Removing onmicrosoft.com from M365 usernames needs sifoidak.com verified as a custom Entra domain, which needs a DNS TXT record at GoDaddy. Mike confirmed ACG has no registrar access to that account, so UPNs stay on sifoidak.onmicrosoft.com and new users follow the same convention. Recorded as decided rather than blocked so it is not re-proposed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
24 KiB
type, name, display_name, last_compiled, compiled_by, sources, backlinks
| type | name | display_name | last_compiled | compiled_by | sources | backlinks | |||
|---|---|---|---|---|---|---|---|---|---|
| client | sif-oidak | Sif-oidak District - Tohono O'odham Nation | 2026-07-09 | HOWARD-HOME/claude-main |
|
Sif-oidak District — Tohono O'odham Nation
Overview
- Organization type: Tribal government / district — Sif-oidak District of the Tohono O'odham Nation
- Contract type: Per-incident (no prepaid block documented)
- Billing rate: $150/hr remote labor
- Syncro customer ID: 7694718
- Primary contact: Deanna Cruz — deanna.cruz@tonation-nsn.gov
- Environment: NOT hybrid — two independent, unsynced identity systems: an on-premises AD domain (SifOidak.local) and a separate M365 cloud tenant. There is no Entra Connect / AD Connect anywhere (verified 2026-07-09 on both SIF-SERVER and SIF-SERVER2). See Identity model.
- M365 onboarding: Completed 2026-06-03; all four ACG MSP apps consented, roles assigned
Contacts
| Name | Role / Notes |
|---|---|
| Deanna Cruz | Primary contact (Syncro record); email: deanna.cruz@tonation-nsn.gov |
| Joshua Albert | End user; jalbert.sod@sifoidak.onmicrosoft.com; domain account: jalbert |
| Dwayne Ortega | End user; Dortega.sod@sifoidak.onmicrosoft.com; new account created 2026-06-03 |
Identity model (READ BEFORE TOUCHING ANY ACCOUNT)
Sif-oidak runs two separate identity systems with no synchronization between them. A user needs a distinct account in each, and their passwords are independent.
| On-prem AD | M365 cloud | |
|---|---|---|
| Directory | SifOidak.local | sifoidak.onmicrosoft.com |
| UPN shape | jalbert@SifOidak.local |
jalbert.sod@sifoidak.onmicrosoft.com |
| Used for | Windows workstation sign-in | Email / Office / Teams |
| Password reset via | Set-ADAccountPassword on SIF-SERVER |
Graph API |
Verified 2026-07-09: no ADSync service and no "Azure AD Connect" uninstall entry on either
SIF-SERVER or SIF-SERVER2; no AD user carries an msDS-ConsistencyGuid; every M365 user has
onPremisesSyncEnabled: null. The two directories are genuinely disjoint.
Consequences — these are the traps:
- Workstations are domain-joined ONLY (
dsregcmd:DomainJoined: YES,AzureAdJoined: NO). M365 credentials cannot sign in to a Sif-oidak machine. Creating a cloud user does not give anyone a workstation login. - Resetting the M365 password does nothing for a machine login, and vice versa. When a user says "I can't log in," first establish which system — Windows sign-in screen = AD; Outlook/Teams prompt = M365.
- Onboarding a new employee requires two account creations, not one.
Actually THREE systems — email is not in M365 either
| System | Directory | Used for |
|---|---|---|
| On-prem AD | SifOidak.local | Windows workstation sign-in |
| M365 cloud | sifoidak.onmicrosoft.com | Office apps + OneDrive sign-in (no mailbox) |
| sifoidak.com @ GoDaddy | Mail (MX -> smtp.secureserver.net) |
The M365 SKU is O365_BUSINESS (Microsoft 365 Apps for business). Its Exchange entitlement is
EXCHANGE_S_FOUNDATION — the no-mailbox stub. Verified 2026-07-09: all 12 users have
mail: null and zero proxyAddresses. There are no Exchange Online mailboxes in this tenant.
Mail lives at GoDaddy and is not managed through M365.
Do not confuse "username" with "email" here. Every M365 user's username (UPN) is
...@sifoidak.onmicrosoft.com. Their email address is...@sifoidak.comat GoDaddy. Both statements are simultaneously true.
USER ONBOARDING RUNBOOK (Mike's standing instruction, 2026-07-09)
Creating a new Sif-oidak user requires creating accounts in BOTH systems. Never just one.
- On-prem AD account — on SIF-SERVER,
New-ADUserintoOU=Domain Users,DC=SifOidak,DC=local, SamAccountName = first-initial + surname, UPN<sam>@SifOidak.local,Domain Usersgroup, temp password with-ChangePasswordAtLogon $true. VerifypwdLastSet=0on both DCs. (Without this the user cannot log in to their machine at all — see the 2026-07-09 history entry.) - M365 account — Graph user, UPN
<initial><surname>.sod@sifoidak.onmicrosoft.com(theonmicrosoft.comsuffix is correct and unavoidable — see below),usageLocation: USbefore license assignment, then assignO365_BUSINESS. Watch for seat auto-expansion. - Email account — provisioned at GoDaddy on sifoidak.com, not in M365.
- Vault every credential (
clients/sif-oidak/ad-users.sops.yaml), never paste it into a ticket.
Username convention — onmicrosoft.com stays (DECIDED 2026-07-09, do not re-open)
M365 usernames at this client will keep the @sifoidak.onmicrosoft.com suffix. New users get
<name>@sifoidak.onmicrosoft.com. This is settled — don't propose changing it again.
Why it can't change: sifoidak.onmicrosoft.com is the tenant's only verified domain
(isInitial: true, isDefault: true), and a UPN may only use a verified domain. Using
@sifoidak.com would require adding it as a custom Entra domain and proving ownership with a DNS
TXT record — but sifoidak.com is registered at GoDaddy (ns19/ns20.domaincontrol.com) and
ACG does not have registrar access. Mike confirmed on 2026-07-09 that we cannot get it, so the
rename is off the table.
Renaming would also have broken every existing user's Office sign-in until they re-authenticated — a real cost for a cosmetic gain, with no upside while mail lives at GoDaddy anyway.
If registrar access is ever obtained, the path is: add sifoidak.com without the Exchange
service (to protect the MX -> secureserver.net GoDaddy mail flow), verify, set default, rename.
Until then this is not actionable.
Note on the existing UPNs: most are <initial><surname>.sod@, but m.allen@ and
marcella.enos@ deviate. Match <initial><surname>.sod@ for new users.
AD naming conventions (match these)
SamAccountName= first initial + surname (jalbert,dortega,dcruz,drodriguez)CN= full display name (CN=Dwayne Ortega)- Container =
OU=Domain Users,DC=SifOidak,DC=local(a real OU, not the defaultCN=Users) - UPN suffix =
@SifOidak.local(the only suffix in the forest) - Departmental groups exist (e.g.
AssistancePrograms Group) — do not add a new user to one without asking;Domain Usersalone is the safe default.
AD password policy (weak — note for any hardening discussion)
MinPasswordLength: 6, ComplexityEnabled: False, MaxPasswordAge: ~42 days.
Infrastructure
On-Premises Servers
| Host | Role | Domain | GuruRMM Agent ID | Status (last seen) |
|---|---|---|---|---|
| SIF-SERVER | Primary Domain Controller | SifOidak.local | def9fdbb-020b-498d-9d3b-edf5912ba298 | Online (2026-07-09) |
| SIF-SERVER2 | Backup Domain Controller (DomainRole: 4, confirmed 2026-07-09) |
SifOidak.local | 944b0c4b-048d-44b8-85e5-40da135f58d6 | Online (2026-07-09) |
| Sif-Laptop554 | Endpoint — Joshua Albert's (jalbert profile, active console session) | SifOidak.local | 9e5016f0-e330-4d24-ab01-67cf4e55d46b | Online (2026-07-09) |
| Sif-Laptop555 | Endpoint — likely Dwayne Ortega's (unconfirmed) | SifOidak.local | 1be314d5-0395-4b1c-aa26-3b4a96bd2e22 | Offline (2026-07-09) |
Laptop agent UUIDs changed between 2026-05-28 and 2026-07-09 (agents re-enrolled). Always resolve hostname → UUID live via
rmm-search.sh -c sif-oidak; never reuse a UUID from this table.
Sif-Laptop554 local accounts: Localadmin and Sif (both enabled); Administrator/Guest
disabled. Profiles present: jalbert, guru, Sif, Localadmin. Local creds are vaulted at
clients/sif-oidak/laptops.sops.yaml.
- Domain: SifOidak.local
- SIF-SERVER = PDC (
DomainRole: 5); SIF-SERVER2 = backup DC (DomainRole: 4). Both confirmed 2026-07-09. - Two DCs means a workstation may authenticate against either. After any AD write, verify the change is present on both (
Get-ADUser <u> -Server localhoston each) before telling a user to try again.
Network
- Internal network details not documented
- No firewall, IP ranges, or ISP information recorded
M365 Tenant
| Field | Value |
|---|---|
| Tenant domain | sifoidak.onmicrosoft.com |
| Tenant ID | 568eb763-3b95-4271-8443-530c74b1c6bb |
| License SKU | O365 Business (cdd28e44-67e3-425e-be4c-737fab2899d3) |
| Seat count | 11/11 (auto-expanded from 10 on 2026-06-03 when Dortega was licensed) |
| CIPP status | NOT in CIPP as of 2026-06-03 — GDAP/Partner Center relationship needed |
ACG MSP App Principals (consented 2026-06-03 via onboard-tenant.sh)
| App | Service Principal OID | Roles Assigned |
|---|---|---|
| Tenant Admin | 3cc1f0b3-6cc0-4dc3-ac8c-ac0ed94c5341 | Conditional Access Administrator |
| User Manager | 011b990a-c787-4af1-b4d5-606a5461f2e5 | User Administrator, Authentication Administrator |
| Security Investigator | 4b42e8e7-615d-4d67-8edf-a4166f1fd179 | Exchange Administrator (2 Graph permissions pending — see Open Items) |
| Exchange Operator | 0d51ec52-0070-4073-98c6-2c8eb3caa8b5 | Exchange Administrator |
- Onboarding required Tenant Admin app consent first, then
onboard-tenant.shto programmatically consent remaining apps and assign roles - User Manager was accidentally consented first; script handled the already-present SP gracefully
- Two Graph permission grants failed on Security Investigator (
df021288User.Read.All,b0afded3AuditLog.Read.All) — Graph replication timing; non-blocking
Tenant Admin Consent URL (for future use)
https://login.microsoftonline.com/sifoidak.onmicrosoft.com/adminconsent?client_id=709e6eed-0711-4875-9c44-2d3518c47063&redirect_uri=https://azcomputerguru.com&prompt=consent
Known Users / Accounts
Joshua Albert
| Field | Value |
|---|---|
| UPN | jalbert.sod@sifoidak.onmicrosoft.com |
| M365 user ID | 55f77ce1-20fc-44b1-a7c7-2fa42b348b76 |
| AD account | jalbert (domain: SifOidak.local) |
| License | O365 Business — already assigned prior to 2026-06-03 |
| Password policy | PasswordNeverExpires was TRUE; cleared 2026-05-28 (was prerequisite for must-change flag; not restored) |
2026-05-28 — AD password reset: Password reset to Temp1234! via Set-ADAccountPassword on SIF-SERVER using GuruRMM remote PowerShell. Must-change flag initially applied then reversed per Mike's revised requirement. PasswordNeverExpires was cleared and NOT restored — improved security posture.
2026-06-03 — M365 password reset: Password reset to user-chosen value Albert#2015 via Graph API PATCH. forceChangePasswordNextSignIn: false (Howard explicitly stated user chose the password).
Dwayne Ortega
Has BOTH accounts as of 2026-07-09. They are unrelated and have independent passwords.
| Field | M365 cloud | On-prem AD |
|---|---|---|
| Identifier | Dortega.sod@sifoidak.onmicrosoft.com | dortega / dortega@SifOidak.local |
| Object ID / DN | 014c1df6-444b-4502-9239-15c3ff935887 | CN=Dwayne Ortega,OU=Domain Users,DC=SifOidak,DC=local |
| Created | 2026-06-03 | 2026-07-09 |
| License | O365 Business | n/a |
| Groups | — | Domain Users only |
| Password | reset 2026-07-09T20:33:05Z (by someone other than this session) | temp, must change at next logon (pwdLastSet=0) |
| Credential location | not vaulted | clients/sif-oidak/ad-users.sops.yaml |
M365 user created 2026-06-03: usage location set to US before license assignment (Graph API requirement); license assignment triggered seat auto-expansion from 10 to 11.
AD account created 2026-07-09 to resolve "cannot log in to his machine" — he had a cloud identity only, and the workstations are domain-joined with no Entra join, so no M365 credential could ever have signed him in. See History.
On-Premises Active Directory
- Domain: SifOidak.local
- Primary DC: SIF-SERVER (GuruRMM agent ID: def9fdbb-020b-498d-9d3b-edf5912ba298)
- Confirmed AD cmdlets available:
Get-ADUser,Set-ADAccountPassword,Set-ADUser - Execution context: NT AUTHORITY\SYSTEM (via GuruRMM remote PowerShell)
- Password complexity: Standard AD complexity (upper, lower, digit, special char required —
Temp1234!meets requirements) - jalbert PasswordNeverExpires: Was
$trueprior to 2026-05-28; cleared and not restored
AD Management Notes
Set-ADUser -PasswordNeverExpires $false -ChangePasswordAtLogon $truefails in a single call — AD rejects both flags simultaneously. Use two sequential calls.Set-ADUser -ChangePasswordAtLogon $truemay fail even after clearingPasswordNeverExpiresin the same command string (possible replication delay). Usenet user <user> /logonpasswordchg:yes /domaininstead — more reliable.- ADSI path with single quotes inside double-quoted JSON strings causes PowerShell parse errors in GuruRMM command payloads. Use
DirectorySearcherwith double-quoted ADSI path for AD verification.
Printing
Print queues are shared off the domain controllers (not a dedicated print server). All ports
point at 192.168.0.99.
| Share | Host | Driver |
|---|---|---|
\\SIF-SERVER\SHARP UD3 PCL6 |
SIF-SERVER | SHARP UD3 PCL6 |
\\SIF-SERVER\SHARP MX-6070V PCL6 |
SIF-SERVER | SHARP MX-6070V PCL6 |
\\SIF-SERVER2\SHARP MX-6240N PCL6 |
SIF-SERVER2 | SHARP MX-6240N PCL6 |
Adding a shared printer requires local admin (error 740)
Symptom: a standard user adds \\SIF-SERVER\SHARP UD3 PCL6 and gets error 740
(ERROR_ELEVATION_REQUIRED). Microsoft-Windows-PrintService/Admin event 600 logs
Error code= 800702e4 (0x2E4 = 740) — "failed to import the printer driver ... from
\\sif-server\print$\x64\PCC\sv0emenu.inf_amd64_...cab". The event text blames the digital
signature; that is a red herring — 0x800702e4 is purely an elevation failure.
Cause: post-KB5005652 (PrintNightmare hardening), RestrictDriverInstallationToAdministrators
defaults to 1 — only administrators may install a print driver via Point and Print. The value is
absent from the registry on Sif endpoints, so the restrictive default applies. Standard users
(e.g. jalbert) are not local admins; local admins are Administrator, Localadmin, and
SIFOIDAK\Domain Admins.
In practice the UAC prompt for the driver install does not surface to the user, so it reads as a bare error rather than a permission request (confirmed by Howard 2026-07-09).
Fix: install the printer with admin rights — supply Localadmin credentials at the UAC prompt,
or install it for the user. Once the driver is in the local driver store, subsequent connections work.
Do NOT "fix" this by setting RestrictDriverInstallationToAdministrators=0. That re-opens the
PrintNightmare (CVE-2021-34527) remote-code-execution class of bug for every user on the machine.
Preferred non-interactive alternative: add a per-machine connection as SYSTEM via GuruRMM
(rundll32 printui.dll,PrintUIEntry /ga /n"\\SIF-SERVER\<share>" + spooler restart), which installs
the driver under an admin context without weakening the policy.
Known defect — GPO pushes a printer from the wrong server
Sif-Laptop554 logs event 513: Group Policy was unable to add per computer connection \\SIF-SERVER\SHARP MX-6240N PCL6. Error code 0x709. The MX-6240N is shared on SIF-SERVER2, not
SIF-SERVER, so the GPO path is wrong. Correct the GPO to \\SIF-SERVER2\SHARP MX-6240N PCL6
(or re-share the queue on SIF-SERVER). Unresolved as of 2026-07-09.
Syncro
| Field | Value |
|---|---|
| Customer ID | 7694718 |
| Customer name | Sif-oidak District - Tohono O'odham Nation |
| Billing rate | $150/hr remote |
Tickets
| Ticket | Date | Summary | Status |
|---|---|---|---|
| #32341 | 2026-05-28 | jalbert domain password reset via GuruRMM | Invoiced ($75.00, 0.5h) |
| #32380 | 2026-06-03 | M365 onboarding, Joshua Albert license/password, Dwayne Ortega new user | Created, assigned to Howard |
- Invoice #1650451827 — $75.00 (ticket #32341)
- Ticket #32380: https://computerguru.syncromsp.com/tickets/112127922
- Ticket #32341: https://computerguru.syncromsp.com/tickets/111395067
Vault
- On-prem credentials:
clients/sif-oidak/laptops.sops.yaml— local admin / standard user creds for Sif-Laptop554/555 - M365 admin credentials: NOT vaulted — no shared admin credentials recorded for this tenant
Patterns / Notes
- "Cannot log in" is ambiguous at this client — disambiguate FIRST. Because AD and M365 are unsynced, the same complaint has two unrelated root causes. Ask (or check) whether the failure is at the Windows sign-in screen (AD) or in an Office app (M365) before touching a password. On 2026-07-09 Dwayne Ortega's cloud password had already been reset the same day, which did nothing for his machine login because he had no AD account at all.
- Creating an M365 user does NOT create a workstation login. New-hire onboarding here needs two account creations. This is the single easiest mistake to make at Sif-oidak.
- Tenant identification was non-obvious: Initial attempt used
toua.net(Tohono O'odham Nation parent org) before Mike confirmed the correct tenant issifoidak.onmicrosoft.com. Always use the client's specific subdomain, not the tribal parent. The Syncro primary contact (deanna.cruz@tonation-nsn.gov) uses the parent org domain — that does not indicate the correct M365 tenant. - ACG MSP app onboarding order matters: Tenant Admin must be consented first.
onboard-tenant.shthen handles all other app SPs and role assignments. Do not skip directly to User Manager or Exchange Operator. - Seat auto-expansion accepted without manual purchase: Microsoft 365 auto-expanded from 10 to 11 seats when Dortega's license was assigned. No manual action required in the moment, but billing implications should be verified with client if they have a fixed-seat contract.
- Graph permission replication timing: Two Security Investigator Graph permissions failed immediately after SP creation — standard replication lag. Re-run
onboard-tenant.sh sifoidak.onmicrosoft.comto backfill. Non-blocking for user management operations. - Two DCs, not one: SIF-SERVER (PDC) and SIF-SERVER2 (backup DC). Any assumption of a single DC is wrong; confirm AD writes replicated to both before declaring a fix done.
- PasswordNeverExpires cleared on jalbert: Pre-2026-05-28 state was
PasswordNeverExpires = $true. This was cleared as a prerequisite for must-change and was not restored at Mike's direction. If this account is a service account or has special policy exemption, re-enabling may be needed — confirm at next contact. - Client not yet in CIPP: Tenant is onboarded into ACG MSP apps but has no GDAP / Partner Center delegated admin relationship. For full MSP visibility and CIPP inclusion, a Partner Center delegated admin request is needed.
Open Items
- Still outstanding (re-confirmed 2026-07-09): re-run
onboard-tenant.sh sifoidak.onmicrosoft.comto backfill 2 missing Security Investigator Graph permissions (User.Read.All,AuditLog.Read.All). AsignInActivityquery on 2026-07-09 still 403s with "does not have required Microsoft Graph permission(s): AuditLog.Read.All" — so sign-in history is currently unreadable for this tenant. - Confirm which laptop is actually Dwayne Ortega's (Sif-Laptop555 assumed, was offline 2026-07-09) and verify he can sign in + complete the forced password change
Remove— CLOSED 2026-07-09. ACG has no registrar access toonmicrosoft.comfrom M365 usernamessifoidak.com(GoDaddy); Mike confirmed we cannot obtain it. UPNs stay onsifoidak.onmicrosoft.com. Do not re-open.- Fix GPO printer path: it pushes
\\SIF-SERVER\SHARP MX-6240N PCL6, but that queue is shared on SIF-SERVER2 (event 513, error 0x709) - Consider whether AD password policy should be hardened (currently min length 6, complexity OFF)
- Decide whether Dwayne needs
AssistancePrograms Groupmembership (jalbert has it; Dwayne created withDomain Usersonly) - Add
clients/sif-oidak/m365-admin.sops.yamlif client shares admin credentials with ACG - Determine if jalbert's
PasswordNeverExpiresshould be restored (was cleared 2026-05-28) - Consider GDAP / Partner Center delegated admin relationship to get tenant into CIPP
History
2026-05-28 — jalbert AD password reset (GuruRMM)
Howard requested a remote password reset for domain user jalbert (Joshua Albert) on SIF-SERVER. ACG used GuruRMM remote PowerShell (no RDP). SIF-SERVER confirmed online (agent def9fdbb), execution context NT AUTHORITY\SYSTEM. Password reset to Temp1234! via Set-ADAccountPassword. Must-change flag applied then reversed per Mike's direction. PasswordNeverExpires cleared and not restored. Syncro ticket #32341 created, 0.5h billed at $150/hr ($75.00), invoice #1650451827.
2026-06-03 — M365 tenant onboarding + user provisioning
Howard initiated via Discord requesting an O365 license for Joshua Albert. Tenant sifoidak.onmicrosoft.com was not in CIPP and had no ACG MSP app consent. Tenant identified by Mike after toua.net was tried first (wrong). Onboarded via admin consent + onboard-tenant.sh: Tenant Admin, User Manager, Security Investigator, and Exchange Operator all consented; directory roles assigned. Joshua Albert found to already have O365 Business license. Password reset to user-chosen value Albert#2015. New user Dwayne Ortega created (Dortega.sod@sifoidak.onmicrosoft.com), usage location set to US, O365 Business license assigned — tenant auto-expanded 10 → 11 seats. Syncro ticket #32380 created, assigned to Howard.
2026-07-09 — Dwayne Ortega could not log in to his machine; root cause = no AD account
Howard reported Dwayne Ortega could not log in to his machine. Investigation via GuruRMM found
no on-prem AD account matching ortega/dwayne among the 71 domain users — he existed only as
an M365 cloud user (created 2026-06-03). dsregcmd on Sif-Laptop554 confirmed the workstations are
DomainJoined: YES / AzureAdJoined: NO, so an M365 credential can never authenticate a Windows
sign-in here. Neither SIF-SERVER nor SIF-SERVER2 has any Entra Connect / ADSync component, and no AD
object carries an msDS-ConsistencyGuid — the directories are fully disjoint, correcting this
article's prior "hybrid" description. His cloud password had been reset earlier the same day
(lastPasswordChangeDateTime: 2026-07-09T20:33:05Z), which could not have fixed a machine login.
Fix: created AD user dortega (CN=Dwayne Ortega, OU=Domain Users) on SIF-SERVER via GuruRMM
-EncodedCommand dispatch, enabled, Domain Users only, matching the client's
first-initial+surname convention. Set a temp password with ChangePasswordAtLogon; verified
pwdLastSet=0. Temp credential vaulted to clients/sif-oidak/ad-users.sops.yaml (never posted to
chat/ticket). Laptop agent UUIDs found stale in this article and corrected.
2026-07-09 — jalbert could not add the SHARP UD3 printer (error 740)
Joshua Albert hit error 740 (ERROR_ELEVATION_REQUIRED) adding \\SIF-SERVER\SHARP UD3 PCL6.
PrintService/Admin event 600 confirmed Error code= 800702e4 on three attempts. Root cause: the
post-KB5005652 default RestrictDriverInstallationToAdministrators=1 blocks non-admin print-driver
installs, and the UAC prompt for the driver install never surfaced to the user, so it presented
as a bare error. Howard installed the printer himself with admin rights; no remote change was made.
Investigation also surfaced a GPO pushing the MX-6240N queue from the wrong server (event 513).
Also established this session: the tenant has no Exchange mailboxes (O365_BUSINESS =
Apps-for-business, EXCHANGE_S_FOUNDATION stub; all users mail: null, no proxyAddresses), and
email for sifoidak.com is hosted at GoDaddy. Mike set a standing rule that new Sif-oidak users get
both an AD account and an M365 account. The related request to drop onmicrosoft.com from
usernames was investigated and closed the same day: it requires verifying sifoidak.com as a
custom Entra domain via a DNS TXT record, and Mike confirmed ACG has no registrar access to the
GoDaddy account. UPNs stay as-is. See the Onboarding Runbook.
Backlinks
- (none yet)