Generate Transfer Token

To generate a transfer token for a Microsoft 365 (M365) domain (often used when transferring a domain between Microsoft tenants), you’ll typically follow this process from the source tenant using PowerShell or the Microsoft admin center.

Generate a Transfer Token in Microsoft 365

Pre-requisites:

You must be a Global Administrator in the source tenant (where the domain currently resides).
You need to install and use the Microsoft Graph PowerShell SDK (or the legacy MSOnline module for older environments).

Using Microsoft Graph PowerShell (Recommended)

Install Microsoft Graph PowerShell SDK (if not installed):

Install-Module Microsoft.Graph -Scope CurrentUser

Connect to Graph:

Connect-MgGraph -Scopes "Domain.ReadWrite.All", "Directory.AccessAsUser.All"

You will be prompted to log in as a Global Admin.

Generate the transfer token:

$domainName = "yourdomain.com"
$token = New-MgDomainTransferToken -DomainId $domainName
$token.Value

This will generate a token string that you can copy and paste into the target tenant to initiate domain takeover.

Where to Use the Token

In the target tenant, when you attempt to add the domain via the Microsoft 365 Admin Center, you'll be prompted to enter this transfer token to verify domain ownership.

Important Notes:

The token is valid for only 7 days.
Do not remove the domain from the source tenant until the transfer is completed.
The domain must not have any associated services (like email, Teams, etc.) actively using it when transferring.

Use the Transfer Token in the Target Tenant

Step 1: Sign into the Microsoft 365 Admin Center of the target tenant

Go to https://admin.microsoft.com
Use Global Admin credentials for the target Microsoft 365 tenant

Step 2: Add the domain using the token

In the left sidebar, go to: Settings → Domains → Click “Add domain”
Enter the domain name you want to transfer (e.g., yourdomain.com)
The system will detect that the domain is in use elsewhere and prompt:
"This domain is already being used in another tenant. You can request a transfer using a transfer token."
You'll be asked: "Do you have a transfer token?"
- Click “Yes”
- Paste the transfer token you got from the source tenant PowerShell
Microsoft will now validate the token.
- If valid, the domain will be queued for transfer.
- Microsoft will release the domain from the old tenant and bind it to the new one.

Step 3: Wait for the transfer to complete

This can take anywhere from a few minutes to several hours depending on DNS propagation and Microsoft’s backend checks.
You'll receive confirmation once the domain has been successfully added to the new tenant.

Important Final Checks

Do NOT remove the domain from the source tenant manually. Microsoft will handle this during the transfer.
Ensure no active users, groups, or services (Exchange, Teams, etc.) are bound to that domain in the source tenant, or the transfer will fail.
Once transferred, you may need to re-verify DNS records on your registrar for the target tenant.

REFERENCES

https://learn.microsoft.com/en-us/microsoft-365/admin/get-help-with-domains/transfer-a-domain-from-microsoft-to-another-host?view=o365-worldwide

PreviousGrant Export Permission in M365 Compliance Center NextCreate Redirect Rule for Specific Mail ID

Last updated 3 months ago

Was this helpful?