Verified domain removal caused strange AD changes?


I removed a verified domain from O365 Admin, and several hours later some users couldn't log in to their O365 accounts.

 

Their UserPrincipalName had been changed.

e.g.: "atester@my-new-domain.com"

to

"atester@my-old-domain.com"

 

OR

Their ProxyAddresses were changed:

e.g.: "SMTP:btester@my-new-domain.com", "smtp:btester@my-oldest-domain.com"

to

"SMTP:btester@my-oldest-domain.com", "smtp:btester@my-new-domain.com"

 

Some of those affected were members and/or had proxy emails with the removed domain; most were not. Not all users of the removed domain were affected either.

 

It looks like these changes were reverting to an older version of the property. I'm thinking that when I removed the domain from O365, the verified domain was unable to authenticate during Azure AD sync, telling our Server 2012 that those domains should not exist. So AD reverted. 

What doesn't make sense is that most of the users were not associated with this domain at all.

 

Any ideas? I ran an Azure AD audit log so I could see the users affected.
