Splitting sub and root domains
In a project for a customer I was doing a T2T migration but, since this was a fashion retailer with a lot of stores we needed to find a way to slowly move the computers in the stores. During the migration we will move the root domain exobe.com. But since all accounts including the ones that are used in the store are in subdomains they are dependant on the root domain.
The devices in the stores are Windows 11 and Entra ID joined only. So it complicates if we pull down the old tenant in one go. Reinstalling 400 devices in more or less 200 locations would even with a lot of staff generate downtime. We need to be able to split the domains between tenants.
We need to do two things here before removing the root domain from the tenant. Set the subdomains as Root and clear all references to the root domains on objects. Users, groups, apps etc etc.
Preparations
In the tenant we had two subdomains stores-se.exobe.com and stores-cn.exobe.com. The regular users (office users) are assigned the root domain as UPN and primary SMTP address. It it those users we want to migrate.
Change the subdomains root status
We need to set the subdomains as root domains. This can only be done by using Graph. In this example I am using Graph explorer but of course this can be done by scripting and is recommended if there are a lot of domains.
Run this in Graph and get the status of the subdomain:
https://graph.microsoft.com/v1.0/domains/stores-se.exobe.comYou will most likely get an output like this:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#domains/$entity",
"@microsoft.graph.tips": "Use $select to choose only the properties your app needs, as this can lead to performance improvements. For example: GET domains('<key>')?$select=authenticationType,availabilityStatus",
"authenticationType": "Managed",
"availabilityStatus": null,
"id": "stores-se.exobe.com",
"isAdminManaged": true,
"isDefault": false,
"isInitial": false,
"isRoot": false,
"isVerified": true,
"supportedServices": [
"Email"
],
"passwordValidityPeriodInDays": null,
"passwordNotificationWindowInDays": null,
"state": null
}Now we are running the POST command to change “isRoot” to true. You need the tenant ID for this:
POST https://graph.microsoft.com/v1.0/{tenant-id}/domains/stores-se.exobe.com/promoteOnce it’s done you should see the respons:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#Edm.Boolean",
"value": true
}Removing stuff
Remove all references to the root domain in this case exobe.com. That can be done either in Entra ID portal or the admin portal. I prefer the admin portal. There you can see if and what objects that still depend on the domain.
After that Delete the domain and you can start adding it in the target tenant!
Sort of side note….
- This is not a supported way. But it has worked multiple times for me.
You cannot remove a domain that has subdomains – Microsoft 365 | Microsoft Learn - You need high permisisons in graph: Domain.ReadWrite.All
Remember to cleanup - This is done on managed domains, not federated.
- Remember to do it on all subdomains of the root you want to move.