does the process take?
The technical process typically takes 60–90 minutes.
DNS changes may take 24–48 hours to fully propagate.
Can I federate to another identity provider afterward?
Yes.
After defederation, the tenant can later be federated with providers such as:
-
Okta
-
Azure AD B2B
-
Other identity providers
Conclusion
Defederating Microsoft 365 from GoDaddy restores full control of your tenant and enables modern security, licensing flexibility, and direct Microsoft support.
Although the process involves several steps, following the correct sequence prevents downtime and protects your tenant from destructive automation scripts.
Boston Managed IT regularly assists organizations with Microsoft 365 tenant recovery, licensing optimization, and security hardening. With proper preparation, defederation can be completed safely and efficiently.
