How to Break Free from GoDaddy 365 Without Losing Your Email or Your Mind

Let’s be real. If you’ve landed here, something in your Microsoft 365 setup isn’t working the way it should.

Maybe you tried turning on MFA and got blocked.
Maybe you're planning a move to Google Workspace, but authentication is getting in the way.
Or maybe you're just tired of being locked out of the admin settings you should already control.

And then you figure it out.
GoDaddy still has your domain federated.

You didn’t ask for that setup.
You didn’t choose "federation."
But now it’s causing problems, and you're stuck with a Microsoft 365 tenant you don’t fully control. GoDaddy is still sitting in the middle.

This guide is here to help you change that.
You’ll learn how to remove GoDaddy’s grip on your domain, step by step, without breaking email, losing user logins, or getting stuck in support limbo.

‍

What “Federated with GoDaddy” Actually Means

When your Microsoft 365 account is set up through GoDaddy, your domain doesn’t connect directly to Microsoft the way a normal setup would. Instead, GoDaddy inserts itself in between. That’s what “federated” means in this case.

Instead of Microsoft handling your login and authentication directly, your users get routed through GoDaddy’s systems first. It’s like having a middleman you didn’t ask for, still holding the keys to your tenant.

Here’s why that matters:

GoDaddy controls how users log in, not Microsoft
They keep delegated admin access, even if you didn’t explicitly give it
You’re limited in what you can change from licenses and users to security settings

You might still have access to parts of the admin portal, but the most important stuff is either blocked, hidden, or handled differently. That’s why basic things like enabling MFA or setting up secure login policies often don’t work.

To make it clearer, here’s a quick side-by-side comparison:

Federated vs. Managed Microsoft 365 Tenant Access

Feature / Control	Federated with GoDaddy	Managed (Direct)
Full control over user logins	No	Yes
Ability to turn on MFA, SSO, or CA	Limited	Full Access
Admin role assignment and customization	Restricted	Yes
Direct license management and billing	GoDaddy-locked	Flexible
Security settings and policies	Partially blocked	Full control
Mail migration or platform switching	Often problematic	Simple

‍

Why You Need to Defederate (Probably Yesterday)

If you’re still on a GoDaddy-federated Microsoft 365 tenant, there’s a good chance it’s already causing problems. Some of them might seem small at first, but they often turn into bigger headaches as your setup grows or changes.

Here are a few signs your current setup is holding you back:

You tried turning on multi-factor authentication, but it’s blocked or half-working
You want to set up Conditional Access, but the options you need are missing
You can’t manage DNS records, licenses, or billing the way you expect
You're planning a migration to Google Workspace or another setup, but GoDaddy is getting in the way

These are more than just annoying admin limits. They create real risks.

Here’s what’s really at stake:

Security exposure: GoDaddy keeps delegated access to your tenant, even after you think you’re managing things yourself. That means a third party still has backend access to your Microsoft environment.
Mail flow disruption: If you change DNS records or try to migrate without defederating first, email delivery can break. Users may get locked out or start missing messages.
Backup limitations: Some backup tools don’t work properly with federated tenants. You might not even notice until it’s too late and something needs to be restored.
Data portability: If you ever want to switch providers or move your domain, a federated setup will slow everything down and make the process riskier.

Most of these issues don’t show up until you try to make a change like switching platforms, improving security, or scaling up your team. And by then, untangling the setup becomes a much bigger job.

‍

Who Should Definitely Be Doing This

Not sure if defederating is worth the effort? If you fall into one of the groups below, it’s not just worth it, it's probably urgent.

1. SMB IT Admins

You’re the one responsible for keeping things secure and running smoothly. But right now, you’re stuck with a setup you don’t fully control. If you’ve ever said, “Why can’t I just turn this on?” this is for you.

2. Freelancers and MSPs

You’ve picked up a new client, and the first thing you notice is a GoDaddy-tied tenant that won’t let you do anything useful. Before you can even secure their data or plan a migration, you’ve got to clean up the mess. Defederation is your first real step forward.

3. Founders and Scaling Startups

GoDaddy’s package made sense when you were just getting started. Now that your team is growing and your tech stack is evolving, those shortcuts are turning into roadblocks. You need full access to manage your environment properly.

4. Security-Focused Organizations

If you take data protection seriously whether for internal reasons or compliance you can’t afford to leave a third party like GoDaddy with backend access. Removing that connection is a necessary step in locking down your environment.

5. Teams Migrating to Google Workspace

You’re ready to switch platforms, but nothing moves until you get authentication and DNS untangled. GoDaddy’s federation setup is going to stall or break your migration unless it’s handled first.

‍

The Straightforward Defederation Process

This is the part you came for how to actually remove GoDaddy from your Microsoft 365 setup. We’ll walk through it in plain language, with optional PowerShell steps for the folks who need them.

Don’t worry if you’re not super technical. These steps are straightforward, and you don’t need to be a PowerShell wizard to follow along.

Step 1: Check if Your Domain Is Federated

Before you do anything else, check your domain’s authentication status.

If you’re comfortable using PowerShell, run this:

Get-MsolDomain | Where-Object {$_.Authentication -eq "Federated"}

If the result shows your domain as “Federated,” you’re still connected to GoDaddy.

Prefer to stay in the admin center? You can also head to Microsoft 365 Admin Center > Settings > Domains, select your domain, and look for “Federated” under authentication method.

Step 2: Install Microsoft Graph PowerShell (If Needed)

If you haven’t used Microsoft Graph PowerShell before, install it with this command:

Install-Module Microsoft.Graph -Scope CurrentUser

Once installed, connect to your tenant:

Connect-MgGraph -Scopes "User.ReadWrite.All","Directory.ReadWrite.All"

For most setups, this will give you enough access to run the defederation command. You can also follow Microsoft’s official Graph PowerShell install guide if you need a deeper walkthrough.

Step 3: Run the Defederation Command

This is the actual command that tells Microsoft to stop using GoDaddy as your domain’s identity provider:

Set-MsolDomainAuthentication -DomainName yourdomain.com -Authentication Managed

Make sure to replace yourdomain.com with your actual domain.

If you have more than one federated domain, you’ll need to run this command for each one.

Step 4: Remove GoDaddy’s Delegated Admin Access

Defederation stops GoDaddy from handling authentication, but it doesn’t always remove their backend access. You need to revoke delegated admin rights too.

To do that:

Go to the Microsoft 365 Admin Center
Open Settings > Partner Relationships
If you see GoDaddy listed there, click into it and remove the delegated access

This step is important. Even after defederation, GoDaddy may still have elevated permissions unless you remove them manually.

Step 5: Replace DNS Records

Now it’s time to clean up your DNS. GoDaddy’s DNS records are tailored for their federation setup, so you’ll want to replace them with standard Microsoft records.

You can find Microsoft’s default DNS settings here:

Here’s a quick comparison to guide you:

Record Type	GoDaddy Setup (Federated)	Microsoft 365 Setup (Managed)
MX	Points to GoDaddy relay	Points to Microsoft (e.g. domain.mail.protection.outlook.com)
CNAME	Often custom GoDaddy URLs	Standard Microsoft entries
SPF	Includes secureserver.net	Includes only Microsoft senders

Make sure your DNS provider (whether it’s still GoDaddy or somewhere else) reflects the new records. This is what allows mail flow, Teams, and other services to work properly.

Important: If you skip this part or do it out of order, mail can stop flowing and user logins may break. Double-check each record before moving on.

‍

Post-Defederation Cleanup (Don’t Skip These)

Defederation isn’t the finish line. Once you’ve removed GoDaddy as the identity provider and cleaned up DNS, there are still a few things you’ll want to check.

These steps make sure everything runs smoothly and that GoDaddy is fully out of the picture.

1. Reset All User Passwords

GoDaddy’s system handled authentication before. Now that you’ve switched to direct Microsoft login, all users should reset their passwords. This ensures that their credentials are now being verified through Microsoft only.

You can reset them yourself or prompt users to do it at next login.

2. Check License Status

If you were using GoDaddy-purchased licenses, they might stop working soon often within a few days of defederation. Users could suddenly lose access to email, OneDrive, or Teams without warning.

Make sure each user has a valid Microsoft 365 license assigned under your new CSP or direct tenant. This is a good time to review your license count and switch to a model that fits your current needs.

3. Fix Mail Connectors and Integrations

If you had connectors or security services like Proofpoint, Mimecast, or spam filters set up through GoDaddy, they might rely on the old authentication or DNS setup.

Revisit each connector and make sure it's still routing mail as expected. In some cases, you’ll need to reconfigure smart hosts, SPF records, or IP whitelists to reflect your updated mail flow.

4. Test Everything

Don’t assume things are fine just because the admin panel looks good. Run a simple checklist:

Can all users log in?
Is MFA working?
Can they send and receive emails?
Are calendar invites, Teams messages, and file sharing functional?

Test from multiple user accounts and devices if possible. This is where most issues show up.

5. Double-Check That GoDaddy Is Really Gone

Sometimes, delegated access or service hooks from GoDaddy can stick around even after defederation.

Do a final audit:

Go to Microsoft 365 Admin Center > Partner Relationships
Check for any remaining GoDaddy entries and remove them
Review admin roles and service principals to confirm nothing unusual is left behind

If you still see GoDaddy listed anywhere with access or control, clean it up before moving on.

‍

Special Scenarios You Should Know About

Defederating your GoDaddy-connected domain is usually a smooth process, but there are a few specific situations that can catch people off guard. If any of these apply to you, take a minute to read through them before making changes.

1. Managing Multiple Federated Domains? You’ll Need to Defederate Each One

If your tenant has more than one domain and all of them were set up through GoDaddy, each one needs to be defederated individually. Running the defederation command on one domain doesn’t affect the others.

Check all your domains in the Microsoft 365 Admin Center or use PowerShell to list them. Then defederate each domain that shows as "Federated."

2. Using Hybrid AD Sync? Pause Before You Touch Anything

If you're syncing on-prem Active Directory with Microsoft 365 using Azure AD Connect (or Entra Connect), defederation can get tricky. Your authentication flow is already customized, so switching from federated to managed might cause login or sync issues if you don’t plan ahead.

Make sure your hybrid setup is documented, and consider testing changes in a dev environment or during off-hours. If you're unsure, loop in someone who manages hybrid environments regularly.

3. Seeing SharePoint URLs with netorg####? That’s Not Going Away

This one surprises a lot of people. If your SharePoint or OneDrive URLs were provisioned while the domain was federated through GoDaddy, they might include netorg#### as part of the URL.

Unfortunately, that naming structure is permanent. You can’t rename the tenant or get cleaner URLs without migrating everything to a brand-new tenant, which is usually not worth the hassle.

The good news? It’s only cosmetic. It doesn’t affect performance or features just how the URLs look.

4. Backup Tools Struggling to See Your Tenant? Federation Might Be the Problem

Some backup platforms and third-party tools have trouble connecting to federated Microsoft 365 tenants. If you’ve run into errors during backup setup, federation might be why.

Before defederating, consider exporting essential mailbox data or running a backup. Once you're a managed tenant, those tools should connect without issues.

5. Still See GoDaddy Apps or Permissions? Remove Them Manually

Even after defederating and removing partner access, some GoDaddy service principals or apps might still be hanging around in your Azure AD tenant.

Here’s how to check:

Go to Azure Active Directory > Enterprise Applications
Filter by “All Applications” and look for anything GoDaddy-related
Remove any unused or unnecessary entries

While these leftover pieces don’t always cause issues, they’re better removed to keep your tenant clean and secure.

‍

Defederation = Real Security

This isn’t just about admin control or convenience, defederating your Microsoft 365 domain is a serious security upgrade.

Let’s break down why.

Federation Leaves a Hidden Backdoor

When GoDaddy is still federated with your domain, authentication doesn’t happen directly through Microsoft. Instead, logins route through GoDaddy’s systems first. That means there’s a third party in your sign-in flow.

If their systems are ever compromised or misconfigured, your users could be exposed without you even knowing. And because GoDaddy controls the federation layer, you can’t monitor or change how that authentication works.

Delegated Admin = Persistent Access Risk

Even after you've taken over billing and day-to-day admin tasks, GoDaddy can still have delegated admin rights in your tenant.

That means they could log in, view user data, or make changes often without your knowledge.

If you're serious about security or compliance, that kind of open access shouldn't exist. You can’t enforce policies, apply least-privilege principles, or manage identity if someone else still has a foot in the door.

Zero Trust Doesn’t Work with Federation in Place

The whole point of zero trust is that you verify every connection, every login, every access request.

But when federation is in place, you’re giving trust to a system outside your control. You can’t enforce MFA globally, monitor real-time login behavior, or use advanced access policies the way Microsoft designed them.

Defederating is a critical step toward making your Microsoft 365 environment actually secure.

If You're in a Regulated Industry, This Is Non-Negotiable

Industries like healthcare, finance, legal, and education have strict security and privacy requirements.

HIPAA demands full access logging and access control
ISO 27001 requires tight identity governance
GDPR insists on proper data handling and accountability

You can’t meet those standards if a third-party vendor still has hidden access to your environment.

Defederation isn’t just best practice. In many cases, it’s required to stay compliant.

Breaking away from GoDaddy’s Microsoft 365 setup might seem like a technical hassle at first. But once you go through the process, you’ll finally have a Microsoft tenant that’s fully under your control. No more third-party barriers, no hidden access, and no frustrating limitations.

You’ll be able to manage security the right way, assign licenses freely, and set up policies that actually stick. It’s a one-time cleanup that gives you long-term control and peace of mind.

If you're unsure about anything or just want a second opinion before making changes, we’ve got you covered.

Cyberquell offers a free Federation Check for Microsoft 365 domains still tied to GoDaddy.
We’ll review your setup, spot risks you may have missed, and give you a clear list of fixes. No installs, no disruption, and no sales pressure.

‍

FAQs

Will I lose email during this?

No, not if you follow the steps in order.

As long as you update your DNS records after defederation and double-check mail flow, your email will keep working. If anything breaks, it’s usually because of missed or incorrect DNS updates.

Do I need to call GoDaddy?

No. You don’t need GoDaddy’s help to defederate your domain. Microsoft gives you everything you need to take back control.

However, if GoDaddy licenses are still active, you may want to cancel them afterward to avoid double billing.

What if I only have one domain?

That’s actually simpler.

If you only have one federated domain, you just need to defederate that one, remove GoDaddy’s admin access, and clean up your DNS. You won’t have to worry about cross-domain conflicts or partial setups.

What happens to my users’ logins?

Their usernames (email addresses) stay the same, but they’ll now authenticate directly with Microsoft.

You’ll want to reset passwords after defederation to avoid login issues. If MFA wasn’t working before, now’s a good time to set it up properly.

Can I reverse it if something breaks?

Technically, yes, but you shouldn’t need to.

If something goes wrong, you can re-federate the domain using PowerShell or restore previous DNS records. That said, most issues are caused by skipped steps, especially around DNS or licenses.

‍

Table of contents