GoDaddy Office 365 Defederation: How to Fix iPhone AADSTS50020 Error

After defederating from GoDaddy Microsoft 365, iPhones may show error AADSTS50020. Learn the complete defederation process, break glass account setup, and the Edge browser trick to fix stubborn iPhone authentication issues.

Published 2025-11-18 by TechNet New England

Credit Where It's Due

This guide is based on the excellent documentation from T-Minus 365. Their comprehensive defederation guides have helped countless MSPs and IT administrators reclaim control of GoDaddy-federated tenants.

Original source: T-Minus 365 Defederation Documentation

If you've ever purchased Microsoft 365 through GoDaddy, you know the pain. GoDaddy federates your domain and tenant, locking you into their ecosystem. You can't transfer to a CSP partner, you can't go direct with Microsoft, and if you call GoDaddy to defederate, they'll often delete all your users and data first.

The good news? You can defederate without calling GoDaddy, keep all your user accounts and data, and have zero mail flow downtime. The bad news? After defederation, you might run into a frustrating iPhone authentication error that won't go away no matter what you try.

This guide covers both: the complete defederation process and the fix for that stubborn iPhone error.

Understanding the Problem

When you purchase Microsoft 365 through GoDaddy, they federate your domain to their identity provider. This means:

Defederation breaks this federation, returning control of authentication to your Microsoft tenant directly.

CRITICAL: Before You Start

1. Use the admin@[netorg].onmicrosoft.com Account

Do NOT use your regular admin account on your custom domain. You must use the built-in admin account that ends in @[netorg].onmicrosoft.com or @[randomstring].onmicrosoft.com. This account exists outside the federation and will still work after defederation. Your federated domain admin accounts may lose access during the process.

2. Create a Break Glass Account BEFORE Defederating

A "break glass" account is an emergency Global Administrator account that you never use except in emergencies. Create one before starting:

  • Username: Something like breakglass@[yournetorg].onmicrosoft.com
  • Password: 25+ characters, random, stored securely offline (password manager or safe)
  • Role: Global Administrator
  • MFA: Configured but use a separate method (hardware key or different phone)
  • Never log in unless the primary admin account is locked out

If something goes wrong during defederation and you get locked out of your main admin account, the break glass account is your lifeline. Without it, you may need to contact Microsoft support and wait days to regain access.

The Defederation Process

Important Warning

Defederating requires all users to reset their passwords. They will not be able to log in with their old passwords after defederation. Plan a maintenance window and have temporary passwords ready to distribute.

Phase 1: Preparation

  1. Create a break glass account - Global Admin on the onmicrosoft.com domain with a long random password stored securely
  2. Verify admin access - Confirm you can log into admin@[netorg].onmicrosoft.com
  3. Notify your users - Schedule a maintenance window and explain that passwords will be reset
  4. Prepare temporary passwords - Either collect new passwords from users beforehand or prepare to distribute temporary passwords
  5. Document current state - Export user lists, license assignments, and group memberships

Phase 2: Gain Administrative Access

You need access to the true Global Admin account, which is typically admin@[netorg].onmicrosoft.com (not your federated domain).

  1. Go to the Azure Portal (portal.azure.com)
  2. Sign in with your admin@[netorg].onmicrosoft.com account
  3. If you don't know the password, reset it through Azure AD
  4. Verify you have Global Administrator role

Tip: The "netorg" name is usually visible in your Microsoft 365 admin center URL or in the Azure AD tenant information. It might look like netorg12345678.onmicrosoft.com.

Phase 3: Install Microsoft Graph PowerShell

The old MSOnline module is deprecated. Use Microsoft Graph PowerShell instead:

# Install the Microsoft Graph module
Install-Module Microsoft.Graph -Scope CurrentUser

# Connect with the required permissions
Connect-MgGraph -Scopes "Domain.ReadWrite.All"

Phase 4: Remove Federation

This is the critical step. Run this command for each federated domain:

# Check current domain status
Get-MgDomain | Select-Object Id, AuthenticationType

# Defederate the domain (change to Managed)
Update-MgDomain -DomainId "yourdomain.com" -AuthenticationType "Managed"

Critical Note

ALL domains in the tenant must be in a managed state for this to work correctly - even domains that are no longer in use. Check all domains with Get-MgDomain and defederate any that show as "Federated."
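As an added example (not part of the original guide or the T-Minus 365 documentation), the script below applies the Critical Note above: it enumerates every domain in the tenant, converts each one still reporting Federated to Managed, and re-reads the list afterwards so nothing is left federated by accident. It assumes Connect-MgGraph has already been run with Domain.ReadWrite.All as in Phase 3.

```powershell
# Added example, not from the original guide. Assumes an existing
# Connect-MgGraph session with the Domain.ReadWrite.All scope (Phase 3).

$domains   = Get-MgDomain -All
$federated = @($domains | Where-Object { $_.AuthenticationType -eq 'Federated' })

if ($federated.Count -eq 0) {
    Write-Host "No federated domains found; nothing to convert."
}
else {
    Write-Host "Federated domains found: $($federated.Id -join ', ')"

    foreach ($domain in $federated) {
        Write-Host "Converting $($domain.Id) to Managed..."
        try {
            # Same call as the single-domain step above, applied per domain.
            Update-MgDomain -DomainId $domain.Id -AuthenticationType 'Managed'
        }
        catch {
            Write-Warning "Failed to update $($domain.Id): $($_.Exception.Message)"
        }
    }
}

# Verify: re-read the tenant and report anything that is still not Managed,
# including unused or parked domains, before moving on to Phase 5.
$remaining = @(Get-MgDomain -All | Where-Object { $_.AuthenticationType -ne 'Managed' })
if ($remaining.Count -gt 0) {
    Write-Warning "Still not Managed: $($remaining.Id -join ', ')"
}
else {
    Write-Host "All $($domains.Count) domains are now Managed."
}
```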

Phase 5: Reset User Passwords

After defederation, users cannot log in until their passwords are reset. You can do this manually in the admin portal or in bulk:

# Reset a single user's password. This needs a scope that allows user writes;
# the Phase 3 connection requested only Domain.ReadWrite.All.
$password = @{
    Password                      = "TempP@ssw0rd123!"
    ForceChangePasswordNextSignIn = $true
}
Update-MgUser -UserId "user@yourdomain.com" -PasswordProfile $password
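The bulk variant, added here as an example rather than taken from the original guide: it gives every enabled member user on the defederated domain a unique, randomly generated temporary password that must be changed at next sign-in, and writes the results to a CSV for controlled distribution. The domain name and output path are placeholders, and the scopes on the Connect-MgGraph line are an assumption of the example, since the Phase 3 connection requested only Domain.ReadWrite.All.

```powershell
# Added example, not from the original guide. The scopes are an assumption:
# Domain.ReadWrite.All alone (Phase 3) cannot change user passwords.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All'

$domain  = 'yourdomain.com'                                          # placeholder
$outFile = Join-Path $env:USERPROFILE 'Desktop\temp-passwords.csv'   # placeholder

# 64-symbol alphabet (I, O and l dropped to avoid confusion) so that mapping a
# random byte with modulo introduces no bias.
function New-TempPassword {
    param([int]$Length = 20)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%&*'
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Only enabled member accounts on the domain; guests and disabled accounts are skipped.
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,UserType |
    Where-Object { $_.UserPrincipalName -like "*@$domain" -and $_.AccountEnabled -and $_.UserType -eq 'Member' }

$results = foreach ($u in $users) {
    $temp = New-TempPassword
    try {
        Update-MgUser -UserId $u.Id -PasswordProfile @{
            Password                      = $temp
            ForceChangePasswordNextSignIn = $true
        }
        [pscustomobject]@{ User = $u.UserPrincipalName; TempPassword = $temp; Status = 'Reset' }
    }
    catch {
        [pscustomobject]@{ User = $u.UserPrincipalName; TempPassword = ''; Status = "Failed: $($_.Exception.Message)" }
    }
}

$results | Export-Csv -Path $outFile -NoTypeInformation
$ok = @($results | Where-Object Status -eq 'Reset').Count
Write-Host "Reset $ok of $(@($users).Count) users. Temporary passwords written to $outFile; delete that file once distributed."
```

Any row whose Status begins with "Failed" should be retried individually with the single-user command above before the maintenance window closes.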

Phase 6: Set Up New Licensing

  1. Establish a CSP relationship or go direct with Microsoft
  2. Purchase new licenses through your new provider
  3. Assign the new licenses to users
  4. Remove the old GoDaddy license assignments

Phase 7: Remove GoDaddy Access (CRITICAL)

Do This BEFORE Canceling with GoDaddy

Remove GoDaddy as a delegated admin before you cancel your subscription with them. If you cancel first, they may run a script that deletes all users and removes your primary domain.

  1. Go to Microsoft 365 Admin Center
  2. Navigate to Settings → Partner Relationships
  3. Remove GoDaddy as a partner
  4. Then cancel your GoDaddy subscription

The iPhone Problem: Error AADSTS50020

You've done everything right. Defederation is complete. Desktop Outlook works. Webmail works. But when users try to add their email on their iPhone, they get:

Error AADSTS50020: User account 'user@domain.com' from identity provider does not exist in tenant and cannot access the application.

You've tried:

The problem? There are cached authentication tokens buried deep in Microsoft's shared authentication system on iOS that survive all of these steps.

The Fix: Edge Browser Sign-Out

Microsoft Edge on iOS shares authentication state with other Microsoft apps. There's a hidden diagnostics page that lets you clear these cached tokens.

Step-by-Step Fix

  1. Download Microsoft Edge on the iPhone if it's not already installed (free from the App Store)
  2. Open Edge and navigate to this URL:
    edge://signin-internals
  3. Scroll to the bottom of the page
  4. Tap "RemoveAllAccounts" (or "Sign out of all accounts")
  5. Close Edge completely
  6. Open Outlook and add the email account again
  7. Sign in fresh with the new password (post-defederation)

This clears the cached tokens that were still pointing to GoDaddy's federated identity provider, allowing the device to authenticate properly against your now-managed tenant.

Why This Works

Microsoft uses a shared authentication broker on iOS. When you sign into any Microsoft app (Outlook, Teams, OneDrive, Authenticator), it stores tokens that other Microsoft apps can use for single sign-on. After defederation, these tokens still reference the old federated identity provider.

The edge://signin-internals page gives you access to clear these shared tokens, something you can't do by simply deleting individual apps.

Alternative: Nuclear Option

If the Edge trick doesn't work, you may need to:

  1. Delete ALL Microsoft apps from the iPhone (Outlook, Teams, OneDrive, Authenticator, Edge, Word, Excel, etc.)
  2. Go to Settings → Passwords and remove any saved Microsoft credentials
  3. Go to Settings → Mail → Accounts and remove any Microsoft/Exchange accounts
  4. Restart the iPhone
  5. Reinstall Outlook and sign in fresh

Prevention: Communicate with Users

Before defederating, prepare your users:

Summary

Defederating from GoDaddy is possible without their help, without losing data, and without downtime. The key steps are:

  1. Create a break glass account first - Emergency Global Admin on onmicrosoft.com domain
  2. Use the admin@[netorg].onmicrosoft.com account (not your federated domain)
  3. Use Microsoft Graph PowerShell to change authentication to "Managed"
  4. Reset all user passwords
  5. Set up new licensing through CSP or direct
  6. Remove GoDaddy as partner BEFORE canceling
  7. For stubborn iPhone issues, use edge://signin-internals to clear cached tokens

Need Help?

GoDaddy defederation can be tricky, especially for larger organizations. If you'd rather have professionals handle it, contact us for assistance with your Microsoft 365 migration.