If you’re considering defederating from GoDaddy 365, you're likely looking to take control of your domain and email setup. GoDaddy’s managed Microsoft 365 solution is a convenient choice for many businesses, but as your company grows, you might find that it limits your flexibility.
Moving away from GoDaddy's managed services can give you direct access to the full features of Microsoft 365, or perhaps you're thinking about migrating to another solution, like Google Workspace. Whatever your reasons, defederating is a key step toward gaining more independence and control over your business’s email and collaboration tools.
In this guide, we’ll break down the entire defederation process in simple terms, step by step. We’ll help ensure you don’t miss any critical steps and that you avoid any pitfalls that could leave your email system in disarray.
Understanding Federation vs. Defederation
Before diving into the defederation process, it’s important to understand the difference between federation and defederation, especially when dealing with GoDaddy’s managed Microsoft 365 environment.
What is Federation in GoDaddy’s 365 Environment?
Federation in this context means that GoDaddy manages your Microsoft 365 services, including your domain and email setup. When your domain is federated with GoDaddy, GoDaddy controls much of the configuration and administration for your Microsoft 365 tenant. This often means you’re relying on GoDaddy to handle essential aspects of your account, such as licensing, user management, and DNS settings.
Limitations of GoDaddy-Managed Tenants
While GoDaddy’s managed service may be convenient, it does come with its set of limitations:
- Admin Restrictions: As a customer, you may not have full control over all the admin settings and configurations in Microsoft 365. This can limit your ability to customize features, manage users, or adjust security settings.
- Licensing Issues: GoDaddy may bundle services differently, restricting your ability to pick and choose licenses that best fit your business needs.
- Lack of Flexibility: With GoDaddy managing your Microsoft 365 environment, you’re tied to their infrastructure and pricing models, which might not align with your business growth or flexibility needs.
Benefits of Defederating from GoDaddy 365
When you decide to defederate, you essentially separate your domain from GoDaddy’s managed environment. This gives you several advantages:
- Full Admin Rights: You gain complete control over your Microsoft 365 environment, including user management, configurations, and security settings. No more restrictions from GoDaddy.
- Better Integration with Security Tools: With direct access to Microsoft 365, you can better integrate security features like multi-factor authentication (MFA), advanced threat protection, and custom email filtering.
- Flexibility in Email Management and DNS: Defederating allows you to manage your email, DNS settings, and domain independently, enabling smoother transitions to other platforms (like Google Workspace) or more customized configurations.
By defederating, you're gaining the autonomy to tailor your environment, improve security, and unlock the full potential of Microsoft 365.
Pre-Defederation Checklist (Must-Do Steps)
Before you begin the defederation process, it’s crucial to complete a few essential tasks to ensure everything goes smoothly. Here’s your checklist to make sure you’re fully prepared:
Backup All Mailboxes, Contacts, and OneDrive Files
Start by backing up all critical data. This includes emails, contacts, and OneDrive files. Even though defederation shouldn’t result in data loss, it’s always safer to have backups in place to prevent any unexpected issues during the transition.
Export Distribution Lists, Aliases, and Shared Mailboxes
If you’re using distribution lists, email aliases, or shared mailboxes, make sure to export them. These settings won’t automatically migrate to your new Microsoft 365 setup or any other platform you choose, so it’s essential to have them saved and ready to import after defederation.
Communicate Migration Plan Internally
It’s important to keep your team informed. Notify your internal stakeholders about the upcoming migration. This ensures they understand the process, what to expect, and any potential disruptions to email or collaboration tools during the transition.
Schedule During Non-Peak Business Hours
Plan your defederation during a low-traffic period. Scheduling it outside of peak business hours minimizes the impact on your day-to-day operations, as email and other services may be temporarily unavailable during the process.
Ensure You Have Microsoft 365 Global Admin Credentials
You’ll need full administrative access to your Microsoft 365 tenant. Make sure you have the correct Global Admin credentials in hand. Without these, you won’t be able to perform the necessary steps to defederate successfully.
Confirm Access to Domain DNS Settings
Defederation often requires updates to your domain’s DNS settings. Confirm that you have access to your domain registrar’s control panel (GoDaddy or elsewhere) and ensure you can make necessary DNS changes. This is vital to ensuring your email and domain continue to function properly post-defederation.
Step-by-Step: How to Defederate a GoDaddy 365 Domain Using PowerShell
Now that you're prepared, let's walk through the steps to defederate your GoDaddy 365 domain using PowerShell. This is a crucial part of the process, so make sure to follow each step carefully.
Install & Use the Microsoft Graph PowerShell SDK (Not MSOnline)
First, you need to install the Microsoft Graph PowerShell SDK, which is the recommended module for interacting with Microsoft 365 services. Avoid using the older MSOnline module, as it's no longer supported for modern services.
To install the Microsoft Graph SDK, use the following command in PowerShell:
```powershell
Install-Module -Name Microsoft.Graph -Scope CurrentUser
```
Connect to Your Microsoft 365 Tenant
Once the SDK is installed, connect to your Microsoft 365 tenant. Use the command below to authenticate and establish a session:
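```powershell
# Domain.ReadWrite.All is the permission needed to change a domain's authentication type
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All", "Domain.ReadWrite.All"
```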
You’ll be prompted to log in with your Microsoft 365 Global Admin credentials.
Run Updated PowerShell Commands to Convert Domain from 'Federated' to 'Managed'
With the connection established, the next step is to convert your domain from federated to managed. This involves running the following PowerShell command:
```powershell
# Graph SDK cmdlet; replaces Set-MsolDomainAuthentication from the older MSOnline module
Update-MgDomain -DomainId "yourdomain.com" -AuthenticationType "Managed"
```
This command changes the authentication method for your domain from federated to managed. It’s important to note that this action may take some time to process across Microsoft 365 services.
Verify the Status of Domain After Conversion
Once the command has been executed, you need to verify that the domain has successfully been converted to a managed domain. Run the following PowerShell command to check the status:
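```powershell
# Graph SDK cmdlet; replaces Get-MsolDomain from the older MSOnline module
Get-MgDomain -DomainId "yourdomain.com" | Select-Object Id, AuthenticationType
```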
The output should show that the domain's authentication type is now Managed, confirming that the defederation process has been completed successfully.
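The steps above combined into one guarded script, as an added example that is not the guide's own code: it checks the domain's current state, converts it only if needed, and polls until the directory reports Managed. The parameter names, the 30-minute timeout and the 60-second poll interval are assumptions; `yourdomain.com` is the guide's placeholder.

```powershell
# Added example, not the guide's own script. Converts one domain from Federated
# to Managed with the Microsoft Graph PowerShell SDK and waits for the change.
# Assumptions: parameter names, the 30-minute timeout and the 60-second poll.
param(
    [string]$DomainName     = 'yourdomain.com',   # placeholder used in this guide
    [int]   $TimeoutMinutes = 30,
    [int]   $PollSeconds    = 60
)
$ErrorActionPreference = 'Stop'

# Changing a domain's authentication type needs the Domain.ReadWrite.All permission.
Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

# Record the starting state of every domain in the tenant before touching anything.
$before = Get-MgDomain -All | Select-Object Id, AuthenticationType, IsVerified, IsDefault
$before | Format-Table -AutoSize | Out-String | Write-Host

$target = $before | Where-Object Id -eq $DomainName
if (-not $target)            { throw "Domain '$DomainName' was not found in this tenant." }
if (-not $target.IsVerified) { throw "Domain '$DomainName' is not verified." }

if ($target.AuthenticationType -eq 'Managed') {
    Write-Host "'$DomainName' is already Managed; no change made."
}
else {
    Update-MgDomain -DomainId $DomainName -AuthenticationType 'Managed'

    # Poll until the directory reports Managed or the timeout expires.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds $PollSeconds
        $state = (Get-MgDomain -DomainId $DomainName).AuthenticationType
        Write-Host ("{0:HH:mm:ss}  {1}: {2}" -f (Get-Date), $DomainName, $state)
    } while ($state -ne 'Managed' -and (Get-Date) -lt $deadline)

    if ($state -ne 'Managed') {
        throw "'$DomainName' still reports '$state' after $TimeoutMinutes minutes."
    }
}

# Any other domain left as Federated keeps redirecting sign-ins to the federated provider.
$stillFederated = Get-MgDomain -All | Where-Object AuthenticationType -eq 'Federated'
if ($stillFederated) {
    Write-Warning ("Still federated: " + ($stillFederated.Id -join ', '))
}
```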
DNS Configuration After Defederation
Once your domain is defederated, it’s time to update your DNS records to ensure email and other services work correctly with your new setup, whether it’s direct Microsoft 365 or Google Workspace. Here’s a walkthrough of the essential DNS changes you’ll need to make.
Walkthrough for Updating Your DNS (MX, SPF, DKIM, Autodiscover, etc.)
After defederating, you'll need to update various DNS records to make sure everything functions as expected. Below are the key records you’ll need to configure:
MX Records (Mail Exchange): These records direct incoming email traffic to the right mail server. For Microsoft 365, the MX record will typically look something like this:
```text
MX: <yourdomain>.mail.protection.outlook.com
```
For Google Workspace, it will look like:
```text
MX: ASPMX.L.GOOGLE.COM
```
SPF (Sender Policy Framework): SPF records help prevent email spoofing by verifying that outgoing email is sent from a trusted source. Here's an example of a Microsoft 365 SPF record:
```text
v=spf1 include:spf.protection.outlook.com -all
```
For Google Workspace:
```text
v=spf1 include:_spf.google.com ~all
```
DKIM (DomainKeys Identified Mail): DKIM helps ensure that the email was not tampered with during transit. After defederation, you’ll need to configure DKIM records according to your new provider’s setup. Microsoft 365 and Google Workspace both provide DKIM record configurations in their respective admin dashboards.
Autodiscover (for Outlook): This record is essential for automatic configuration of Outlook clients. For Microsoft 365, you'll need to create an Autodiscover CNAME record like this:
```text
CNAME: autodiscover.<yourdomain>.com -> autodiscover.outlook.com
```
Common DNS Propagation Issues and How to Validate Records
DNS changes don’t happen instantly. They need time to propagate across the internet, which can take anywhere from a few minutes to 48 hours, depending on various factors like TTL (Time to Live) settings and your DNS provider’s update speed. Here’s what to look out for:
- Email Delivery Issues: If emails are bouncing or delayed, it could be due to improper MX record configuration or DNS propagation delay. You can check your MX records using a tool like MXToolbox to ensure they’re pointing to the right destination.
- SPF or DKIM Failures: If your emails are being flagged as spam, it could be because your SPF or DKIM records are not set up correctly. Use tools like MailTester to validate these records and ensure they're working properly.
- Autodiscover Failures: If Outlook is not connecting automatically, double-check your Autodiscover records. Again, use MXToolbox or similar DNS checking tools to ensure this is configured correctly.
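A local version of these checks for the Microsoft 365 case, as an added example that is not part of the original guide: it compares MX, SPF and Autodiscover answers with the record values listed above and reports each mismatch. The function names, the default resolver address and the sample records are constructed for illustration; `Resolve-DnsName` is the Windows DnsClient cmdlet.

```powershell
# Added example (not from the original guide). Expected values are the Microsoft 365
# records listed in this guide; function names and sample data are constructed.

function Test-MailDns {
    param([Parameter(Mandatory)][hashtable]$Records)   # keys: MX, TXT, AutodiscoverCname
    $findings = [System.Collections.Generic.List[string]]::new()

    # MX: every exchanger should be the Microsoft 365 endpoint.
    $mx = @($Records.MX | Where-Object { $_ })
    if ($mx.Count -eq 0) { $findings.Add('MX: no record returned') }
    foreach ($mxHost in $mx) {
        if ($mxHost.TrimEnd('.') -notlike '*.mail.protection.outlook.com') {
            $findings.Add("MX: unexpected exchanger '$mxHost'")
        }
    }

    # SPF: exactly one v=spf1 record; receivers treat several as a permanent error.
    $spf = @($Records.TXT | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -ne 1) {
        $findings.Add("SPF: found $($spf.Count) v=spf1 records, expected exactly 1")
    }
    else {
        if ($spf[0] -notmatch 'include:spf\.protection\.outlook\.com(\s|$)') {
            $findings.Add('SPF: missing include:spf.protection.outlook.com')
        }
        if ($spf[0] -notmatch '\s[-~]all$') {
            $findings.Add('SPF: record does not end in -all or ~all')
        }
    }

    # Autodiscover: CNAME should point at autodiscover.outlook.com.
    $cname = "$($Records.AutodiscoverCname)".TrimEnd('.')
    if ($cname -ne 'autodiscover.outlook.com') {
        $findings.Add("Autodiscover: CNAME is '$cname', expected autodiscover.outlook.com")
    }
    return $findings
}

# Live lookup against one resolver; the default resolver address is an assumption.
function Get-MailDns {
    param([Parameter(Mandatory)][string]$Domain, [string]$Server = '1.1.1.1')
    $q = @{ Server = $Server; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    @{
        MX  = @(Resolve-DnsName -Name $Domain -Type MX @q).NameExchange
        TXT = @(Resolve-DnsName -Name $Domain -Type TXT @q |
                ForEach-Object { $_.Strings -join '' })
        AutodiscoverCname = @(Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME @q).NameHost |
                            Select-Object -First 1
    }
}

# Constructed sample: answers for a domain part-way through the move, with the
# previous provider's MX host and SPF record still published.
$sample = @{
    MX  = 'example-com.mail.protection.outlook.com', 'mail.old-provider.example'
    TXT = 'v=spf1 include:spf.protection.outlook.com -all',
          'v=spf1 include:old-provider.example ~all',
          'MS=ms00000000'
    AutodiscoverCname = 'autodiscover.outlook.com'
}
Test-MailDns -Records $sample | ForEach-Object { Write-Host "FAIL  $_" }

# Live check against a specific resolver (Windows, DnsClient module):
# Test-MailDns -Records (Get-MailDns -Domain 'yourdomain.com' -Server '8.8.8.8')
```

Running the live check against more than one resolver shows whether a failure is a real misconfiguration or a record that has not yet propagated.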
Link to Microsoft 365 or Google Workspace DNS Guides
To ensure that you’re following the correct DNS setup for your new provider, here are some helpful links to the official guides:
- Microsoft 365 DNS Setup: Microsoft’s DNS Setup Guide
- Google Workspace DNS Setup: Google Workspace DNS Setup Guide
These guides will walk you through all the specific records needed for your new environment and help troubleshoot any issues that might arise.
Post-Defederation Tasks
Once you’ve successfully defederated your GoDaddy 365 domain, there are a few crucial tasks you need to complete to ensure everything is running smoothly. These steps help you ensure that your users, devices, and subscriptions are fully aligned with the new setup. Here’s a checklist of post-defederation tasks to help you get everything in order.
Reset All User Passwords (Users Will Need to Login Fresh)
When you defederate your domain, it's a good practice to reset user passwords. This ensures that each user can authenticate directly with Microsoft 365 or Google Workspace without any lingering authentication issues from GoDaddy’s management.
- Why reset passwords? Resetting passwords guarantees that all login credentials are fresh and tied to your new provider's authentication method. This eliminates the risk of users being unable to access their accounts due to federation-related complications.
You can reset user passwords via the Microsoft 365 admin center or Google Workspace admin console, depending on your provider.
Assign Correct Licenses (E3, Business Premium, etc.)
Once defederation is complete, ensure that all users have the correct Microsoft 365 or Google Workspace licenses assigned to their accounts. GoDaddy may have been managing these licenses under its own structure, so you’ll need to manually assign licenses after defederation.
- For Microsoft 365: Assign licenses like Business Premium, E3, or any other relevant plan based on the user’s role and requirements.
- For Google Workspace: Assign the appropriate Business or Enterprise plan based on your organization’s needs.
Make sure users are provisioned with the right features (email, storage, Teams, etc.).
Validate Mailbox Functionality and Email Flow
After defederating, test mailbox functionality thoroughly to ensure that everything is working as expected. Validate that users can send and receive emails without any issues.
- Check MX records to ensure email is routed correctly.
- Test email flow by sending and receiving messages both internally and externally.
- Confirm Shared Mailboxes are accessible to users, and any distribution lists are working properly.
Reconnect Devices and Apps (Outlook, Teams, Mobiles)
Now that the defederation is complete, users may need to reconnect their devices and apps (Outlook, Teams, mobile devices, etc.) to the new Microsoft 365 or Google Workspace setup.
- Outlook: Reconfigure Outlook profiles or reconnect accounts to ensure seamless email synchronization.
- Teams: If you’re using Microsoft Teams, users may need to sign in again to ensure access to chats, meetings, and files.
- Mobile Devices: Ensure mobile email accounts and apps are reconfigured with the new provider’s settings.
You may need to guide your users on reconfiguring these apps, especially if they were previously connected through GoDaddy’s federated environment.
Remove GoDaddy Delegated Admin Access
After defederating from GoDaddy, it’s crucial to remove any delegated admin access GoDaddy may have had to your Microsoft 365 or Google Workspace accounts.
- GoDaddy Admin Access: Log in to your admin portal (Microsoft or Google) and remove GoDaddy’s access to your account to maintain security and prevent unauthorized access.
This will also help ensure that no changes are made to your tenant or configuration from GoDaddy’s side moving forward.
Cancel or Downgrade GoDaddy Subscription If Not Needed
If you no longer need GoDaddy’s services (e.g., email, DNS management, or hosting), it’s time to cancel or downgrade your subscription.
- Cancel unnecessary services: If you're only using GoDaddy for email hosting, cancel those services to avoid paying for unused resources.
- Downgrade subscription: If you still require some GoDaddy services, but not at the full premium, consider downgrading your subscription to a more basic plan.
Take a moment to review all active services under your GoDaddy account and adjust accordingly.
Migrating to Google Workspace? Here’s What Changes
If you’re not just defederating from GoDaddy but also moving to Google Workspace, there are a few key changes to be aware of. This isn’t just a switch of providers—it’s a shift in how your email, user accounts, and overall collaboration environment are managed. Here's what you need to do (and expect) when making the jump.
Add Your Domain to Google Workspace
The first step is to verify and connect your domain with your new Google Workspace account.
- Log into the Google Admin Console
- Add your domain and follow the verification steps (typically by adding a TXT record to your DNS)
- Once verified, you can begin setting up users and services
This essentially tells Google: “Hey, I own this domain, and I want to use it for email and collaboration.”
Migrate Mail Using Google Workspace Migration Tool or a Third-Party Tool
You’ll want to bring over historical emails, calendar events, and contacts. Google provides a native tool called the Google Workspace Migration Tool (GWMME), which works well for most small to medium migrations.
Options include:
- Google Workspace Migration Tool: Works well with Microsoft 365 mailboxes.
- Third-party tools like BitTitan or Cloudiway: Offer more control and reporting for complex migrations.
Pick the right tool based on:
- Number of users
- Size of mailboxes
- Specific needs like PST imports, calendar sharing, etc.
Configure Google DNS Records (MX, SPF, DKIM, DMARC, etc.)
Once your domain is verified and users are set up, it’s time to point your DNS records to Google.
Here are the key ones:
- MX Records: Routes your domain's mail to Google servers
- SPF: Prevents spoofing by specifying allowed sending servers
- DKIM: Digitally signs your email to prevent tampering
- DMARC: Adds another layer of protection and reporting
You’ll update these settings in your DNS manager—whether that’s GoDaddy, Cloudflare, or another registrar.
Set Up Security Configurations (2FA, DLP, etc.)
Google Workspace gives you robust security tools, but you’ll need to enable and configure them:
- Two-Factor Authentication (2FA): Enforce it for all users via the Admin Console
- DLP (Data Loss Prevention): Set up policies to prevent sensitive info (e.g., credit card numbers) from being shared outside
- App Access Control: Limit what third-party apps can access your Google data
- Context-Aware Access: (if using Enterprise) Restrict access based on user location or device
Taking time to properly configure security features helps keep your new environment protected from day one.
Data Retention and Compliance Setup in Google Workspace
If you're in a regulated industry (finance, healthcare, legal, etc.), make sure you replicate or enhance your compliance setup.
- Use Google Vault (included in Business Plus and Enterprise plans) for email and chat archiving
- Set retention rules for emails, Drive files, and messages
- Create legal holds if required for eDiscovery
These features help ensure your new environment meets internal and external compliance standards.
By the end of this phase, you’ll not only have left GoDaddy’s managed Microsoft 365 behind, but you’ll also be fully up and running on Google Workspace—with full control, better security, and tools that scale with your business.
End-User Communication Strategy
Even the smoothest technical migration can hit speed bumps if your users aren’t properly informed. That’s why communication is just as critical as configuration. Let’s break down how to keep your team in the loop and minimize frustration.
Sample Email to Notify Users Before the Switch
You’ll want to send a clear, no-jargon email ahead of the migration. Here’s a simple template you can adapt:
Subject: Upcoming Email System Update – Here’s What You Need to Know
Hi Team,
We’re making an important update to our email system to improve performance, security, and flexibility. Here’s what you should know:
- The switch will happen on [Date/Time]
- You may need to log in again after the update
- Your emails, contacts, and calendar events will still be there
- If you experience any issues, contact [IT contact or Helpdesk]
We’ll keep you posted with updates. Thanks for your cooperation!
– IT Team
Helpdesk Cheat Sheet for Password Resets and Login Issues
Your support team will be on the front lines. Prepare a quick cheat sheet or internal FAQ for common issues, like:
- Where users should log in after defederation or migration
- How to reset passwords (via self-service portal or manual process)
- What apps or devices may need to be reconfigured (Outlook, phones, Teams, etc.)
- Known issues (e.g., mobile sync delays, cached credentials)
Having this ready cuts down on confusion and support time.
What Users Should Expect During the Transition
Set expectations clearly so users aren’t surprised by common changes:
- You’ll likely be logged out from Outlook and Teams
- You’ll need to re-enter your password or reconnect accounts
- Some downtime or delayed emails may occur briefly
- No data will be lost—everything will be accessible again shortly
This transparency builds trust and reduces panic.
Tips to Reduce Confusion and Downtime
Here’s what you can do to make the experience smoother:
- Stagger the migration by departments, if possible
- Use status pages or Slack channels to give real-time updates
- Record a short screencast showing how to log in post-migration
- Ensure IT support is on standby, especially during the first few hours after switching
The smoother the user experience, the faster your team gets back to work—and the more confident they’ll feel about the switch. A little proactive communication goes a long way.
Troubleshooting and Common Pitfalls
Even with careful planning, things can go sideways. This section covers the most common issues you might encounter during or after defederating from GoDaddy 365—and what to do if they happen.
PowerShell Access Issues
The Problem: You're trying to run defederation commands, but PowerShell isn't cooperating.
Fixes:
- Make sure you're using the Microsoft Graph PowerShell SDK, not older modules like MSOnline.
- Run PowerShell as Administrator.
- Confirm your account has Global Admin privileges.
Try installing/reinstalling the SDK:
```powershell
Install-Module Microsoft.Graph -Scope CurrentUser
```
Domain Still Shows as Federated
The Problem: After running the defederation script, the domain status still says “Federated.”
Fixes:
- Double-check the domain name in your command.
Use the verification script:
```powershell
# The Graph SDK cmdlet takes the domain name via -DomainId
Get-MgDomainFederationConfiguration -DomainId yourdomain.com
```
- Wait 15–30 minutes; changes may take time to reflect.
- In some cases, re-run the domain conversion command from the defederation step to force the change.
Delays in DNS Propagation
The Problem: You’ve updated DNS records, but mail flow is still disrupted.
Fixes:
- Propagation can take up to 48 hours, especially for MX and SPF.
- Use tools like MXToolbox or Google Admin Toolbox to verify DNS status.
- Re-check TTL values in your DNS provider settings—lower them pre-migration if possible.
Users Unable to Sign In Post-Defederation
The Problem: After the switch, users can't access email or apps.
Fixes:
- Reset user passwords after defederation; cached credentials won’t work.
- Make sure licenses are assigned properly.
- Ensure users are logging in with the correct UPN (UserPrincipalName) format.
- Confirm that no conditional access policies are interfering with logins.
Licensing Not Applying Correctly
The Problem: Some users aren’t getting the right Microsoft 365 apps or services.
Fixes:
- Reassign licenses manually from the Microsoft 365 admin center.
- Double-check that the licenses are available in your tenant post-GoDaddy.
- Use PowerShell to bulk-assign if managing many users.
Steps to Roll Back in Emergencies
Let’s say something major breaks—what can you do?
- Don’t panic. Your DNS and user data are still intact.
- If you haven’t deleted your GoDaddy tenant or canceled services yet, you can switch the DNS back to original GoDaddy-managed records temporarily.
- Re-federation is possible, though not ideal—it requires re-enabling federation settings via PowerShell (advanced users only).
- If needed, contact Microsoft 365 support—they can often assist with tenant-level issues faster than GoDaddy.
Security and Compliance Considerations
Defederating from GoDaddy 365 isn’t just about gaining control—it’s also a chance to tighten up your security and ensure compliance policies are truly working in your favor. Here's what to consider once you're operating directly under Microsoft 365 or after switching to Google Workspace.
Enhanced Security Control Post-Defederation
Once you’re no longer tied to GoDaddy’s managed environment, you regain full admin privileges. This means:
- You can enforce organization-wide security policies.
- You’re no longer reliant on GoDaddy’s limitations around certain admin settings.
- You gain direct access to advanced threat protection, conditional access, and other enterprise-grade features.
In short: you can now secure your environment the way it should’ve been from the start.
Re-enabling MFA and Conditional Access Policies
GoDaddy environments may restrict how MFA (Multi-Factor Authentication) is configured. Post-defederation, it’s crucial to:
- Ensure MFA is enabled for all users.
- Review and apply conditional access policies for logins, device compliance, and location-based controls.
- Set up baseline protections or advanced configurations through Microsoft Entra ID (formerly Azure AD).
Pro Tip: Start with report-only mode for conditional access policies before enforcing, so you don’t lock users out accidentally.
Audit Logging and Data Retention
Don’t assume audit logs and retention settings carry over cleanly post-defederation.
- Re-check Microsoft Purview (Compliance Center) to ensure audit logs are enabled.
- Confirm retention policies (especially for emails, Teams chats, and OneDrive).
- If moving to Google Workspace, configure Vault retention settings and Admin audit logs accordingly.
This is particularly critical for regulated industries—finance, healthcare, law, etc.
Compliance Implications When Leaving GoDaddy
GoDaddy’s 365 offering may have bundled compliance features—but they can be opaque and limited.
After defederating:
- You need to manually verify all compliance requirements are still being met.
- For Microsoft 365: Use tools like Microsoft Purview, Information Protection, and Data Loss Prevention (DLP).
- For Google Workspace: Explore Vault, context-aware access, and zero-trust features.
If you're working with a compliance team, now’s the time to loop them in and get their sign-off.
When You Should NOT Defederate
Defederating from GoDaddy 365 can be a smart move—but it's not the right decision for everyone. Before you jump into the process, take a moment to assess whether defederation truly aligns with your business needs. Here are a few cases where it might be better to pause or reconsider:
You're Dependent on GoDaddy-Specific Bundled Services
Some GoDaddy plans include bundled tools—like website hosting, marketing tools, or domain-based offers—that are tied into their Microsoft 365 service.
- If you're actively using those services and your workflow depends on them, breaking away might cause unexpected disruptions.
- In rare cases, features may be locked behind GoDaddy’s UI or account structure and unavailable once you're fully defederated.
If this sounds like your setup, make sure you have a plan to replace those features before pulling the plug.
You're Under a Long-Term Contract with Penalties
Double-check your GoDaddy billing and service agreements. Some businesses are on annual plans or bundles with early termination clauses.
- You might face fees for leaving early.
- Some licenses may not be transferable and would need to be re-purchased from Microsoft or Google.
It’s worth doing the math—sometimes waiting until renewal makes more financial sense.
You Don’t Have In-House IT Support or a Trusted MSP
Defederation isn’t rocket science—but it’s not a casual weekend project either. Without proper technical know-how:
- You risk misconfigured DNS or email flows.
- End users may lose access unexpectedly.
- Compliance gaps or security holes could pop up during the transition.
If you're not confident in your internal resources, consider partnering with a Managed Service Provider (MSP) who specializes in Microsoft 365 or Google Workspace migrations. It can save you time, frustration, and a lot of cleanup later.
Defederating from GoDaddy 365 gives you what every growing business needs—full control, stronger security, and the freedom to manage your email setup your way.
Whether you're switching to direct Microsoft 365, moving to Google Workspace, or simply looking to eliminate the limitations of GoDaddy's managed setup, you're making a smart move toward a more flexible and secure future.
Need a quick refresher on any step? Here are some trusted links to dive deeper:
- Microsoft: Convert a domain from federated to managed
- Google Workspace Admin Help: Set up email
And if you're looking for expert help—no scripts, no guesswork, no downtime—we’ve got you.