GoDaddy defederation is the process of converting your Microsoft 365 domain from “Federated” (controlled by GoDaddy) to “Managed” (controlled directly by you and Microsoft), giving you full administrative access without necessarily moving any mailbox data. It’s the technical mechanism behind most “move away from GoDaddy” requests, and when done correctly, your email, files, and calendar data are untouched — only who manages the tenant changes. Here’s exactly what it involves, the risks nobody mentions upfront, and how to avoid the mistake that causes the most damage.

What Is Federation, and Why Does GoDaddy Use It?
Definition: Federation is an authentication arrangement where sign-in for your domain is handled by a third party — in this case, GoDaddy — instead of directly by Microsoft. When you buy a Microsoft 365 subscription bundled with your domain through GoDaddy, GoDaddy federates that domain and tenant, which is what makes it unable to transfer under the CSP program or move direct to Microsoft without first breaking that connection.
In plain terms: your mailboxes and tenant technically live in Microsoft’s cloud, but sign-in, support, and admin access are routed through GoDaddy. Defederation breaks that routing so you sign in, get support, and manage settings directly with Microsoft (or a new partner) instead.
How to Tell If Your Tenant Is Federated
You can check in two ways:
- Admin Center check: Go to the Microsoft 365 Admin Center → Settings → Domains, select your domain, and look at the authentication method. If it says “Managed by GoDaddy” or shows Federated, you’re still connected.
- PowerShell check: Using Microsoft Graph PowerShell or the legacy MSOnline module, an admin can query domain authentication status — if it returns Federated for your custom domain, defederation is required before any migration tool can connect.
A simpler giveaway: if your admin sign-in URL redirects through sso.godaddy.com or through godaddy.com before reaching Microsoft, your domain is federated.
Why Defederation Matters Even If You’re Not Migrating Anywhere
A common misconception is that defederation is only needed if you’re switching to a brand-new platform. In reality, it matters for three separate reasons:
- Migration tools require it. Third-party migration platforms attempt to authenticate using Microsoft’s standard OAuth endpoint — but a federated domain redirects to GoDaddy’s SSO instead, which doesn’t complete the handshake. Native Microsoft migration wizards fail for the same reason: they can’t verify admin access to source mailboxes through the federation layer.
- Security control is limited. While federated, GoDaddy holds delegated admin access and sits between you and Microsoft on policy decisions — limiting your ability to fully enforce Conditional Access, security defaults, and licensing changes.
- Support is indirect. Issues get routed back to GoDaddy first, even for problems that are purely Microsoft-side, which slows resolution.
Defederation vs. Full Migration: Which Do You Need?
| Factor | Defederation Only | Full Tenant Migration |
|---|---|---|
| Data moved | None — same tenant, same mailboxes | Everything — new tenant, new mailboxes |
| Use case | You want to keep your current tenant but control it directly | You want a clean start or defederation isn’t offered |
| Technical complexity | Moderate — password resets, DNS, admin handoff | Higher — full mailbox/calendar/file transfer |
| Risk profile | Low if delegated admin is removed correctly | Low if staged and backed up properly |
| Typical timeframe | 60–90 minutes of active work, plus 24–48 hrs DNS propagation | Days to weeks depending on size |
If your goal is simply “I want to control my own tenant and stop dealing with GoDaddy,” defederation is almost always the right call — it’s faster, cheaper, and doesn’t touch your data at all.
How the Defederation Process Works: Step-by-Step
Important: Microsoft’s own documentation states that Microsoft and GoDaddy do not support unauthorized non-Microsoft sites or steps for completing defederation, and recommends following GoDaddy’s official guidance or contacting support directly if you run into trouble. The phases below describe what the process involves at a high level so you know what to expect — for the actual execution, use GoDaddy’s official “move away” workflow, your Microsoft 365 Admin Center Help & Support assistant, or a qualified IT professional rather than improvising with unofficial scripts.
Phase A: Prepare Your Users
- Notify every user in advance — defederation forces a password reset for the entire organization
- Schedule the change during non-business hours to minimize disruption
- Collect or pre-stage new passwords where possible
- Confirm whether GoDaddy provides any bundled email security filtering (commonly Proofpoint) tied to your MX records, since this affects a later step
Phase B: Confirm Admin Access
- Verify you (or your IT partner) have Global Admin rights on the tenant
- Confirm access to the admin account GoDaddy originally provisioned
Phase C: Convert the Domain from Federated to Managed
This is the core technical action — changing the domain’s authentication type so Microsoft, not GoDaddy, governs sign-in. This step should only be performed by someone comfortable with Microsoft’s official tools and documentation, since getting it wrong can affect sign-in across SharePoint, Outlook, and Teams simultaneously.
Phase D: Reset User Passwords
Every user must reset their password once the domain is converted to Managed — there’s no way around this step, since federated sign-in is being replaced entirely.
Phase E: Add Licensing
Once defederated, you have two licensing paths:
- Go direct to Microsoft and purchase the same subscription tier yourself
- Partner with a CSP (Cloud Solution Provider) or MSP, who becomes your delegated admin and provisions licensing on your behalf
Either way, if you’re keeping the same subscription level, you generally just need to provision the same number of seats you have today.
Phase F: Update DNS and Email Security Settings
- Locate the correct MX record in the Microsoft 365 Admin Center under Domains
- Update your DNS host (often GoDaddy itself, even post-defederation, if you keep domain registration there) with the new MX record
- Update SPF, DKIM, DMARC, and Autodiscover records to point to the new configuration
- If GoDaddy’s plan included Proofpoint-based email security, additional configuration is required — don’t assume this carries over automatically
- Allow 24–48 hours for DNS propagation, and monitor mail flow closely during this window
Phase G: Remove GoDaddy as Delegated Admin
This step is the most commonly mishandled part of the entire process — see the warning below before proceeding.
Phase H: Cancel the GoDaddy Subscription
Only after delegated admin access and any GoDaddy enterprise applications have been fully removed.
The #1 Mistake That Causes Data Loss and Downtime
Critical Safety Warning: If you cancel your GoDaddy subscription before removing GoDaddy as delegated admin, GoDaddy’s systems may run an automated offboarding script that deletes users in the account and removes the primary domain. This is generally recoverable, but it creates significant extra work and real downtime that a correctly sequenced process avoids entirely.
The sequence that protects you:
- Defederate the domain
- Reset passwords
- Add new licensing (direct or via CSP)
- Remove GoDaddy as delegated admin and delete GoDaddy’s admin user from the account
- Only then cancel the GoDaddy subscription
Skipping straight from step 3 to step 5 — a very easy mistake under time pressure — is the single most damaging error in this entire process.
Special Cases That Complicate Defederation
Real-world environments aren’t always simple, and these scenarios deserve extra caution:
- Multiple domains. If your tenant has more than one domain set up through GoDaddy, each one must be defederated individually — converting one doesn’t automatically affect the others.
- Hybrid Active Directory environments. If you’re syncing on-premises AD with Microsoft 365 using Entra Connect (formerly Azure AD Connect), your authentication flow is already customized. Defederating without planning around this can cause login or sync failures. Document your hybrid setup and test in a non-production window if at all possible.
- GoDaddy Workspace Email (not Microsoft 365). If you purchased GoDaddy’s legacy hosted email product rather than a Microsoft 365 reseller plan, federation doesn’t apply to you at all — that’s a standard IMAP migration, not a defederation.
- NETORGFT domains. Some newer GoDaddy-issued tenants federate the default onmicrosoft.com-style domain as well as the custom domain, which can complicate admin sign-in during the process and may require creating a separate admin account first.
Common Mistakes to Avoid
- Cancelling GoDaddy before removing delegated admin access — covered above, and worth repeating because it’s the most frequent cause of real damage
- Forgetting bundled email security — assuming Proofpoint or similar filtering will “just keep working” after MX records change
- Not warning users about the mandatory password reset — without notice, you’ll get a wave of “I can’t log in” tickets the next business day
- Treating all domains as defederated after handling just one — each federated domain needs its own conversion
- Ignoring hybrid AD sync implications — this surprises more organizations than almost any other step
- Using unauthorized third-party scripts found online — per Microsoft’s own guidance, stick to official GoDaddy documentation, Microsoft support channels, or a qualified professional
Costs to Expect
Defederation itself doesn’t require purchasing new migration tools since no data moves — but budget for these realistic costs:
| Item | Typical Cost |
|---|---|
| Defederation labor (DIY, internal IT time) | A few hours of admin time |
| Defederation labor (professional/MSP-assisted) | $300 – $1,500 for small-to-mid orgs |
| New Microsoft 365 licensing (direct or CSP) | Varies by plan; often comparable to or lower than GoDaddy’s bundled pricing |
| Email security reconfiguration (if Proofpoint or similar was bundled) | Varies — may require new licensing for equivalent protection |
| Downtime/remediation cost if delegated admin removal is skipped | Significant — full re-provisioning and password resets, plus lost productivity |
The clearest cost lesson here: getting the sequence right costs little; getting it wrong costs a lot.
Prevention Tips and Post-Defederation Maintenance
Once you’re fully defederated and in control of your own tenant:
- Enable MFA and Conditional Access immediately — this is usually the entire point of leaving GoDaddy’s managed environment, so don’t delay it
- Audit and remove any leftover GoDaddy enterprise applications from your Entra/Azure AD app registrations
- Re-verify your DNS records (MX, SPF, DKIM, DMARC) a week after cutover, not just on day one
- Document your new tenant configuration — admin contacts, licensing source, and support escalation path
- Set a recurring reminder to review licensing every 6–12 months, since direct or CSP pricing flexibility is one of the main benefits you just gained
- Confirm email security parity — if you lost Proofpoint-style filtering, make sure Microsoft Defender for Office 365 or another solution is properly configured
When to Call a Professional
Strongly consider professional help if any of these apply:
- You rely heavily on GoDaddy-bundled services (hosting, website builder, marketing tools) tied to the same Microsoft 365 subscription, and don’t yet have a replacement plan
- You’re mid-contract with GoDaddy and unsure about early termination implications
- You have no in-house IT support or MSP partner — defederation requires technical precision, and an error in DNS or the federation conversion itself can cause real outages
- Your environment includes hybrid Active Directory / Entra Connect sync
- Your tenant has multiple domains that all need individual defederation
- You’re not fully confident about the correct order of operations for removing delegated admin before cancellation
Given that the most damaging mistake in this entire process is sequencing-related, not technical-skill-related, even experienced admins benefit from a second set of eyes before pulling the trigger on cancellation.
Why Choose IT Support Bee for Your GoDaddy Defederation
This is exactly the kind of project where a wrong step order causes outsized damage relative to a fairly short, simple-looking task list. Here’s how we approach it:
We Sequence It Correctly, Every Time The single biggest risk in defederation is cancelling GoDaddy before removing delegated admin access. We treat that order as non-negotiable and verify it before any cancellation request goes out.
We Audit Bundled Services First Email security (Proofpoint), hosting, and marketing tools tied to your GoDaddy Microsoft 365 plan get identified and addressed before defederation begins — not discovered afterward.
We Handle Hybrid and Multi-Domain Complexity If you’re running Entra Connect sync or have multiple federated domains, we plan around it instead of treating your environment as a simple template case.
We Follow Official Guidance Per Microsoft’s own recommendation, we rely on official GoDaddy and Microsoft processes and support channels rather than improvised third-party scripts.
Minimal Disruption, Clear Communication We schedule the password-reset wave for off-hours and give your team clear instructions in advance, so you don’t get hit with a flood of login tickets the next morning.
Internal Linking Suggestions
- “GoDaddy to Microsoft 365 migration services” → IT Support Bee Services
- “Microsoft 365 tenant management” → IT Support Bee Services
- “GoDaddy 365 to Microsoft 365 migration guide” → (related blog post)
- “managed IT services” → IT Support Bee Services
- “email security and Conditional Access setup” → IT Support Bee Services
- “system administration and tenant support” → IT Support Bee Services
Ready to Take Full Control of Your Microsoft 365 Tenant?
Defederating from GoDaddy is a short project with a long list of small details that matter — and getting even one out of order can mean real downtime. IT Support Bee will assess your current GoDaddy setup, flag every bundled service that needs handling, and walk the defederation through in the correct sequence from start to finish.
Get a free assessment of your GoDaddy tenant and a clear defederation plan.
👉 Explore Our IT Services and Get Started →
Frequently Asked Questions
Q1: What does “defederating” a Microsoft 365 tenant from GoDaddy actually mean? It means converting your domain’s authentication setting from “Federated” (controlled by GoDaddy) to “Managed” (controlled directly by you and Microsoft), without necessarily moving any data.
Q2: Will I lose my email, files, or calendar data during defederation? No — defederation changes who manages sign-in and administration, not where your data lives, so your mailboxes, files, and calendars remain intact.
Q3: Do all users need to reset their passwords? Yes — converting from federated to managed authentication requires every user in the tenant to reset their password before they can sign back in.
Q4: What happens if I cancel my GoDaddy subscription too early? If delegated admin access isn’t removed first, GoDaddy’s systems may run an automated process that deletes users and removes your primary domain, creating real downtime and extra recovery work.
Q5: How long does the defederation process take? The active technical work typically takes 60–90 minutes, with an additional 24–48 hours required for DNS propagation to fully complete.
Q6: Can I do defederation myself, or do I need a professional? Technically capable admins can attempt it using official Microsoft and GoDaddy guidance, but the step ordering is unforgiving enough that many businesses choose to bring in a professional to avoid costly sequencing mistakes.
Q7: Is defederation the same as migrating to a new Microsoft 365 tenant? No — defederation keeps your existing tenant and data in place while changing who manages it, whereas a full migration moves everything into a brand-new tenant.