Office 365 Tenant to Tenant Migration: Domain removal techniques

Migration of domain(s) from one tenant to another in Office 365 is a central point of ‘preserve domain’ T2T migration type. This is step you want to make as quick as possible, because it is time you users are unable to logon to Office 365 service (if vanity domain was used in UPN) and unable to receive emails to their mailboxes.

In theory it is all looking nice and easy – you just need to remove the vanity domain from UPNs and remove all email addresses containing the domain, then you release domain from old tenant and verify it on new one. That, however, sometimes looking very differently in practice. First of all there are some constraints you need to consider:

  1. It is not possible to remove email addresses from Office 365 Groups. That is by design – even you can play with Set-UnifiedGroup command, the email will not be deleted from Azure. Only option is to remove whole group in order to be able to release the domain.
  2. Azure Web Apps configured with vanity domain will prevent this domain from removal from the tenant – Configuring a custom domain name for a web app in Azure App Service using Traffic Manager.
  3. Subdomain email addresses must be also removed. Say you removing from your tenant, however some of your mail contacts have email address of, it is possible even without having subdomain to be verified on the tenant. In order to release vanity domain, you must remove such email addresses too.

Also, in AAD Connect scenario, you must disable synchronization in order to be able to start removal of email addersses – Turn off directory synchronization for Office 365.

Once disabled, you can proceed with removal:

  1. Change user UPNs to Always do that step first, before starting removal of email addresses. The step can be easlily automated.
  2. Remove email addresses containing vanity domain from user mailboxes, mail users, groups. Again there are scripts on the internet that allow you automated removal.
  3. Usually, first two steps should be enough to get the domain released, so you just go to the O365 Admin Portal and try to remove domain. That step will show you if there are any objects, that still containing email addresses. If you see only aliases in the list, you can proceed with removal as system will strip these aliases for you. If you see UPNs, Primary SMTP addresses or groups – then removal will fail.

Now, if the domain was successfully removed only thing you need to do is to verify it on another tenant and proceed with rest of your migration, however sometimes you may find that there are still objects preventing you to release domains. Most common issues I see in practice:

  • Unable to remove email address from MailUser who have no mailbox. You trying to remove the email address from EAC or PowerShell, command completes successfully, but email address is still not removed. In case you are not able to remove the user completely only option is to assign ExO license to this user – when done, you will be able to remove email address and reclaim the license back.
  • Unable to find account preventing release of the domain. Sometimes command Get-MsolUser -Domainname <domain_name> will not return you any user, however it seems that you still have some users keeping domain from deletion. If this is your case, following command do better job: Get-MsolUser -All | where {$_.ProxyAddresses -like “*”}

If you have any concerns about this, just let us know – we are keen to provide you advice and guidance on it.

Office 365 PowerShell connection script

If you working with Office 365 PowerShell on daily basis, you may find that it is taking too much time to connect your Office 365 console, especially if you working with multiple tenants. You have to note usernames, passwords for all of the tenants and copy/paste them every time you want to make connection. Below you will find description, how to make it “single command” task.

Because that script will give access to your tenant without typing any username/password, I would suggest that you should not implement that on any public machine. Make sure that you are only person who can execute connection script.

OK, let’s start.

First of all we need to create addition file where encrypted tenant’s password will be stored. As an example create directory “O365Connections” on your C: drive and then create folder “keys” in it.

Start PowerShell prompt and type following command:

Read-Host -Prompt "Enter your tenant password" -AsSecureString | ConvertFrom-SecureString | Out-File "C:\O365Connections\keys\tenant1.key"

Continue reading

Unable to retrieve Free/Busy information for some Office 365 mailboxes. Event ID: 4002; Source: MSExchange Availability;


If you running Hybrid Environment or just trying to share free/busy information between your on-premise Exchange Organization and Office 365 you may experience that free/busy information for some mailboxes which were recently moved to O365 is not available. Please note that problem does not affect free/busy from on-premise to O365, if you cannot get free/busy for on-premise mailboxes – it must be another issue.

In addition you may see error similar to following in Application Event Log of your Hybrid server:

Event 4002, MSExchange Availability
Process 4192: ProxyWebRequest FederatedCrossForest from S-0-0-00
-0000000000-0000000000-000000000-0000 to https://server_name.outl failed. Caller SIDs: WSSecur
ity. The exception returned is Microsoft.Exchange.InfoWorker.Comm
on.Availability.ProxyWebRequestProcessingException: System.Web.Se
rvices.Protocols.SoapException: An internal server error occurred
. The operation failed.

Continue reading

How to get services.wsdl for Office 365?

In case you looking for downloading services.wsdl for Office 365 possible that you may find that is  not so straightforward.

In general services.wsdl usually located on URL:

https://server_name/ews/services.wsdl but

How to determine actual server for Office 365 mailbox?

On internet you may find such kind of solution:

— Login to your e-mail account using Outlook Web App (OWA).
— Click Options > See All Options > Account > My Account > Settings for POP, IMAP, and SMTP access.
— In the list of entries, locate the server name

In fact it is not exactly correct, because name you will see there is – which is global alias and does not pointing to actual server:
Continue reading