Defederating from GoDaddy....things a hair different

YeOldeStonecat

Onboarding a new big electrical contractor...their prior IT guy had them set up with GoDaddy for 365. Ugh.
Oversubscribed just a couple of Biz Std licenses to different users...with those other users being on essentials licenses.
Also essentials licenses for email archives for each user... //huh?

GoDaddy never setup the DKIM or DMARC records, plus left all of the webmail, mail, pop, smtp, imap records for secureserver.net

The usual steps set up by Nick from TMinus that many people followed for years, PowerShell ....changed a bit since those prior languages were deprecated. Need to do in PowerShell via Graph now.
Link to latest way...

I ended up still having weird errors doing the above copy/paste....doing some Google Fu...CoPilot led me to just 4x lines...

...Launch PowerShell as admin

Install-Module Microsoft.Graph.Identity.DirectoryManagement -Force

Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"

Get-MgDomain | Select Id, AuthenticationType

Update-MgDomain -DomainId "yourdomain.com" -Authentication Managed

...(in last line above, replace YOURDOMAIN.COM with actual domain...keep within the quotes)

*************************
After the commands above have been run (you can confirm that the domain was defederated by running Get-MgDomain | Select Id, AuthenticationType and looking at the output)....the next steps are to wait for the process to cook. Eventually admin web pages will be able to be opened up. You were always able to get into portal.azure.com but now you can get to all the normal ones, admin.microsoft.com, Defender portal, Intune portal, Exchange, etc etc.
User accounts must have their passwords changed. From the admin side, you CAN go in and just paste in their prior passwords if you're happy with them. Else take this as a chance to make users' passwords more complex. If they try to log in, they will be presented with a password change page. But you can overrule that from the admin side so I document users' credentials before doing the defed steps.

Some computers may require signing out of office apps and back in again. More likely if you're doing license upgrades too. But quick enough to settle in.
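Added example, not from the original post: the same four-step procedure as a single script that snapshots every domain first, only touches domains Graph reports as Federated, prompts before each change, and then polls until the domain reads Managed (the same Get-MgDomain check the post uses to confirm). Assumes the Microsoft.Graph.Identity.DirectoryManagement module is already installed and the signed-in account is a Global Administrator; the ten-minute polling window is an assumption.

```powershell
# Added example (not the original poster's code): defederate every federated,
# verified domain in the tenant via Microsoft Graph PowerShell, then verify.
# Assumes Microsoft.Graph.Identity.DirectoryManagement is installed.
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"

# Snapshot before touching anything; keep this output with your change record.
$before = Get-MgDomain | Select-Object Id, AuthenticationType, IsVerified
$before | Format-Table -AutoSize

$federated = $before | Where-Object { $_.AuthenticationType -eq 'Federated' -and $_.IsVerified }
if (-not $federated) {
    Write-Host "No federated domains found; nothing to do."
    return
}

foreach ($d in $federated) {
    # -Confirm prompts per domain so a typo cannot flip the wrong domain silently.
    # Full parameter name used here; the post's -Authentication is a prefix of it.
    Update-MgDomain -DomainId $d.Id -AuthenticationType Managed -Confirm

    # Poll until Graph reflects the change (usually quick, but not instant).
    $deadline = (Get-Date).AddMinutes(10)   # assumed window, adjust to taste
    do {
        Start-Sleep -Seconds 15
        $state = (Get-MgDomain -DomainId $d.Id).AuthenticationType
        Write-Host ("{0}: {1}" -f $d.Id, $state)
    } while ($state -ne 'Managed' -and (Get-Date) -lt $deadline)

    if ($state -ne 'Managed') {
        # This PowerShell session is your only admin context until passwords are
        # reset, so do not close it while a domain is still in flight.
        Write-Warning "$($d.Id) still reports $state after the polling window; keep this session open."
    }
}

# Final check, same query the post uses to confirm the result.
Get-MgDomain | Select-Object Id, AuthenticationType
```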
 
I still hate that process, because as soon as you push that button... the powershell context you're in is the only admin context in the entire estate until you get your admin account password reset.

Microsoft should have slammed the door in Godaddy's face on this...
 
Microsoft should have slammed the door in Godaddy's face on this...
I'm glad there at least IS a process, but because I only run up against this a couple of times per year, I still hold my breath through the whole thing. There is absolutely NO benefit to the user being locked into their attempt at a walled garden. Lower security, higher prices, support wait times, clunkier processes for anything they let the user do, stupid 10GB email plans, I'm sure there are others. At least their support seems to be competent once you get them, still - such a disappointment when talking to a new prospect and they say "Our email is with GoDaddy!" - like they think it's the best choice.
 
Yeah I lay in several GA accounts before starting the process. Set up MFA on them ahead of time before the defed steps, and change their passwords once the defed steps are completed but I am STILL logged in with the first GA account and in PowerShell.
 
I have 1x user left to get set up with the MS Auth app on their phone. And then I started kicking in conditional access 'n cranking up Defender settings, some attack surface reduction, and crank in other security best practices to get up to our standard. We guarantee to our clients on our managed plans with our 365 security management line item...a minimum of 75 on their secure score.

Here is the secure score right now of a defederated duhdaddy tenant....

godaddyscore.jpg
 
And..2nd GoDaddy defed tenant I did in the past 2 weeks...both of them still had the SkyKick migration account as Global Admin....Active....with the app still in place.
I always demote and disable any account created for migration tools...after the migration is done. And remove its enterprise app.
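Added example, not from the original post: a post-migration audit that lists Global Administrator members and any enterprise apps whose name looks like a migration tool, plus a helper that demotes and disables one account once you have confirmed it is a leftover. Assumes the Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions and Microsoft.Graph.Applications modules are installed; the name pattern and the example UPN are constructed placeholders.

```powershell
# Added example (not the original poster's code): audit Global Admins and
# migration-tool enterprise apps after a migration, then retire one account.
Import-Module Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Users,
              Microsoft.Graph.Users.Actions, Microsoft.Graph.Applications

Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.ReadWrite.All", "Application.Read.All"

# Global Administrator is the activated directory role with this well-known template id.
$gaTemplate = '62e90394-69f5-4237-9190-012177145e10'
$gaRole = Get-MgDirectoryRole -Filter "roleTemplateId eq '$gaTemplate'"

# Role members come back as generic directory objects; the UPN sits in AdditionalProperties.
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id | ForEach-Object {
    [pscustomobject]@{
        Id   = $_.Id
        Upn  = $_.AdditionalProperties['userPrincipalName']
        Type = $_.AdditionalProperties['@odata.type']
    }
}
"Global Administrators:"; $members | Format-Table -AutoSize

# Enterprise apps whose display name suggests a migration tool (constructed pattern).
$pattern = 'skykick|migrat'
"Enterprise apps matching '$pattern':"
Get-MgServicePrincipal -All | Where-Object { $_.DisplayName -match $pattern } |
    Select-Object Id, DisplayName, AccountEnabled | Format-Table -AutoSize

# Demote and disable one account after you have confirmed it is a leftover.
function Disable-MigrationAdmin {
    param([Parameter(Mandatory)][string]$Upn)
    $user = Get-MgUser -UserId $Upn
    if ($members.Id -contains $user.Id) {
        Remove-MgDirectoryRoleMemberByRef -DirectoryRoleId $gaRole.Id -DirectoryObjectId $user.Id
    }
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    # Revoke refresh tokens so the disabled state bites immediately, not at token expiry.
    Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
}
# Usage (placeholder UPN): Disable-MigrationAdmin -Upn 'skykick-migration@yourdomain.com'
```

Removing the enterprise app itself is a separate step (Remove-MgServicePrincipal on the Id listed above) that this script deliberately only reports on, so you can check what the app is still wired to first.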
 
The key words here are "several years", scores trend downward with time as requirements increase due to the endless march of things.

Based on what you're saying, I'd expect things defederated several years ago would have lower scores today than they did the day of defederation. I didn't look in 2023, but the current score for the one I reference is approximately 3 times higher than that of the one shown by @YeOldeStonecat (which I presume was recently defederated, but if not . . .).

My comment was one of surprise that a freshly defederated M365 tenant would have a score all the way down at 16%. "The defaults" should have a higher score than that.
 
Based on what you're saying, I'd expect things defederated several years ago would have lower scores today than they did the day of defederation. I didn't look in 2023, but the current score for the one I reference is approximately 3 times higher than that of the one shown by @YeOldeStonecat (which I presume was recently defederated, but if not . . .).

My comment was one of surprise that a freshly defederated M365 tenant would have a score all the way down at 16%. "The defaults" should have a higher score than that.
The defaults are much higher, but Godaddy doesn't use defaults. Also, it's possible the score was taken before the MFA settings were settled. Or someone weakened it beforehand... that happens too sometimes.
 
I just don't understand why MS even allows setups that would score that low. I get that some setups "require" (likely to placate vendors who won't fix their software) lower security to work, but that has to be a small slice of the total, doesn't it? The whole concept of gamifying security like they have done seems......I don't know.....just dumb?

The current setup is insecure by default and requires work to make it more secure. It should be completely the opposite. Secure by default and requires work to make it insecure if necessary!
 
I just don't understand why MS even allows setups that would score that low. I get that some setups "require" (likely to placate vendors who won't fix their software) lower security to work, but that has to be a small slice of the total, doesn't it? The whole concept of gamifying security like they have done seems......I don't know.....just dumb?

The current setup is insecure by default and requires work to make it more secure. It should be completely the opposite. Secure by default and requires work to make it insecure if necessary!
Because the secure line moves forward, the current state does not. And security is the opposite of usability. Forcing orgs forward means breaking a ton of things.

The license agreement and the operating model of SaaS services also precludes this action. Because identity control falls on the lessee, not the lessor in this case.
 
Because the secure line moves forward, the current state does not.

I believe that what he's saying, and I know what I'm saying, is that in "straight out of the box" state Microsoft should be making certain that a tenant is "reasonably secure": Not locked down tight as a drum nor wide open. They can do this.

What the lessee does as far as ratcheting security up/usability down is their call. But Microsoft can, and should be, moving security levels along with that line for "newly issued" tenants. They cannot, of course, touch what a lessee might choose to modify after the lease is already extant, nor should they.
 
I believe that what he's saying, and I know what I'm saying, is that in "straight out of the box" state Microsoft should be making certain that a tenant is "reasonably secure": Not locked down tight as a drum nor wide open. They can do this.

What the lessee does as far as ratcheting security up/usability down is their call. But Microsoft can, and should be, moving security levels along with that line for "newly issued" tenants. They cannot, of course, touch what a lessee might choose to modify after the lease is already extant, nor should they.
They do, it's called Security Defaults.
 