When attempting to prove ownership of a domain, administrators sometimes encounter a scenario where the domain is already associated with another tenant. It is possible that the domain is associated with an unmanaged (viral) tenant within Microsoft 365.
We provide documentation to administrators on how to convert the unmanaged tenant to managed and then remove the domain. https://learn.microsoft.com/en-us/entra/identity/users/domains-admin-takeover
The external takeover method relies on Microsoft Graph to complete the process. Unfortunately, the instructions currently contained in our published guidance no longer work. In this post I want to provide updated guidance on how to use Graph to perform the external takeover method.
In order to perform an external takeover, the account or Graph application you use must have the appropriate rights for domain management. The permissions supported by the domain verify action are documented here: https://learn.microsoft.com/en-us/graph/api/domain-verify?view=graph-rest-1.0&tabs=http. Domain.ReadWrite.All is the only permission supported for this action, for both delegated and application access. Please note that admin consent may be required in order to grant this permission.
Prior to performing the external admin takeover, the domain must already be added to the managed tenant and the DNS records required for validation must be in place and resolvable.
To perform the process of the external takeover we will:
- Connect to Microsoft Graph and specify the minimum permissions required.
- Create a URL to call domain verify.
- Create the body parameters for the domain verify POST so that forceTakeover is specified.
- Invoke the graph method and capture the results.
The code is as follows:
# Connect with only the scope the domain verify action supports.
Connect-MgGraph -Scopes "Domain.ReadWrite.All"
$domainID = "domainToTakeOver.com"
# The verify action is invoked on the domain resource itself.
$uri = "https://graph.microsoft.com/v1.0/domains/$domainID/verify"
# Hashtable literal is @{ ... } with no space after the @; forceTakeover is sent as a JSON boolean.
$body = @{ forceTakeover = $true } | ConvertTo-Json
$response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body
# Invoke-MgGraphRequest returns the domain object as a hashtable; print it as JSON for readability.
$response | ConvertTo-Json
On success the call returns the domain object for the managed tenant, with isVerified set to true. On failure Invoke-MgGraphRequest throws, and the exception message carries the Graph error returned by the service.
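The following is an added end-to-end example, not the original post's script, that ties the prerequisites above (domain added to the managed tenant, verification TXT record published) to the forceTakeover call, and retries against the beta endpoint when v1.0 rejects the call, as Tim's reply in the comments recommends. The domain name is a placeholder; the Graph calls used (POST /domains, GET /domains/{id}/verificationDnsRecords, POST /domains/{id}/verify) are the documented ones; and the Resolve-DnsName pre-check assumes a Windows host with the DnsClient module.

```powershell
# Added example, not the original post's script. Assumes the Microsoft.Graph
# PowerShell SDK is installed, the signed-in account is a Global Administrator of
# the managed tenant, and 'domainToTakeOver.com' is a placeholder domain name.
# Resolve-DnsName comes from the Windows DnsClient module.

function Invoke-ExternalDomainTakeover {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$DomainName)

    # 1. Connect with only the scope the domain verify action supports.
    Connect-MgGraph -Scopes 'Domain.ReadWrite.All'

    # 2. Make sure the domain is present in the managed tenant (unverified is fine).
    #    Invoke-MgGraphRequest throws on a 404, which is how "not yet added" is detected.
    $base = 'https://graph.microsoft.com/v1.0'
    try {
        $domain = Invoke-MgGraphRequest -Method GET -Uri "$base/domains/$DomainName"
    } catch {
        Write-Verbose "$DomainName is not in this tenant yet; adding it."
        $domain = Invoke-MgGraphRequest -Method POST -Uri "$base/domains" `
            -Body (@{ id = $DomainName } | ConvertTo-Json)
    }
    if ($domain.isVerified) {
        Write-Warning "$DomainName is already verified here; nothing to take over."
        return $domain
    }

    # 3. Fetch the TXT value Graph expects and confirm it is live in public DNS.
    #    Calling verify before the record resolves fails regardless of forceTakeover.
    $records  = Invoke-MgGraphRequest -Method GET -Uri "$base/domains/$DomainName/verificationDnsRecords"
    $expected = ($records.value | Where-Object { $_.recordType -eq 'Txt' } | Select-Object -First 1).text
    $published = @(Resolve-DnsName -Name $DomainName -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings })
    if ($published -notcontains $expected) {
        throw "TXT record '$expected' for $DomainName is not resolvable yet; publish it and retry."
    }

    # 4. Verify with forceTakeover. Try v1.0 first and fall back to beta, since the
    #    comments on this post report the v1.0 endpoint rejecting the parameter.
    $body = @{ forceTakeover = $true } | ConvertTo-Json
    foreach ($version in @('v1.0', 'beta')) {
        $uri = "https://graph.microsoft.com/$version/domains/$DomainName/verify"
        try {
            $response = Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body
            # 5. A successful call returns the domain object with isVerified = true.
            if ($response.isVerified) {
                Write-Verbose "$DomainName verified via the $version endpoint."
                return $response
            }
            Write-Warning "$version endpoint returned but isVerified is still false."
        } catch {
            Write-Warning "$version verify failed: $($_.Exception.Message)"
        }
    }
    throw "External takeover of $DomainName failed on both the v1.0 and beta endpoints."
}

# Usage (placeholder domain); the returned domain object is printed as JSON.
Invoke-ExternalDomainTakeover -DomainName 'domainToTakeOver.com' -Verbose |
    ConvertTo-Json -Depth 5
```

The DNS pre-check is there because the most common reason a verify call fails has nothing to do with forceTakeover: the TXT record has simply not propagated yet. Checking it locally first separates that case from a genuine rejection of the takeover, which is the only case where trying the beta endpoint is worth anything.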
Hi, firstly thank you for the information. I have been trying this without success – specifically, the forceTakeover parameter is failing.
Has anyone else had any success with this forceTakeover process since the ceasing of MSOL – Confirm-MsolDomain?
Thank you
Andrew:
Use the script with the beta endpoint. There have been issues with the 1.0 endpoint.
This is why the post says try both if the first fails.
Tim