"1007 AccessDenied" error when you try to delete the federation trust in an Exchange organization

Kehtib: Exchange Server 2016 Enterprise EditionExchange Server 2016 Standard EditionExchange Server 2013 Enterprise

Symptoms


This issue occurs if your Exchange organization's federation certificate has expired. When this issue occurs, you receive an error message that resembles the following:
The URI "contoso.com" for domain "contoso.com" on application identifier "xxxxxxxxxxxxxxxx" couldn't be released. Detailed information: "An unexpected result was received from Windows Live. Detailed information: "1007 AccessDenied: Access Denied.".".

Workaround


To work around this issue, use the -force parameter to delete the current federation trust. To do this, follow these steps:
  1. Identify your federated domains
    If you have multiple federated domain names, you'll have to determine which is your primary AccountNamespace.

    Run the following cmdlet in the Exchange Management Shell to identify the federated domains and AccountNamespace:
    Get-FederatedOrganizationIdentifier
    For example, if the AccountNamespace is set to FYDIBOHF25SPDLT.Contoso.com, Contoso.com is your primary Account Namespace. This will be the last domain to be removed.
  2. Remove the federated domains if more than one domain is federated
    Run the following cmdlet in the Exchange Management Shell to remove each federated domain:
    Remove-FederatedDomain -DomainName <your federated domain> -force
    For example: RemoveFederatedDomain -DomainName Contoso.com -force
  3. Remove the federated domain that's associated with yourAccountNameSpace
    Run the following cmdlet in the Exchange Management Shell to remove the federated domain that's associated with your AccountNameSpace:
    Remove-FederatedDomain -DomainName <your federated domain> -force
    For example: Remove-FederatedDomain -DomainName Contoso.com -force
  4. Remove the federation trust
    Run the following cmdlet in the Exchange Management Shell to remove the federation trust:
    Remove-FederationTrust "Microsoft Federation Gateway"

More Information


For more information about how to create a federation trust, see Configure a federation trust.