Can't do a Domain Takeover in Microsoft Entra, after original Power BI user lost access to account

Question

Can't do a Domain Takeover in Microsoft Entra, after original Power BI user lost access to account

Juan Pinzon 40

One of our users created a Power BI account some time ago using our company domain. He has lost access to his Microsoft account because he lost his 2FA device. Now I'm trying to do a domain takeover using the Custom Domain Names option in Azure Console, but it hasn't worked. I've ensured the TXT and MX settings in our domain, using CloudFlare, but still no success.Azure Entra instructions:

User's image

-------

Cloudflare DNS Configuration

User's image

TXT Lookup

User's image

Accepted answer

0 additional answers

Your answer

Answer 1

Janaki Kota 790 Microsoft External Staff

Hello Juan Pinzon,

Thank you for reaching out to Microsoft Q&A.

We understand that one of our users created a Power BI account using your company domain to which they have lost access, so you would like to do domain takeover using the Custom Domain Names option in Azure Console, but it is throwing an error below:

“Unable to verify domain name. Ensure you have added the record above at the registrar and try again in a little while. Click here for more information.”

There are few scenarios where you will notice an error like above:

A potential propagation delay. You need to wait at least an hour and try again. DNS records must propagate before you can verify the domain. This process can take an hour or more.

Go back to the domain name registrar site. Make sure the entry is there, and that it matches the DNS entry information provided in the Microsoft Entra admin center.

A domain name can only be verified in one directory. If your domain name is currently verified in another directory, it can't also be verified in the new directory. To fix this duplication problem, you must delete the domain name from the old directory.

If your users have activated Power BI through self-service sign-up and created an unmanaged tenant for your organization, you must take over management as an internal or external admin, using PowerShell.

Source document for more information: https://learn.microsoft.com/en-us/entra/fundamentals/add-custom-domain

Hope this helps. Do let us know if you any further queries.

Thanks & Best Regards

Janaki Kota

Janaki Kota 790 Reputation points Microsoft External Staff

2025-02-10T08:13:29.1033333+00:00

Hello Juan Pinzon,

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Janaki Kota 790 Reputation points Microsoft External Staff

2025-02-11T06:33:13.5733333+00:00

Hello Juan Pinzon,

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Juan Pinzon 0 Reputation points

2025-02-17T18:06:03.51+00:00

Hi Janaki, thanks for your support. Unfortunately, I've ensured that propagation takes place, and even though it has completed across all servers, I haven't been able to do the takeover. I can't complete through PowerShell either, since we don't have the credentials of the Microsoft account originally used.
Janaki Kota 790 Reputation points Microsoft External Staff

2025-02-19T07:14:27.7766667+00:00

Hello Juan Pinzon,

Thanks for the response.

As mentioned above, a domain name can only be verified in one directory. If your domain name is currently verified in another directory, it can't also be verified in the new directory. Could you please check if you are able to delink the domain from Cloudflare end and check if it can be verified in azure? As an other alternative, any global admin in that old directory can either make the changes to that domain or re-register the account for MFA.If the above scenario doesn't work for you, this further qualifies as a tenant lockout. To resolve this, we need to engage the Data Protection team via a support ticket to unblock your access.

Hope this helps. Do let us know if you any further queries.
Juan Pinzon 0 Reputation points

2025-02-19T22:49:42.29+00:00

I did unlink all previous TXT entries with the MS prefix in Cloudflare, and added the new one given to me by Entra, with no success. Unfortunately, that old global admin has lost his MFA. I haven't tried re-registering their MFA though; how can we accomplish this? We've resetted the password, but the MFA is still the blocker. How could I engage the Data Protection team? I've tried to create a support ticket, but since my user is no a part of the paying organization it wont allow me to create one
Janaki Kota 790 Reputation points Microsoft External Staff

2025-02-20T11:10:51.75+00:00
Hello Juan Pinzon,

Thanks for the response.

Please follow the below steps re-register the MFA.

Navigate to portal.azure.com with your nonprofit admin account.

Select Microsoft Entra ID

Select the drop-down for Manage

In the left-hand menu bar select Users > Select the user's name that you want to reregister to MFA.

Once in their profile, select Manage MFA authentication methods

Select Require re-register multifactor authentication

After this you should be able to re-register the MFA of that account. Kindly let us know if this is working for you.

If the above steps didn't resolve the issue, as you have mentioned that you will not be able to create a support ticket, we will check with the internal team and help further on it.

Hope this helps. Do let us know if you any further queries.
Juan Pinzon 0 Reputation points

2025-02-20T18:55:19.1+00:00

The problem for that is, our only admin is the one who lost the access 🥲
Raja Pothuraju 17,250 Reputation points Microsoft External Staff

2025-02-21T21:14:36.7466667+00:00
Hello @Juan Pinzon,

Thank you for your response.

Based on your description, it looks like you created a tenant using a Power BI account, but the user lost access due to incomplete MFA setup. Now, when you try to add your custom domain to a new tenant after removing the old TXT and MX records from Cloudflare and adding the new ones, the verification fails. This is expected because your custom domain is still verified in the old tenant, preventing it from being verified in the new one.

In this situation, there are two possible solutions, both requiring assistance from our Data Protection support team:

You can request a support engineer to remove the custom domain in old tenant, allowing you to verify the same custom domain in the new tenant by adding the TXT and MX records in Cloudflare.

Alternatively, you can ask the Data Protection team to reset your MFA, enabling you to log in and remove the custom domain from the old tenant. Once removed, you can then verify the domain in the new tenant.

Please let me know how you’d like to proceed.

To move forward, I’ll need a few details from you. Since this includes Personally Identifiable Information (PII), please share the following via private message:

Contact phone number

Contact email address

Global admin email address (affected account)

Custom domain name

Country

Time zone

Once I receive these details, we can connect offline to discuss further and assist you in resolving the issue.
Raja Pothuraju 17,250 Reputation points Microsoft External Staff

2025-02-23T21:42:47.42+00:00

Hello @Juan Pinzon,

Thank you for sharing required information on your issue.

The issue relates to a tenant lockout situation where no other global admin in the tenant has the necessary admin rights to re-register MFA.

To resolve this, we engaged our Data Protection team through a support ticket. Please connect with our support team via the ticket, and they will assist you in resolving the issue.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click Accept Answer and kindly upvote it. If you have extra questions about this answer, please click Comment.
Janaki Kota 790 Reputation points Microsoft External Staff

2025-02-25T10:36:40.8866667+00:00

Hello Juan Pinzon,

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Janaki Kota 790 Reputation points Microsoft External Staff

2025-02-26T11:18:43.1233333+00:00

Hello Juan Pinzon,

Following up to see if the above suggestion was helpful. And, if you have any further query do let us know.
Juan Pinzon 40 Reputation points

2025-02-26T17:14:02.61+00:00

Hi Raja. I did receive a call from a service representative, but unfortunately they couldn't help me, since I'm not the owner of the affected account. I sent you more details in the private conversation.

Thanks
Raja Pothuraju 17,250 Reputation points Microsoft External Staff

2025-02-28T16:52:55.6366667+00:00

Hello @Juan Pinzon,

Thank you for your response.

I have sent you a response in private message. Please check.

Share via

Can't do a Domain Takeover in Microsoft Entra, after original Power BI user lost access to account

0 additional answers

Your answer