How to delete an Azure Active Directory (ADD) Tenant

You may have discovered that deleting an Azure Active Directory is a particularly frustrating experience that ultimately ends in failure. The new portal have improved things a bit, by running through a series of check before the delete button is enabled.

You may need to go back to the Classic portal (https://manage.windowsazure.com) to see some of the objects/resources to delete.

However, although this will help you remove ‘most’ of what you need to, unfortunately NOT all!

In this case I got a “Unable to delete directory

Clicking through on this Alert you may get something like “Tenant has enabled service principals“!

In the new portal, these should appear in the ‘Enterprise Applications’ …I think, but that didn’t happen for me. However, in the classic portal I did see two ‘Applications’ remaining (Office 365 Management APIs & Visual Studio Online), despite having never specified this myself. How they got there is another discussion. In my case, this was just a quick test of creating a B2C Active Directory, that had no additional actions taken other than creation.

B2C Applications

If you have created a B2C Active Directory and you are not able to delete the AD because it says there is a still a registered application, then you may need to remove the application from that blade in the portal first.

You may also need to do this if you try to remove any Registered Applications in PowerShell using something like (see Step 3 below)

Get-AzureADApplication | Remove-AzureADApplication

and you get the ‘Deletion of multi-tenant application is currently not supported.‘ error as below.

Remove-AzureADApplication : Error occurred while executing RemoveApplication 
StatusCode: BadRequest
ErrorCode: Request_BadRequest
Message: Deletion of multi-tenant application is currently not supported.
At line:1 char:26
+ Get-AzureADApplication | Remove-AzureADApplication
+                          ~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Remove-AzureADApplication], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.RemoveApplication

Walk-through of deleting the AAD Tenant

The first step is to ensure you have a ‘local’ Global Admin account in this tenant that you can leave as the only account. As this AD Tenant did not exist when you created it, you would have probably used either an Office 365 or Microsoft account to create it.

Step 1 – Add a ‘local’ Global Admin User

So, you need to Add a User. The easiest way is to use the Classic portal as this includes a more helpful dialog.

Make a note of the ‘onmicrosoft.com‘ username. Here I have called it deletethisaad@hmstrainb2c.onmicrosoft.com

Make sure you select ‘Global Admin‘ and enter an ‘Alternative Email Address’.

Then click ‘Create‘ and make a copy of the new password.

Step 2 – Login and change the password of the new ‘local’ user

You will now need to login as this new user and you will be forced to change the password. Best to use an ‘Incognito’/’InPrivate’ browser tab for this.

In your new ‘InPrivate’ tab go to https://portal.azure.com

 

Step 3 – Use PowerShell to remove all Principals

Unfortunately (if you don’t like coding!) you will need to use PowerShell to remove the Service Principals mentioned in the AAD Error Details.

Firstly make sure you have the AzureAD PowerShell module installed (this is the newer V2 cmdlets) . To do this I suggest using the ‘Windows PowerShell ISE‘ (make sure it’s NOT the ‘Windows PowerShell ISE (x86)’ if you’re on a 64-bit OS. This is because when you install the module it will be the one appropriate to your OS and things may fail). You will also need to run it as a local administrator using the ‘Run as administrator‘ (right-click on the shortcut) to successfully install the module.

To install the AzureAD Powershell module run the following

# Need to ensure install the module, Need to 'Run as administrator'
Install-Module AzureAD

Once installed, now run the following PowerShell commands (personally I would run them one by one just to be sure and check the responses). You will be prompted to enter the new password for the new account you just created.

# Log in to the AD Tenant with your new 'Local' account
$username ="{replace this with your new username}"
$adcred = Get-Credential -UserName $username -Message "Enter the password"
Connect-AzureAD -Credential $adcred 

#Confirm you have the correct Tenant
Get-AzureADTenantDetail | select DisplayName

#Get Service Principles
Get-AzureADServicePrincipal | select DisplayName

You may see a list like

# Delete the Principals
Get-AzureADServicePrincipal | Remove-AzureADServicePrincipal

# Check if any Service Principles are left
# Leave these if any as they may be mandatory!
Get-AzureADServicePrincipal | select DisplayName

You can do the same process for any registered applications too. Just substitute ‘ServicePrincipal‘ with ‘Application‘.

Step 4 – Remove the original User account

You can either do this from the portal or using PowerShell. Just make sure you get the right User account (not the one you have just created)! If using the portal you will need to login with the new account.

# List all user accounts
Get-AzureADUser

# Now make sure you can just select the original one. 
# Copy the display name from the previous command and use as a search string
Get-AzureADUser -SearchString "{replace with search term. e.g. DisplayName}"

#Get and delete a user
Get-AzureADUser -SearchString "{replace with search term. e.g. DisplayName}" | Remove-AzureADUser

#Check that you are left with just the new account
Get-AzureADUser
Step 5 – Delete the Azure Active Directory Tenant

Log into the portal (https://portal.azure.com) using the new account.

Go to Azure Active Directory > Overview and click Delete, as you probably did before!

Hopefully it will finally be gone without error! Do comment if you have any different experiences.

🙂

Azure
Attribution

I do owe a big thanks to Eric Golp whose blog entry I based this updated walk-through on. You can find the original at https://blogs.msdn.microsoft.com/ericgolpe/2015/04/30/walkthrough-of-deleting-an-azure-ad-tenant/

Save

Save

Save

Leave a Reply