Office 365 Shadow Tenants – Sorry, you can’t add domain.com here because it’s already in use


 

This issue has come up a number of times with my clients. We are unable to add and verify production domains to a production tenant because someone in the organization has used their company email address to sign up for a trial PowerBI (or similar) account. Because of the way Office 365 is set up, signing up for one of those trials creates a shadow tenant, and your domain is locked (unverified) to that tenant. In my example, I have opened a trial for PowerBI using an email address (kelsey.epps@office365testing.org) that hasn’t been registered with my production Office 365 tenant. Now, when I try to add the domain (office365testing.org) to my production Office 365 tenant, I get the error below (in red, and in the screenshot). This is because the shadow tenant that was created for the PowerBI trial is using that domain.

In order to resolve this, you will need to do an admin takeover of the shadow tenant and then release the domain so that it can be registered to your Office 365 tenant. This involves you opening another trial to PowerBI, taking admin ownership and verifying the domain in the shadow tenant, removing the domain from the shadow tenant and then adding and verifying it into your tenant.

 

Sorry, you can’t add domain.com here because it’s already in use. If you own the domain.com domain and want to manage it, you have a couple of options.

 

 

Follow these instructions to remove the domain from the Shadow tenant and add it to your production tenant.

 

Navigate to https://powerbi.microsoft.com/

 

Enter your email address (one that includes the domain that you can’t add to your Office 365 tenant). My example is office365testing.org

 

Click ‘Use it free’

 

A confirmation email will be sent to your account. Click the link to verify the email address.

 

 

Enter your First Name, Last Name and a password. Click Start

 

The PowerBI setup process will kick off and your account will be added to the Shadow Tenant


 

Click the Office 365 waffle (app launcher)

Click the Admin Icon

 


 

This will take you to the admin take over webpage

Click ‘Yes, I want to be the admin’

 

Add the verification TXT record to your external DNS. Mine happens to be hosted on GoDaddy, so there are instructions for GoDaddy on the page.

 

 

Once the TXT record is added to public DNS, give it some time for replication. This is generally completed within 30 minutes, but can take up to 72 hours.

Click ‘Okay, I’ve added the record’

 

The process will now go out and verify that the TXT record supplied is added to public DNS. Once completed, your account will be added as the admin for the shadow tenant.

 

Click ‘Go to the Office 365 homepage’ or log in to https://portal.office.com with your account.

Once logged into the Office 365 Admin Portal, click Users -> Active Users

This will show you all the people that have opened trial accounts of PowerBI

 

In order to remove the domain, so that we can register it in the main tenant, you need to edit the users and change the UPN to the onmicrosoft.com domain (in my example – office365testingorg.onmicrosoft.com). This is required because none of the users can have the office365testing.org domain in use, if we want to remove the domain from this tenant. It’s recommended that you update all the users and then your admin account.

Double click a user and change the UPN to the domain.onmicrosoft.com address

Click Save

 

You may receive a warning. Click Yes

Repeat for all the users

Let your users know they still have their trial accounts, but the user name is now changed. This will allow them to remove their data.

 

Edit your admin account the same way

Click Yes to the warning

Click OK and sign out of the shadow tenant

Sign back in with the new user name (user@domain.onmicrosoft.com)

 

Click Domains and select the domain you want to remove (this is the domain that you want to add to your production tenant)

 

With the domain selected, click ‘Remove domain’

Click Yes

The domain will be removed from the shadow tenant and is now free to add to your tenant (give the process some replication time across the Microsoft backend servers).

Log out of the shadow tenant

 

Log in with your admin account to the production tenant where you were getting the error, and try to add the domain again. This time it should work without giving you the error. Please note that you will have to verify ownership again by adding the TXT record into public DNS.

 

Log in to the production tenant – https://portal.office.com

Navigate to domains

Click ‘+ Add domain’

 

Click ‘Let’s get started ->’

 

Add the newly released domain from the shadow tenant

Click Next

 

Verify domain ownership. Since I use GoDaddy, the process will allow me to sign into my GoDaddy account and verify, or use a TXT record in public DNS. Since I am lazy, I will just sign into GoDaddy and let automation rule my life. 😉

 

Success (and I forgot to screen shot the page before clicking next) … The domain is now verified and added to your production tenant. Step through the rest of the steps and now when viewing the domains in the production tenant, you will see it there and verified.
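For a shadow tenant with many trial users, the UPN changes and the domain removal described above can be scripted instead of clicked through. The following is an added example, not part of the original post; it assumes the Microsoft Graph PowerShell SDK is installed and that the admin takeover has already completed, and it uses the post's example domain names as placeholders.

```powershell
# Added example (not from the original post). Run as the shadow-tenant admin
# AFTER the admin takeover has completed.
# Assumptions: Microsoft Graph PowerShell SDK is installed; the two domain
# names are the post's example values and must be replaced with your own.
$Domain   = 'office365testing.org'                 # domain to release
$Fallback = 'office365testingorg.onmicrosoft.com'  # shadow tenant's initial domain
$DryRun   = $true                                  # set to $false to apply changes

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Domain.ReadWrite.All'
$me = (Get-MgContext).Account                      # UPN of the signed-in admin

# endsWith() on userPrincipalName is an advanced query, so it needs
# -ConsistencyLevel eventual together with -CountVariable.
$users = Get-MgUser -All -ConsistencyLevel eventual -CountVariable total `
    -Filter "endsWith(userPrincipalName,'@$Domain')"

# Ordinary users first, the signed-in admin last, as the post recommends
# ($false sorts before $true).
$ordered = @($users | Sort-Object { $_.UserPrincipalName -eq $me })

$log = foreach ($u in $ordered) {
    $new = '{0}@{1}' -f ($u.UserPrincipalName -split '@')[0], $Fallback
    Update-MgUser -UserId $u.Id -UserPrincipalName $new -WhatIf:$DryRun
    [pscustomobject]@{ OldUpn = $u.UserPrincipalName; NewUpn = $new }
}

# Keep the mapping: users need their new sign-in name to retrieve trial data.
$log | Export-Csv -Path .\upn-changes.csv -NoTypeInformation

# The domain cannot be removed while any user still has it in a UPN, so
# re-check before removing. The query index can lag behind the updates;
# rerun this part after a few minutes if it still reports users.
# (In a dry run nothing was renamed, so the warning branch is expected.)
$left = @(Get-MgUser -All -ConsistencyLevel eventual -CountVariable stillThere `
    -Filter "endsWith(userPrincipalName,'@$Domain')")

if ($left.Count -eq 0) {
    Remove-MgDomain -DomainId $Domain -WhatIf:$DryRun
} else {
    Write-Warning "$($left.Count) user(s) still use $Domain; domain not removed."
}
```

Review `upn-changes.csv` from a dry run before setting `$DryRun` to `$false`, and send each user their new sign-in name from that file.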

 

 

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps Office365 MVP


12 thoughts on “Office 365 Shadow Tenants – Sorry, you can’t add domain.com here because it’s already in use”

  1. Massimo M.

    Hi there!
    Very interesting article!
    MSPartner here, I have opened about 150 Office 365 tenants, I have played with domains and cross tenant migrations for our clients and what I have seen is that you can’t add a vanity domain on a tenant if that domain has already been validated (TXT verified!) with another existing tenant. If you just add a vanity domain but you don’t verify it with TXT record on a specific tenant, you still can add that domain to other tenants. The operation that locks the domain is the TXT validation. Once TXT is validated, the domain gets locked and you can’t add it to another tenant until you remove it from the source tenant.

    What I didn’t understand from reading your article is: in your scenario, did you validate the domain with TXT (or fake MX) record?

    Thanks!

    1. Kelsey Epps (Post author)

      In the post, I am showing that you cannot add a vanity domain if it’s associated with a shadow tenant. The shadow tenant is created when users create trial accounts for services like PowerBI. In order to register the domain in your own tenant, you have to do an admin takeover of the shadow tenant, which is basically verifying the domain (with TXT) in the shadow tenant. Once that is done, you remove the domain from the shadow tenant and add/verify (doesn’t matter how you verify; TXT, MX or automatic) the domain in your production tenant.

      1. Rohit

        Hi,

        I followed your article and it was helpful in many cases, but recently, when I try to enter my email address and open PowerBI, I do not see the admin tab there.

        Hence unable to take over the ownership

        Please suggest

        1. Kelsey Epps (Post author)

          I’d suggest that you open a service request with Microsoft. They can look in the back end and shed some light on why the admin button is gone.

  2. Mahesh

    Hi Kelsey,

    We have a client with which we have some sort of the same issue, wherein we have to add the verified domain to a new tenant and we do not have access to the old tenant (users can log in to Office 365 using their credentials but no one has admin access).
    They have the domain, i.e. DNS records, controls and everything; now they want to move to a new tenant with a completely new license & setup. But they are not able to verify the domain as it is already verified with the previous tenant. Even if we remove the records from DNS it doesn’t help.

    We tried using your above solution but as the user is not an admin user we don’t get the admin takeover page. Do you have any suggestion how to rectify this issue?

    Description :

    Tenant 1 : orginaltenant.onmicrosoft.com
    Domain : orginal.com – verified and default domain
    No one has access to Tenant Admin

    Tenant 2 : orginaltenant1.onmicrosoft.com
    Domain orginal.com – cannot verify as domain is already verified in other tenant

    TXT records & MX records all updated in DNS but cannot verify the domain.

    Can you help something?

  3. larry heier

    Thanks Kelsey. I just saw the same exact issue at a customer where 400+ users created Office 365 accounts and it created a company0.microsoft.com, but when we tried to verify DNS ownership to add company.com into the Office 365 tenant, it linked the company.com tenant into the shadow Office 365 tenant and made our admin account owner of this shadow tenant.

    We had to change all the accounts back to the @company0.onmicrosoft.com before we could delete the domain and assign it correctly to our real tenant of company.microsoft.com.

    Very weird and wondering what happens to the other accounts that were registered in the shadow tenant.

    -Larry

    1. Kelsey Epps (Post author)

      Yes, before you can remove the domain from the shadow tenant, you have to change all the accounts to not use that domain.

  4. Mike Grome

    I have a client that needs to leave the umbrella of a parent company’s 365 account but keep his email domain (not the parent company’s). Can I create a trial in the same way for this scenario and how will that affect email in existing accounts?

    1. Kelsey Epps (Post author)

      This sounds like a tenant to tenant migration type. I would create a new tenant for the client and migrate his email out of the parent company. Look at BitTitan for the tenant to tenant migration while keeping the same domain name.
