Verified domain removal caused strange AD changes?

Chrisjdahl
Visitor

I removed a verified domain from O365 Admin, and several hours later some users couldn't log in to their O365 accounts.

Their UserPrincipalName had been changed.

e.g.: "atester@my-new-domain.com"

to

"atester@my-old-domain.com"

OR

Their ProxyAddresses were changed:

e.g.: "SMTP:btester@my-new-domain.com", "smtp:btester@my-oldest-domain.com"

to

"SMTP:btester@my-oldest-domain.com", "smtp:btester@my-new-domain.com"

 

Some of those affected were members and/or had proxy emails with the removed domain; most were not. Not all users of the removed domain were affected either.

It looks like these changes were reverting to an older version of the property. I'm thinking that when I removed the domain from O365, the verified domain was unable to authenticate during Azure AD sync, telling our Server 2012 that those domains should not exist. So AD reverted.

What doesn't make sense is that most of the users were not associated with this domain at all.

Any ideas? I ran an Azure AD audit log so I could see the users affected.
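
Added example, not part of the original post: a small triage script that compares before/after snapshots of UserPrincipalName and ProxyAddresses and labels each user as a UPN change or a primary-SMTP swap, and notes whether the user ever referenced the removed domain. The snapshot records, the `REMOVED_DOMAIN` placeholder and all function names are assumptions made for illustration; the post does not name the removed domain.

```python
# Added example. All records are constructed; REMOVED_DOMAIN is a placeholder.
REMOVED_DOMAIN = "removed-domain.example"

def domain(addr):
    return addr.rsplit("@", 1)[-1].lower()

def split_proxies(proxies):
    """Return (primary, all SMTP addresses); 'SMTP:' is primary, 'smtp:' an alias."""
    primary, addrs = None, set()
    for p in proxies:
        prefix, _, addr = p.partition(":")
        if prefix.lower() != "smtp":
            continue  # skip X500, SIP and other address types
        addrs.add(addr.lower())
        if prefix == "SMTP":
            primary = addr.lower()
    return primary, addrs

def classify(before, after):
    """Label what changed for one user between two attribute snapshots."""
    findings = []
    if before["upn"].lower() != after["upn"].lower():
        findings.append("upn_changed")
    b_primary, b_all = split_proxies(before["proxies"])
    a_primary, a_all = split_proxies(after["proxies"])
    if b_primary != a_primary:
        # Same address set with a different primary is a swap, as in the post.
        findings.append("primary_swapped" if b_all == a_all else "primary_changed")
    elif b_all != a_all:
        findings.append("aliases_changed")
    used = {domain(before["upn"])} | {domain(a) for a in b_all}
    findings.append("uses_removed_domain" if REMOVED_DOMAIN in used else "no_removed_domain")
    return findings

SNAPSHOTS = {  # constructed (before, after) pairs using the post's sample addresses
    "atester": (
        {"upn": "atester@my-new-domain.com", "proxies": ["SMTP:atester@my-new-domain.com"]},
        {"upn": "atester@my-old-domain.com", "proxies": ["SMTP:atester@my-new-domain.com"]}),
    "btester": (
        {"upn": "btester@my-new-domain.com",
         "proxies": ["SMTP:btester@my-new-domain.com", "smtp:btester@my-oldest-domain.com"]},
        {"upn": "btester@my-new-domain.com",
         "proxies": ["SMTP:btester@my-oldest-domain.com", "smtp:btester@my-new-domain.com"]}),
}

def triage(snapshots=SNAPSHOTS):
    return {user: classify(b, a) for user, (b, a) in snapshots.items()}

if __name__ == "__main__":
    print(triage())
```

Grouping users by these labels separates the accounts that never touched the removed domain from those that did, which is the split the post is trying to explain.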
