Splitting sub and root domains

In a project for a customer I was doing a T2T migration but, since this was a fashion retailer with a lot of stores we needed to find a way to slowly move the computers in the stores. During the migration we will move the root domain exobe.com. But since all accounts including the ones that are used in the store are in subdomains they are dependant on the root domain.

The devices in the stores are Windows 11 and Entra ID joined only. So it complicates if we pull down the old tenant in one go. Reinstalling 400 devices in more or less 200 locations would even with a lot of staff generate downtime. We need to be able to split the domains between tenants.

We need to do two things here before removing the root domain from the tenant. Set the subdomains as Root and clear all references to the root domains on objects. Users, groups, apps etc etc.


In the tenant we had two subdomains stores-se.exobe.com and stores-cn.exobe.com. The regular users (office users) are assigned the root domain as UPN and primary SMTP address. It it those users we want to migrate.

Change the subdomains root status

We need to set the subdomains as root domains. This can only be done by using Graph. In this example I am using Graph explorer but of course this can be done by scripting and is recommended if there are a lot of domains.

Run this in Graph and get the status of the subdomain:


You will most likely get an output like this:

    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#domains/$entity",
    "@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET domains('<key>')?$select=authenticationType,availabilityStatus",
    "authenticationType": "Managed",
    "availabilityStatus": null,
    "id": "stores-se.exobe.com",
    "isAdminManaged": true,
    "isDefault": false,
    "isInitial": false,
    "isRoot": false,
    "isVerified": true,
    "supportedServices": [
    "passwordValidityPeriodInDays": null,
    "passwordNotificationWindowInDays": null,
    "state": null

Now we are running the POST command to change “isRoot” to true. You need the tenant ID for this:

POST https://graph.microsoft.com/v1.0/{tenant-id}/domains/stores-se.exobe.com/promote

Once it’s done you should see the respons:

    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Edm.Boolean",
    "value": true

Removing stuff

Remove all references to the root domain in this case exobe.com. That can be done either in Entra ID portal or the admin portal. I prefer the admin portal. There you can see if and what objects that still depend on the domain.

After that Delete the domain and you can start adding it in the target tenant!

Sort of side note….

Leave a Reply

Your email address will not be published. Required fields are marked *