Have you ever tried deleting an Azure Active Directory Tenant? Sometimes you may need to do this if you have multiple test directories in your Azure tenant. Today I’m going to discuss one specific issue which had prevented me from deleting couple of test Azure AD tenants I had in my Azure subscription.
I’ve had two Azure AD tenants which I’ve deployed for testing and wanted to delete from my subscription. As for the preparations I deleted all users, groups and application in both directories except the default user (Microsoft Account). As soon as I hit DELETE it was prompting below error.
“Directory contains one or more applications that were added by a user or administrator.”
Now I was pretty much sure that I deleted all the SaaS applications from both directories but I went ahead and checked the application list just to be sure.
I can see one application called “Office 365 Management APIs” in the list which cannot be deleted and none of the directories were originated from Office 365 subscriptions.
I created a new global administrator user in each directory additional to the default Microsoft Account I had. (firstname.lastname@example.org). Then I signed into my Azure AD tenant using Azure AD PowerShell. Here I’ve used the Connect-MsolService cmdlet and used the credentials of the new admin account to sign in.
I’ve executed following cmdlet to remove all SaaS applications from Azure AD. Note that there may be failures because some of the applications simply can’t be removed from Azure AD but it shouldn’t be a problem to delete the particular Azure AD tenant.
Get-MsolServicePrincipal | Remove-MsolServicePrincipal
When I switched back to Azure portal after exiting the PowerShell Session I could still see the Office 365 Management APIs application, but I decided to delete the global administrator for each directory and hit the DELETE button. Guess what I could successfully remove both Azure AD tenants without any issue.
This TechNet article came in very handy to troubleshoot this issue and contains more of the deletion scenarios for an Azure AD tenant.
If you are just messing with Azure AD for testing sometimes you want to delete any directories that you created or subsequently on boarded (i.e Office 365). Have you ever faced a scenario where you cannot delete a directory? Let’s see why is that.
You can delete an Azure AD as long as it meets below prerequisites. This ensures that users will not impacted by such action.
There cannot be any active Multi-Factor Authentication Providers linked to the directory that you are going to delete.
You have to delete all the users except the global administrator of that directory prior you attempt to delete the directory itself. No need to delete any groups. You can refer my previous blog post on hoe to delete orphaned Azure AD accounts if you need any instructions.
All applications associated with that directory should be removed first. Remember if you have added an application from the Azure AD Application Gallery (i.e SalesForce) you cannot delete the directory at all. This is a current limitation on Azure AD which Microsoft promises a fix soon.
If your directory is associated with any of the Microsoft Online Services such as Office 365, Intune or Azure AD Premium you cannot delete the directory from the portal. This is chicken and egg problem since those services use that directory for authentication. If so badly wants to do that, you’ll have to contact Microsoft Support to get that done for you and it is a lengthy process.
So remember before you start cursing Azure Team, keep in mind these little tips. I for one personally want to get rid of Scenario 3 & 4 because sometime customers are doing mistakes for signing up for multiple identities with different Microsoft Online Services and later suffer from dilemma of deletion.
Deleting an Azure AD is irreversible. So think twice before you pull the plug.
If you have tried to delete any of Azure AD tenants that you have in your Azure subscription sometimes you just can’t do that. Let’s see why is that and how to successfully delete an AD tenant from Azure.
I have an Azure AD tenant that I wanted to delete in my subscription. This has AD Premium Trial (Expiring on March 2015) active in it.
When I try to delete the tenant it gives the below error message.
This is because I have an active Microsoft Online Services service associated with this directory. If you have,
- Office 365
- Microsoft Intune
- Azure RMS
enabled for your AD tenant, you’ll have to log in to Microsoft Cloud Support portal by visiting here and initiate a support request with the Microsoft Billing & Subscriptions team.
If you have Enterprise Mobility Suite (EMS) or Azure AD Premium enabled for the directory you want to delete (yes an active trial also counts) you’ll have to contact volume licensing partner to cancel that subscription. But if that’s a trial like mine again you’ll have to contact Office 365 support.
This is only one issue you can get when you try to delete an Azure AD Tenant. There are several other errors you can possibly get and you can find how to rectify same from this TechNet article.
Is anyone wondering how to remove orphaned local AD accounts that were synchronized to Azure AD using DirSync? Let’s see how we can achieve this with some simple steps and little bit of PowerShell.
Your on-premise AD DS server is no longer functional. That means loacl AD is dead.
When AD DS is no longer available you cannot remove any objects that has been synced to Azure AD. Usually if you want to deleted a synced object you should do that in local AD.
Let’s see how we rectify this issue.
When an account is orphaned you no longer see the Delete option.
- If you haven’t done already, install the Azure Active Directory Module for Windows PowerShell. You can find guidelines here.
- Open Windows Azure AD PowerShell & connect to your Azure AD tenant. If you do not know how to do that refer here.
- Remember for step 2 you cannot use the Microsoft Account associated with your Azure Subscription. You should authenticate using a global admin account for the particular azure AD tenant. Otherwise you’ll get an error like below.
- Disable DirSync using below PowerShell cmdlet. Note that it can take up to 72 hours to complete this operation depending the size f your directory.
Set-MsolDirSyncEnabled –EnableDirSync $false
- To verify DirSync has been fully disabled or not run below cmdlet. If it is disabled you should get a false value. This might take a while.
- Alternatively you can disabled Dirsync via Azure Portal as well. Select the directory > select DIRECTORY INTEGRATION > Select DEACTIVATED from Directory Synchronization section.
- Now you can see that orphaned account that were listed as local AD account are converted to Windows Azure AD accounts and the delete option is available.Assuming you want to delete the directory you can safely do that as well. But remember if you have subscribed into any Microsoft Online Service like Office 365, Azure AD Premium, Intune etc… you cannot delete the directory and currently it’s a limitation in Azure AD.