Entra ID / Microsoft 365

Temp password generator and GoDaddy defederation runbook

Generate friendly temp passwords with ready Update-MgUser commands, then follow the command runbook to defederate a GoDaddy tenant.

Step 1: Generate temp passwords

Header rows and extra columns are detected and skipped. Duplicate addresses are removed automatically. Any account containing "dsg" (such as dsgadmin or a dsg domain) is flagged for review.

Reusing an existing list? If your pasted list already includes generated passwords (for example a list this tool produced earlier), those passwords are kept and no new ones are created for those users. Only users without a password get a fresh one.

Generated credentials (columns: Email address, Temp password, Password reset command)

Before you run these. Connect first with Connect-MgGraph -Scopes "User.ReadWrite.All". Resetting passwords for accounts that hold admin roles needs a higher privilege role such as Privileged Authentication Administrator. Passwords follow the format Capital word, two digits, exclamation point, which satisfies Entra complexity and the eight character minimum. Shared mailboxes without an interactive sign in usually should not get the change at next sign in flag.
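
The list handling and password format described above, as an added PowerShell example (not this tool's own code). The function name, word list, accepted column separators, the exact shape of the emitted Update-MgUser line and the sample rows are assumptions.

```powershell
# Added example: word list, function name and sample rows are constructed.
# Needs PowerShell 7+ (RandomNumberGenerator.GetInt32 is a CSPRNG call).
$Rng   = [System.Security.Cryptography.RandomNumberGenerator]
# Every word has 5+ letters, so word + 2 digits + "!" is never under 8 characters.
$Words = 'Maple','River','Falcon','Copper','Harbor','Meadow','Summit','Lantern'

function New-TempPasswordList {
    param([string[]]$Lines, [string[]]$WordList = $Words)
    $seen = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($line in $Lines) {
        $cols  = @($line -split '[,;\t]' | ForEach-Object { $_.Trim() })
        $email = $cols | Where-Object { $_ -match '^[^@\s]+@[^@\s]+\.[^@\s]+$' } |
                 Select-Object -First 1
        if (-not $email) { continue }             # header row or junk line
        if (-not $seen.Add($email)) { continue }  # duplicate address
        # Reuse a password already in the row if it has the page's format.
        $pw = $cols | Where-Object { $_ -cmatch '^[A-Z][a-z]+\d{2}!$' } |
              Select-Object -First 1
        if (-not $pw) {
            $word = $WordList[$Rng::GetInt32($WordList.Count)]
            $pw   = '{0}{1:D2}!' -f $word, ($Rng::GetInt32(100))
        }
        $id = $email.Replace("'", "''")           # safe inside single quotes
        [pscustomobject]@{
            Email        = $email
            TempPassword = $pw
            Review       = $email -match 'dsg'    # flagged for review, not skipped
            Command      = "Update-MgUser -UserId '$id' -PasswordProfile @{ " +
                "Password = '$pw'; ForceChangePasswordNextSignIn = `$true }"
        }
    }
}

# Constructed sample paste: header row, a duplicate, a reused password, a dsg account.
$pasted = @(
    'Email,Display name,Temp password'
    'alice@contoso.example,Alice A,'
    'ALICE@contoso.example,Alice A,'
    'bob@contoso.example,Bob B,River42!'
    'dsgadmin@contoso.example,DSG Admin,'
)
New-TempPasswordList -Lines $pasted | Format-List
```

The sample yields three rows: alice gets a new password, bob keeps River42!, and dsgadmin comes back with Review set to True.
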
Step 2: GoDaddy defederation runbook

B Create your migration admin

Sign in to entra.microsoft.com using the current GoDaddy admin credentials. That account is limited and gets redirected, so create a fresh Global Admin you fully control and use it for the rest of this process, including PowerShell authentication.

  • At entra.microsoft.com, go to Microsoft Entra ID > Users > New user > Create new user.
  • Set the user principal name to migrationadmin@<tenant>.onmicrosoft.com. Use the onmicrosoft domain so the account is never caught up in federation.
  • Set a strong password you control and record it.
  • Assign the Global Administrator role: Entra ID > Roles and administrators > Global Administrator > Add assignment (or assign it during creation).
  • Sign out, then sign in as migrationadmin to confirm it works. This is the account you authenticate with in Phase C.

C Remove federation with GoDaddy

Confirm first. Every user needs their new password ready before this step. Once the domain flips to Managed, the old GoDaddy credentials stop working.

Sign in as the migrationadmin account from Phase B. Run PowerShell as administrator and run each line in order.

1 · Install the Graph directory module (skip if already installed)
Install-Module -Name Microsoft.Graph.Identity.DirectoryManagement
2 · Connect as migrationadmin
Connect-MgGraph -Scopes "Directory.Read.All","Domain.Read.All","Domain.ReadWrite.All","Directory.AccessAsUser.All"
3 · Confirm the domain currently reports Federated
Get-MgDomain
4 · Defederate: flip the domain to Managed
Update-MgDomain -DomainId "yourdomain.com" -AuthenticationType Managed
5 · Re-check, it should now report Managed
Get-MgDomain
All domains must be Managed. Every domain in the tenant has to end up Managed for this to work, including any no longer in use. Run step 4 for each federated domain.

D Reset user passwords

Use the per-user reset commands from the list generated at the top of this page. The Copy all User Reset commands button hands you every Update-MgUser line ready to paste, or use the Copy button on a single row. Connect first, then run those lines.

Connect with password write scope
Connect-MgGraph -Scopes "User.ReadWrite.All"

Then paste the generated Update-MgUser lines. Review any rows flagged as DSG accounts before resetting them, since those are likely your own management accounts rather than client users.

E Add a provider and provision licensing

Once managed, attach a CSP using the partner's delegated admin invite link, or go direct to Microsoft at admin.microsoft.com > Billing > Purchase services. If you keep the same SKUs, just provision the same seat count, no reassignment needed. If you are changing SKUs (for example Business Standard to Business Premium), order the new licensing then bulk assign the new licenses and unassign the GoDaddy ones under Users > Active users.

Proofpoint warning. If the GoDaddy plan bundled email security, mail is routed through Proofpoint via the MX record. If you cancel without repointing MX to Microsoft, mail goes down. Update the MX in DNS to Microsoft (admin.cloud.microsoft/#/Domains shows the correct record) and remove any Proofpoint transport rule and outbound connector in the Exchange admin center.

F Remove GoDaddy access, in this order

Order matters. Remove GoDaddy's delegated admin and delete their admin user BEFORE cancelling. If you cancel first, GoDaddy can run a script that deletes all users and removes the primary domain. It is recoverable, but it means rework and downtime.
  • M365 admin center > Settings > Partner relationships > GoDaddy > Roles > remove their roles.
  • Delete GoDaddy's admin user from the tenant.
  • New as of Nov 2025: in entra.microsoft.com > Enterprise applications, clear the default filter, search for Partner Center Web App, open Properties and Delete it. GoDaddy can otherwise use this app to write to the tenant even after delegated admin is removed.
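
A check to run before Phase G, as an added PowerShell example (not part of the original runbook): it reports any domain that is still not Managed (Phase C) and any remaining Partner Center Web App service principal (Phase F). The function name and the sample objects are assumptions; the property names are those returned by Get-MgDomain and Get-MgServicePrincipal.

```powershell
# Added example: function name and sample objects are constructed.
function Test-PreCancelState {
    param([object[]]$Domains, [object[]]$ServicePrincipals)
    foreach ($d in $Domains) {
        if ($d.AuthenticationType -ne 'Managed') {
            [pscustomobject]@{
                Check = 'Domain not Managed'
                Item  = $d.Id
                Fix   = "Update-MgDomain -DomainId '$($d.Id)' -AuthenticationType Managed"
            }
        }
    }
    foreach ($sp in $ServicePrincipals) {
        if ($sp.DisplayName -eq 'Partner Center Web App') {
            [pscustomobject]@{
                Check = 'Partner app still present'
                Item  = "$($sp.DisplayName) ($($sp.Id))"
                Fix   = 'Delete it under Enterprise applications (Phase F)'
            }
        }
    }
}

# Constructed sample shaped like Get-MgDomain / Get-MgServicePrincipal output.
$domains = @(
    [pscustomobject]@{ Id = 'contoso.onmicrosoft.com'; AuthenticationType = 'Managed' }
    [pscustomobject]@{ Id = 'contoso.example';         AuthenticationType = 'Managed' }
    [pscustomobject]@{ Id = 'old-brand.example';       AuthenticationType = 'Federated' }
)
$apps = @(
    [pscustomobject]@{ Id          = '00000000-0000-0000-0000-000000000000'
                       DisplayName = 'Partner Center Web App' }
)
$findings = @(Test-PreCancelState -Domains $domains -ServicePrincipals $apps)
$findings | Format-List
if ($findings.Count -eq 0) { 'No findings: ready for Phase G.' }

# Against a live tenant (needs Domain.Read.All and Application.Read.All):
#   Test-PreCancelState -Domains (Get-MgDomain) -ServicePrincipals (
#       Get-MgServicePrincipal -Filter "displayName eq 'Partner Center Web App'")
```

With the sample data it returns two findings: old-brand.example is still Federated, and the Partner Center Web App service principal is still present.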

G Cancel in GoDaddy

Cancel the renewal in GoDaddy billing (account.godaddy.com/myrenewals). The subscription expires at end of term and the tenant stays put under your CSP or direct billing, with full admin functionality restored.
