[GH-ISSUE #1643] Domain moved to other tenant is applying standards of both tenants. #885

New issue

Closed

opened 2026-03-02 12:46:02 +03:00 by kerem · 3 comments

kerem commented 2026-03-02 12:46:02 +03:00

Owner

Copy link

Originally created by @mpowelltech on GitHub (Jul 24, 2023).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/1643

Description

Have a bit of a weird one here.

Background
We had 2 M365 tenants for a client and their subsidary, both in CIPP, let's call them contoso.com and contososub.com.

We initially setup contososub.com as a new tenant, setup GDAP and configured a bunch of very restrictive standards in CIPP.
Then we decided to put the contososub.com domain in the contoso.com tenancy and shut down the new separate tenancy.

However, the old contososub.com is still in CIPP as a separate tenant, but it seems to reference the contoso.com tenant.
So in CIPP, going to contoso.com > Users, we see all the contoso.com users and all the contososub.com users as well (expected). But if in CIPP we go to contososub.com > Users, it lists the same users.

The bigger issue is that all the restrictive standards policies we setup for the new contososub.com domain in their new tenant have now started applying to the existing contoso.com tenant, despite only being applied to the (now non-exisitent) contososub.com tenant in CIPP.

I imagine this is related to scripts that are all referencing the domain name (and not something like the tenant ID instead), so when we moved the domain name to the new tenant, the standards started applying there instead.

Suspect it's a pretty rare issue, and at this point our fix is simply removing all stadards applied to contososub.com, and we'll figure out how to best remove the tenant from CIPP, but just thought I'd raise it as an issue, in case there is a better way to reference the tenant ID (which will stay with a tenant) instead of domain names (which are very occasionally moved to a different tenant).

Steps to reproduce:

1. Create a new tenant (TenantB) with default domain of contososub.com and add it to GDAP/CIPP
2. Create standards for TenantB (contososub.com) in CIPP
3. Remove contososub.com domain from TenantB tenant and add it to existing TenantA tenant.
4. Now any standards that are applied to TenantB will apply to TenantA instead.

Love your work!

Environment data

Sponsored / Non-sponsored instance: Non-sponsored
Front end version number: 3.8.0
Back end version number: 3.8.1
Tried Tenant Cache Clear: true
Tried Token Cache Clear: false

Originally created by @mpowelltech on GitHub (Jul 24, 2023). Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/1643 ### Description Have a bit of a weird one here. **Background** We had 2 M365 tenants for a client and their subsidary, both in CIPP, let's call them contoso.com and contososub.com. We initially setup contososub.com as a new tenant, setup GDAP and configured a bunch of very restrictive standards in CIPP. Then we decided to put the contososub.com domain in the contoso.com tenancy and shut down the new separate tenancy. However, the old contososub.com is still in CIPP as a separate tenant, but it seems to reference the contoso.com tenant. So in CIPP, going to contoso.com > Users, we see all the contoso.com users and all the contososub.com users as well (expected). But if in CIPP we go to contososub.com > Users, it lists the same users. The bigger issue is that all the restrictive standards policies we setup for the new contososub.com domain in their new tenant have now started applying to the existing contoso.com tenant, despite only being applied to the (now non-exisitent) contososub.com tenant in CIPP. I imagine this is related to scripts that are all referencing the domain name (and not something like the tenant ID instead), so when we moved the domain name to the new tenant, the standards started applying there instead. Suspect it's a pretty rare issue, and at this point our fix is simply removing all stadards applied to contososub.com, and we'll figure out how to best remove the tenant from CIPP, but just thought I'd raise it as an issue, in case there is a better way to reference the tenant ID (which will stay with a tenant) instead of domain names (which are very occasionally moved to a different tenant). **Steps to reproduce:** 1. Create a new tenant (TenantB) with default domain of contososub.com and add it to GDAP/CIPP 2. Create standards for TenantB (contososub.com) in CIPP 3. Remove contososub.com domain from TenantB tenant and add it to existing TenantA tenant. 4. Now any standards that are applied to TenantB will apply to TenantA instead. Love your work! ### Environment data ```PowerShell Sponsored / Non-sponsored instance: Non-sponsored Front end version number: 3.8.0 Back end version number: 3.8.1 Tried Tenant Cache Clear: true Tried Token Cache Clear: false ```

kerem 2026-03-02 12:46:02 +03:00

• closed this issue
• added the
  bug
  unconfirmed-by-user
  labels

kerem commented 2026-03-02 12:46:03 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Jul 24, 2023):

Thank you for creating a bug. Please make sure your bug is indeed a unique case by checking current and past issues, and reading the complete documentation at https://docs.cipp.app/
If your bug is a known documentation issue, it will be closed without notice by a contributor. To confirm that this is not a bug found in the documentation, please copy and paste the following comment: "I confirm that I have checked the documentation thoroughly and believe this to be an actual bug.".

Without confirming, your report will be closed in 24 hours. If you'd like this bug to be assigned to you, please comment "I would like to work on this please!".

<!-- gh-comment-id:1647380209 --> @github-actions[bot] commented on GitHub (Jul 24, 2023): Thank you for creating a bug. Please make sure your bug is indeed a unique case by checking current and past issues, and reading the complete documentation at https://docs.cipp.app/ If your bug is a known documentation issue, it will be closed without notice by a contributor. To confirm that this is not a bug found in the documentation, please copy and paste the following comment: "I confirm that I have checked the documentation thoroughly and believe this to be an actual bug.". Without confirming, your report will be closed in 24 hours. If you'd like this bug to be assigned to you, please comment "I would like to work on this please!".

kerem commented 2026-03-02 12:46:03 +03:00

Author

Owner

Copy link

@mpowelltech commented on GitHub (Jul 24, 2023):

I confirm that I have checked the documentation thoroughly and believe this to be an actual bug.

<!-- gh-comment-id:1647382320 --> @mpowelltech commented on GitHub (Jul 24, 2023): I confirm that I have checked the documentation thoroughly and believe this to be an actual bug.

kerem commented 2026-03-02 12:46:03 +03:00

Author

Owner

Copy link

@KelvinTegelaar commented on GitHub (Jul 24, 2023):

currently not accepting bug reports/feature requests by non-sponsors due to CIPP workload. Feel free to sponsor and request a reopen.

<!-- gh-comment-id:1647384146 --> @KelvinTegelaar commented on GitHub (Jul 24, 2023): currently not accepting bug reports/feature requests by non-sponsors due to CIPP workload. Feel free to sponsor and request a reopen.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

docs

dev

dependabot/npm_and_yarn/dev/uiw/react-json-view-2.0.0-alpha.42

dependabot/npm_and_yarn/dev/tanstack/react-query-persist-client-5.96.2

dependabot/npm_and_yarn/dev/mui-tiptap-1.30.0

dependabot/npm_and_yarn/dev/tanstack/react-query-devtools-5.96.2

dependabot/npm_and_yarn/dev/recharts-3.8.1

dependabot/github_actions/dev/actions/setup-node-6.4.0

copilot/add-alert-for-report-only-ca

release/beta

release/nightly

docs-maintenance

v10.4.0

v10.3.0

v10.2.0

v10.1.0

v10.0.0

v8.8.0

v8.7.0

v8.6.0

v8.5.0

v8.4.0

v8.3.0

v8.2.0

v8.1.0

v8.0.0

v7.5.0

v7.4.0

v7.3.0

v7.2.0

v7.1.0

v7.0.1

v6.4.0

v6.3.0

v6.2.0

v6.1.0

v6.0.0

v5.9.0

v5.8.5

v5.8.0

v5.7.0

v5.6.0

v5.5.0

v5.4.0

v5.3.0

v5.2.0

v5.1.0

v5.0.0

v4.9.0

v4.8.0

v4.7.0

v.4.6.0

v4.5.0

v4.4.0

v4.3.0

v4.2.0

v4.1.0

v4.0.0

v3.8.0

v3.7.0

v3.6.0

v3.5.0

v3.4.0

v3.3.0

v3.2.0

v3.1.0

v3.0.0

v2.20.0

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.13.0

v2.12.0

v2.11.2

v2.1.11.0

v.2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.0

v2.5.5

v2.5.0

v2.4.0

v.2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

2.0.0

v1.5.1

v1.5.0

v1.4.3

v1.4.2

v1.4.0

v1.3.0

v1.2.1

v1.2.0

1.1.0

release

Labels

Clear labels   

API

  

Feature

  

NotABug

  

NotABug

  

Planned

  

Sponsor Priority

  

Sponsor Priority

  

bug

  

documentation

  

duplicate

  

enhancement

  

needs more info

  

no-activity

  

no-priority

  

not-assigned

  

pull-request

Mirrored from GitHub Pull Request

  

react-conversion

  

react-conversion

  

roadmap

  

security

  

stale

  

unconfirmed-by-user

  

unconfirmed-by-user

  

wontfix

No labels

API

Feature

NotABug

NotABug

Planned

Sponsor Priority

Sponsor Priority

bug

documentation

duplicate

enhancement

needs more info

no-activity

no-priority

not-assigned

pull-request

react-conversion

react-conversion

roadmap

security

stale

unconfirmed-by-user

unconfirmed-by-user

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/CIPP#885

No description provided.