✅ Recommended Method: Create a Mail Flow Rule (Transport Rule)

This method allows you to define specific conditions under which emails from certain domains bypass spam filtering.​CloudInfra

Steps:

1. Access the Exchange Admin Center:​CloudInfra+5Alitajran+5Microsoft Answers+5
   • Navigate to Exchange Admin Center.​
2. Create a New Rule:​LazyAdmin+8Microsoft Answers+8kjctech.net+8
   • Go to Mail flow > Rules.​Microsoft Answers+11Microsoft Answers+11Alitajran+11
   • Click on Add a rule > Create a new rule.​CloudInfra+6Alitajran+6Microsoft Learn+6
3. Define Rule Conditions:​
   • Name: Assign a descriptive name to the rule.​Microsoft Answers+5Microsoft Learn+5kjctech.net+5
   • Apply this rule if:
     • Select The sender > domain is > enter the domain you wish to allow.
     • Optionally, add conditions to enhance security, such as verifying that the sender passes SPF, DKIM, or DMARC checks.
4. Set Actions:​Alitajran+2Microsoft Learn+2Microsoft Learn+2
   • Do the following:
     • Select Modify the message properties > set the spam confidence level (SCL) > choose Bypass spam filtering.
     • Optionally, add a custom header for tracking purposes.
5. Finalize the Rule:​Microsoft Answers+1Microsoft Answers+1
   • Review the settings.​
   • Set the rule to Enforce.​Microsoft Answers+2LazyAdmin+2CloudInfra+2
   • Click Finish to activate the rule.​Microsoft Learn+4CloudInfra+4LazyAdmin+4

This approach is preferred as it allows for granular control and can incorporate additional security checks to ensure the legitimacy of the sender. ​Active Directory Pro

---

⚠️ Alternative Method: Use the Tenant Allow/Block List

This method involves adding domains to the Tenant Allow/Block List to permit emails from those domains.​CloudInfra+2Microsoft Learn+2Microsoft Learn+2

Steps:

1. Access the Microsoft 365 Defender Portal:​Microsoft Answers+4CloudInfra+4Alitajran+4
   • Navigate to Microsoft 365 Defender.​Microsoft Learn
2. Navigate to Tenant Allow/Block Lists:​Alitajran+4Microsoft Learn+4CloudInfra+4
   • Go to Email & collaboration > Policies & rules > Threat policies > Tenant Allow/Block Lists.​LazyAdmin+4CloudInfra+4Alitajran+4
3. Add Domains to Allow List:​Active Directory Pro+5Alitajran+5LazyAdmin+5
   • Under the Domains & addresses tab, click Add > Allow.​Microsoft Learn+1Microsoft Learn+1
   • Enter the domains you wish to allow.​Microsoft Learn+3Alitajran+3LazyAdmin+3
   • Set the duration for which the allow entry should remain active.​Microsoft Learn
   • Click Add to confirm.​

Note: This method should be used cautiously, as it may bypass certain security checks, potentially allowing malicious emails if the allowed domain is compromised. ​CloudInfra

---

⚠️ Less Recommended Method: Modify Anti-Spam Policies

Adjusting anti-spam policies to allow specific domains is generally not advised, as it can bypass multiple layers of security.​

Steps:

1. Access the Microsoft 365 Defender Portal:​
   • Navigate to Microsoft 365 Defender.​
2. Navigate to Anti-Spam Policies:​
   • Go to Email & collaboration > Policies & rules > Threat policies > Anti-spam.​
3. Edit Inbound Policy:​Alitajran+3Microsoft Learn+3LazyAdmin+3
   • Select the Anti-spam inbound policy (Default).​Microsoft Answers+4CloudInfra+4Alitajran+4
   • Scroll down to Allowed and blocked senders and domains.​Microsoft Learn+4Alitajran+4CloudInfra+4
   • Click Edit allowed and blocked senders and domains.​Alitajran+2CloudInfra+2LazyAdmin+2
   • Under Allowed domains, add the domains you wish to permit.​
   • Click Save to apply changes.​

Caution: This method is less secure and should be used only when necessary, as it may allow spoofed emails to bypass spam filters. ​LazyAdmin

---

Summary:

• Best Practice: Use Mail Flow Rules for precise control and enhanced security.​Active Directory Pro+7LazyAdmin+7Microsoft Learn+7
• Alternative: Employ the Tenant Allow/Block List for temporary allowances.​Microsoft Learn+3CloudInfra+3Microsoft Learn+3
• Least Recommended: Modify Anti-Spam Policies only when other methods are unsuitable.​

Implementing these methods carefully will help ensure that legitimate emails from trusted domains are delivered without being marked as spam.

From: https://docs.tminus365.com/configurations/godaddy/defederating-godaddy-365

Defederating GoDaddy 365

Last Updated: 7/2/2023 I updated this doc to include the new MSGraph cmdlets as MSOnline is being deprecated.

Unable to insert the picture
Migrate from Azure AD PowerShell to Microsoft Graph PowerShell.MicrosoftLearn
SUMMARY AND BACKGROUND

Customers can purchase a Microsoft 365 subscription direct with GoDaddy along with their primary domain. When this occurs, GoDaddy federates this domain and tenant, making it unable to transfer under the CSP program or Direct to Microsoft. Moving and defederating this account has been a major pain point and area of confusion which this blog post addresses.

In the solutions proposed in this guide you can perform the following:

Defederate the tenant without migrating

Never have to call GoDaddy

Keep user accounts vs deleting them

Have no downtime

High level-steps:

A. Prepare your End Users

B. Become a Tenant Admin in GoDaddy

C. Remove Federation with GoDaddy

D. Reset Users Passwords

E. Add a CSP Provider or Move Direct to Microsoft

F. Provision Licensing into the Account

G. Remove GoDaddy as Delegated Admin

H. Cancel GoDaddy Subscription

Prepare Your End Users

Defederating requires users to reset their passwords in order to be able to login to their account. You will need to have a password list to distribute to them or have them provide you passwords beforehand. You could just reset them all to a temporary password after federation and then they can change to whatever they want after.

Define a date and time in which you will be defederating. I recommend during non-business hours even though there is no downtime in mail flow with this solution. Provide end users with this information.

Since users may run into activation prompts within their office apps and outlook during the license transition, provide them documentation for how to sign back in after the license switch has taken place. For office apps they can simply go to File>Account>Sign Out>Sign In.

In outlook, users will be prompted to re-enter their new password after its changed:

Become a Tenant Admin in GoDaddy

When a user sets up a 365 account directly with GoDaddy, they set up the initial user as an “admin” user but this user is redirected to the GoDaddy portal when trying to access the admin tab when going to Office.com. For this reason, we need to gain access to the true Global Admin so that we can perform the necessary powershell scripts to defederate the tenant.

Login to Portal.Azure.com with the admin user that was set up when the account was first created and click on the 3 lines in the top left corner

Click on Azure Active Directory. Then click on Users when the new tabs open up

Here you should see a user label with admin@.onmicrosoft.com Ex:

Click on this user and reset their password. If you already have access to this user, you can disregard this step.

Once you have copied the temporary password, place it in a notepad and open an incognito window in the browser. In the browser, go to office.com and sign in with that username and temporary password. Establish a new password. With this completed, you now have a user that can run the necessary powershell commands in the future steps.

Remove Federation with GoDaddy

Be Aware Before you perform this step you want to make sure all users have the passwords you will be resetting as they will not be able to login without that new password.

We can use the following PowerShell cmdlets to defederate the tenant. Note that you need to run PowerShell as administrator.

CopyWrite-Host “Checking for MSGraph module…”

$Module = Get-Module -Name “Microsoft.Graph.Identity.DirectoryManagement” -ListAvailable

if ($Module -eq $null) {

    Write-Host "MSGraph module not found, installing MSGraph" 
    Install-Module -name Microsoft.Graph.Identity.DirectoryManagement 

} 

Connect-MgGraph -Scopes “Directory.Read.All”,”Domain.Read.All”,”Domain.ReadWrite.All”,”Directory.AccessAsUser.All”

Enter the Admin credentials from “Become a tenant Admin in GoDaddy”

Get-MgDomain

See that the domain is “federated”#

Update-MgDomain -DomainId “” -Authentication Managed

An example of a DomainId is “tminus365.com”. This would be the domain that was listed as federated that you want to covert to managed. After this is complete you will get a new commandline. You can run Get-MgDomain again and see that your domain is now “managed”.

Please Note ALL domains in the tenant need to be in a managed state for this to work correctly even if one is no longer in use.

Supporting CMDLET docs:

Get Started: Get started with the Microsoft Graph PowerShell SDK | Microsoft Learn

Get Domain: Get-MgDomain (Microsoft.Graph.Identity.DirectoryManagement) | Microsoft Learn

Update Domain: Update-MgDomain (Microsoft.Graph.Identity.DirectoryManagement) | Microsoft Learn

Reset Users Password

You can do this manually one user at a time if there aren’t many users in the account or you could use a powershell script to bulk update everyone passwords form a CSV file. If you plan to do them manually, then you can simply login to office.com as the admin we derived from section B and now that the tenant is defederated, you will be able to click into the admin tile and access the Users section like you are familiar with. Otherwise, you can connect to Powershell as administrator and run the powershell script below:

Copy##########Connect to MsGraph##########

CopyWrite-Host “Checking for MSGraph module…”

$Module = Get-Module -Name “Microsoft.Graph.Users.Actionst” -ListAvailable

if ($Module -eq $null) {

    Write-Host "MSGraph module not found, installing MSGraph" 
    Install-Module -name Microsoft.Graph.Users.Actions 

} 

Connect-MgGraph

Enter the Admin credentials from “Become a tenant Admin in GoDaddy”

####### Define CSV path of Users and Group ##################

$UserPath = Read-Host -Prompt “Enter File Path For CSV list of users”

Create CSV template with headers of Userprincipalname and Password#######

Import-Csv -Path $UserPath |%{Update-MgUserPassword -UserId $_.UserPrincipalName –NewPassword $_.Password}

Add a new Provider and Provision Licensing

Now that the tenant is defederated, you can add a CSP provider with their delegated admin link or go direct to Microsoft.

For CSP:

Paste the appropriate link in a browser and sign into the tenant with the Global Admin credentials if you are not already logged in. Accept the relationship. After the acceptance, reload the page and you will see a new CSP listed.

Order licensing for this customer. If you are not changing the subscription, then all you would need to do is provision the same amount of seats as you have today, remove them as delegated admin, and cancel with GoDaddy. There is no other action that would be required. License ownership would transfer and there will be no downtime for users.

If you are changing the subscriptions that are assigned to users (i.e. you are moving them from Business Standard to Business Premium as an example) you will need to perform the following steps:

Order the licensing from CSP

See the licensing provisioned in the 365 Tenant for this customer under Billing>Your Products

Go to Users>Active Users and bulk assign the new licensing from CSP and unassign the licensing from GoDadddy.

Remove GoDaddy as Delegated admin

Cancel the GoDaddy subscription in the GoDaddy admin portal.

For Microsoft Direct:

In the Microsoft Admin Portal, go to Billing>Purchase Services

Purchase the licensing you want to have for your users

Follow the same steps as CSP to Assign licenses to users if you have changed their subscription type. (i.e. Moving from Business Standard to Business Premium).

Remove GoDaddy as Delegated Admin and Cancel Subscription

Warning! If you do not follow the steps to remove GoDaddy as a delegated admin before you cancel with them, they will run a script to delete all users in the account and remove the primary domain. You need to ensure you remove them as delegated admin after the move and ensure that their admin user is deleted in the account BEFORE cancelling the subscription. This action is recoverable, but it causes you to have to perform more work and it does involve downtime. If you would like to never have any concerns of this issue with additional safeguards, you should look at a solution that migrates to a new tenant in addition to defederation.

In the 365 Admin Portal

Under Settings>Partner Relationships>Click on GoDaddy and remove their roles:

In GoDaddy, cancel the renewal:

Conclusion

From here, the subscription from GoDaddy will expire at end of term and that is all. You now have a tenant under CSP with all of the typical management functionality you are familiar with. Hope this provided some targeted guidance on defederating a GoDaddy tenant! Please share with the community!

How to send as an alias or shared mailbox in outlook.com

Before being able to send as, two settings must be changed on the admin portal:

To enable Send as Alias in the Microsoft 365 Admin Portal, follow these two steps:

Step 1: Enable “Send from Alias” in Exchange Online

1. Go to Microsoft 365 Admin Center.
2. Navigate to Settings → Org Settings.
3. Click on Email.
4. Look for “Send email from alias”, check the box, and click Save.

---

Step 2: Assign “Send As” Permission for the Alias

1. In the Exchange Admin Center (https://admin.exchange.microsoft.com):
   • Go to Recipients → Mailboxes.
   • Select the mailbox where you want to send as an alias.
   • Click Mailbox Delegation (left panel).
   • Under Send As, click Add and select the user.
   • Click Save.

✅ Now, users can send emails using the alias in Outlook or OWA. It may take some time for changes to take effect.

Once that is done (sometimes as much as 10-15 minutes to wait for the delegation to take effect), then you can show the user how to send as that email:

If you need to send emails that do not require a response, you can set up a no-reply email account. Follow these steps to configure and use a no-reply email address:

1. Ensure you are using Outlook.com for sending emails.
2. Go to Settings.
3. Select Mail.
4. Click on Compose and reply.
5. Check the box that says Always show from.

To send an email from the no-reply address:

1. On the compose mail page, look for the From field above the To field.
2. Type in the no-reply email address (e.g., no-reply@Canyonview.us) in the From field.
3. Compose your email and send it.

Note: If recipients reply to the no-reply email, you will not see their responses, and neither will anyone else. Once you have sent an email from the no-reply account, you can easily select it in the From field for future emails without needing to type it in again.

For further assistance or training, consider scheduling a session with your IT team.How to send as an alias or shared mailbox in outlook.com

Managing MS365 Email Storage Limits

Microsoft 365 email accounts typically have a default storage limit of 50 GB. Exceeding this limit can cause issues such as being unable to send or receive emails. Here are two solutions you can consider:

1. Upgrade the License: You can increase the storage capacity by purchasing a higher-tier license for the user. This will provide up to 100 GB of storage, which is the maximum available for MS365 mailboxes.
2. Archive Old Emails: Instead of deleting individual emails, which may not free up enough space due to the large amount, consider creating an archive of emails that are older than a certain date. This process will free up significant space in the mailbox.

Please note that these actions may require assistance from your IT support team to ensure they are carried out correctly.