How to take over an unmanaged directory as administrator in Microsoft Entra ID (previously Azure Active Directory)
There are two ways to take over a DNS domain name in an unmanaged directory in Microsoft Entra ID. A self-service user, upon signing up for a cloud service that uses Microsoft Entra ID, is automatically added to an unmanaged Microsoft Entra directory corresponding to their email domain. The two ways to perform this action are:
- Internal admin takeover: You are added as the global administrator of the unmanaged directory, and no users, domains, or service plans are migrated to any other directory under your administration.
- External admin takeover: The DNS domain name associated with the unmanaged directory is added to your managed Azure directory. A user-to-resource mapping is established within your managed directory, ensuring uninterrupted access to services for users.
Internal admin takeover
Certain products like Microsoft 365, which encompass SharePoint and OneDrive, don't facilitate external takeovers. If you find yourself in such a situation, or if you're an admin seeking to take control of an unmanaged or "shadow" Microsoft Entra organization created by users who used self-service sign-up, you can achieve this through an internal admin takeover.
To perform an internal takeover, follow the below steps:
- Create a user context in the unmanaged directory by signing up for Power BI. (The below steps are based on this assumption for convenience.)
- In the Power BI site, select Start Free . Enter a user account that uses the domain name for the organization. Once you enter the verification code, check your email for the confirmation email.
- Select Yes, that's me in the confirmation email from Power BI.
- Sign into the Microsoft 365 admin center with the Power BI user account.
- You will receive a message that instructs you to Become the Admin of the domain name that was already verified in the unmanaged directory. Select Yes, I want to be the admin .
- Add the TXT record to prove that you own the domain name at your domain name registrar.
- Once these are verified, you can manage the Microsoft Entra organization.
Now, you are the global administrator of the organization in Microsoft 365. Remove it from Microsoft 365 and add it to a different managed organization to integrate the domain name with your other Azure services.
To add the domain name to a managed organization in Microsoft Entra ID,
- In the Microsoft 365 admin center, select the Users tab and create a new user account without the custom domain name. For example, you can use the .onmicrosoft.com domain.
- Ensure that this user account has Global Administrator privileges for the Microsoft Entra organization.
- Go to the Domains tab and select the domain name and select Remove .
- If you have any users or groups that reference the removed domain, they must be renamed to the .onmicrosoft.com domain. Force deleting the domain name automatically renames all users.
- Now, sign into Microsoft Entra admin center as at least a Global Administrator.
- Search for Domain Names in the search box. Click Add custom domain names and add the domain name. You also have to enter the DNS TXT records to verify the ownership of the domain name.
External admin takeover
If you manage an organization with Azure services or Microsoft 365, you can't add a custom domain if it's verified in another Microsoft Entra organization. However, you can take over an unmanaged organization as an external admin takeover through your managed Microsoft Entra ID.
Verifying domain ownership with Microsoft Entra ID transfers the domain from an unmanaged organization to your existing one. External admin takeover follows the DNS TXT validation process like internal admin takeover, but also moves users, subscriptions, and license assignments along with the domain.
External admin takeover is supported by Azure Rights Management and Exchange Online online services. The supported service plans include:
- Power Apps Free
- Power Automate Free
- RMS for individuals
- Microsoft Stream
- Dynamics 365 free trial
It is not supported for any service that has service plans that include SharePoint, OneDrive, or Skype for Business.
Azure AD PowerShell cmdlets for ForceTakeover option:
cmdlet
- connect-mggraph
- get-mgdomain
- new-mgdomain -BodyParameter @{Id="<your domain name>";}
- get-mgdomain
- Get-MgDomainVerificationDnsRecord
- confirm-mgdomain –Domainname <domainname>
- get-mgdomain
Usage
- When prompted, log in to your managed Microsoft Entra ID organization.
- Displays your domain names linked with the current organization.
- Integrates the domain name to organization as 'Unverified' (no DNS verification has been performed yet).
- The domain name is added to the list of domain names linked with your managed organization, but is listed as 'Unverified'.
- Supplies the information to put into new DNS TXT record for the domain (MS=xxxxx). Verification may not occur immediately due to the propagation time of the TXT record, so it is advisable to wait a few minutes before considering the -ForceTakeover option.
- If your domain name remains unverified, you can opt for the -ForceTakeover feature. This verifies the creation of the TXT record and initiates the takeover procedure.
- The -ForceTakeover option should only be applied to the cmdlet in cases where an external admin takeover is necessary, such as when Microsoft 365 services in the unmanaged organization impede the takeover.
- The domain list now displays the domain name as 'Verified'.
About M365 Manager Plus
ManageEngine M365 Manager Plus is a Microsoft 365 reporting, auditing, management and monitoring tool. With M365 Manager Plus, you can:
- Assign tasks to technicians without requiring elevated native privileges.
- Gain better understanding of your Microsoft 365 services with pre-configured reports that can be easily scheduled, exported, and emailed.
- Track all user and admin activities within your Microsoft 365 organization with detailed audit reports.
- Bulk manage tasks such as user creation, deletion, and password resets, and automate them easily.
- Constantly monitor your organization's health and performance.
- Reduce the administrator's workload by delegating custom roles to help desk technicians.
Continuously monitor and manage your Azure AD organizations.
Streamline your Microsoft 365 governance and administration with M365 Manager Plus
Get Your Free TrialRelated Resources
-
Entra ID administration
- How to create custom roles in Microsoft Entra ID
- How to setup SSO in Microsoft Entra ID
- How to configure Conditional Access in Microsoft Entra ID
- What is Microsoft Entra ID?
- What are Microsoft Entra ID administrative units
- How to configure external authentication methods in Microsoft Entra ID
- How to set up self-service group management in Entra ID
- How to takeover unmanaged directory as administrator
- How to change authentication type of subdomain
- What is self-service signup in Entra ID
- Delete a tenant in Microsoft Entra ID
- Manage custom domain names in Microsoft Entra ID
- Multi-tenant organization interaction
-
Entra ID auditing and reporting
-
Entra ID bulk user management
-
Entra ID dynamic groups
-
Entra ID group management
- How to enforce naming policy on Microsoft 365 groups in Entra ID
- How to clean up resources related to all user groups
- How to create basic groups and add members in Entra ID
- Group management cmdlets
- How to add group to another group in Entra ID
- How to delete a group in Entra ID
- How to remove a group from another group in Entra ID
- Check import status
- Edit group settings in Entra ID
- Migrate users with individual licenses to groups
- Restore deleted groups in Microsoft Entra ID
- Set expiration for Microsoft 365 groups in Entra ID
-
Entra ID group membership
- How to utilize Microsoft Entra groups in Entra ID
- How to add group members in Entra ID
- How to add group owners in Microsoft Entra ID
- How to add or remove group member automatically in Entra ID
- How to create group of guest users using native admin center
- How to manage groups and group memberships in Entra ID
- How to remove guests from all user groups in Entra ID
- How to utilize groups and administrator roles in Entra ID
- Add or remove a group from another group in Entra ID
- Bulk group members addition in Entra ID
- Bulk remove group members from Entra ID groups
- How to remove members/owners of a group in Entra ID
-
Entra ID group reports
-
Entra ID license management
- How to automate inactive license management for Entra ID users
- How to change license assignments for user in Entra ID
- How to assign licenses to groups in Entra ID
- How to leverage group-based licensing for optimizing license management in Entra ID
- License assignment troubleshooting
- Assign licenses in Microsoft Entra ID
- Azure AD license membership modification
- Remove licenses in Microsoft Entra ID
- View license plans and details in Microsoft Entra ID
-
Entra ID User management
- How to manage permissions using access reviews in Microsoft Entra ID
- How to restrict guest access permissions in Entra ID
- How to clean up unmanaged Microsoft Entra accounts
- How to assign custom security attributes to users in Entra ID
- How to clean up stale accounts using access reviews
- How to share accounts with Entra ID
- How to update custom security attributes to users in Entra ID
- Add guest users
- Add users to Azure AD
- Assign user roles with Entra ID
- Close user account in an unmanaged Microsoft Entra organization
- How to revoke user access in Microsoft Entra ID using PowerShell
- Microsoft 365 delete users
- Remove custom security attribute assignments from users
-
Entra ID user reports
- How to monitor risky sign-ins in Microsoft Entra ID
- License usage reports in Microsoft Entra ID
- How to get the last logon date of users in Microsoft Entra ID
- How to view Microsoft 365 login attempts using PowerShell and Microsoft Entra ID
- How to report the MFA status for users in Microsoft Entra ID
- How to monitor recently created users in Entra ID
- Track password changes by admins in Microsoft Entra ID
- How to monitor user role changes in Entra ID
- How to track self-service password resets in Microsoft Entra ID
- How to create custom sign-in reports in Entra ID
- How to find deleted users in Entra ID
- How to verify deleted users in Entra ID
- Filter users based on custom security attributes
- Download Microsoft 365 user list
-
Entra ID workbooks
- How to create custom Microsoft Entra ID workbooks
- What are Microsoft Entra ID workbooks
- How to handle privilege escalation in Microsoft Entra ID
- How to monitor risky sign-ins using Microsoft Entra ID workbooks
- How to monitor your Microsoft 365 MFA setup using Entra ID workbooks
- How to audit for app permission threats with Microsoft Entra workbooks
- Conditional Access Gap Analyzer workbook in Microsoft Entra ID
-
Exchange Online administration
- How to change deleted items retention for Exchange Online mailboxes
- How to change the branding of clutter notifications in Exchange Online
- How to configure message delivery restrictions for Exchange Online mailboxes
- How to configure moderated recipients in Exchange Online
- How to create user mailboxes in Exchange Online
- How to enable and disable MAPI for a mailbox in Exchange Online
- How to enable or disable Outlook on the web for a mailbox in Exchange Online
- How to manage mail contacts in Exchange Online
- How to manage permissions for recipients in Exchange Online
- How to manage resource mailbox in Exchange Online
- How to save sent items in a delegators mailbox in Exchange Online
- How to create and edit shared mailboxes in Exchange Online
- How to add or remove email address for a mailbox in Exchange Online
- How to configure email forwarding for a mailbox in Exchange Online
- How to convert a mailbox in Exchange Online
- How to delete or restore user mailboxes in Exchange Online
- How to manage user mailboxes in Exchange Online
-
Exchange Online groups
- Create and manage groups in Exchange admin center in Exchange Online
- How to create and manage distribution list groups in Exchange Online
- How to create and manage dynamic distribution list groups in Exchange Online
- How to create distribution group naming policy in Exchange Online
- How to manage guest access to Microsoft 365 groups in Exchange Online
- How to manage role groups in Exchange Online
- How to override the distribution group naming policy in Exchange Online
- How to view members of a distribution group in Exchange Online
-
Microsoft Teams
-
Public Folders
- Create public folder calendar in Exchange Online
- How to restore deleted public folder in Exchange Online
- How to setup public folders in new organization
- Migrate public folders to Microsoft 365 groups in Exchange Online
- Recover deleted public folder mailbox in Exchange Online
- How to mail-enable and mail-disable public folders in Exchange Online