How to leave an Azure AD tenant?

This post was most recently updated on May 31st, 2021.

This article explains how to fix your account, whenever it gets completely FUBAR due to your account being added as a guest in another AAD organization. And this might happen in multiple different situations – my most typical woe is Visual Studio’s Cloud Explorer, which stops showing me my subscriptions due to authentication against the other organizations failing. Add some extra difficulty by having someone in the other directory block your account from signing in, and you can’t even remove the account by any usual means!

Well, there’s a long background explanation about my case specifically, but please feel free to skip that. The actual meat of the matter is this: How to remove your account as a guest in another Azure AD tenant?

Background

Yeah, okay – this was the most frustrating issue I’ve had with Azure AD so far. Some time ago, a customer had invited me to their tenant with my work email to help them out with some configurations. Not knowing to be cautious, I accepted the invitation.

I investigated their situation, fixed their issues, logged out, probably blogged about the solution, and didn’t think any more about the situation.

Six months later, my Visual Studio Cloud Explorer stopped showing me any resources. Instead, I got an error like the one shown below:

“Subscriptions could not be loaded. Please try reentering credentials or removing and readding the account.” on Visual Studio Cloud Explorer.

Now, this should be an easy fix, right? I tried clicking “Reenter credentials”, and I was presented with…

Well, I can’t screenshot that here. Cloud Explorer actually wanted to authenticate against the customer environment before showing the subscriptions attached to my account in my own organization. The only thing you’d see would be the customer’s logo and login page.

… and just as luck would have it, the customer had locked my account in their Azure Active Directory. That blocks logging in – and removing the account.

What fun.

Long story short, I couldn’t log in, I couldn’t remove the account from the Cloud Explorer, and I couldn’t access my own Azure subscriptions!

The worst thing? The customer’s IT turned out to be fairly stubborn about this. They refused to remove the account citing compliance concerns.

At this point, the only thing our IT could do was to remove the account and recreate it. But that being my only work account would mean a bit of an unwanted clean slate for yours truly – I kind of wanted to keep my emails, file history, conversation history – you know the jazz.

I didn’t want to go down that road, so I ended up not using Cloud Explorer until Microsoft finally published a user interface for managing your guest access. Not a biggie – for deployments, I use Azure DevOps Pipelines anyway, and remote debugging is so painful I don’t mind avoiding it :)

Anyway, since we finally have a nice UI for leaving offending organizations in AAD, let’s document how to use it!

Solution

First, we can check whether simply disabling authentication against the rogue directories helps. That would be an easy win! But if it doesn’t, we’ll need to first nuke Visual Studio’s identity cache, then leave the organizations, and then log back in to your primary resources.

For my case, I started by nuking Visual Studio’s identity cache. That needed to be done first, as we need to make sure Visual Studio reacts to our changes immediately – but if your problem doesn’t concern Visual Studio at all, feel free to skip right to the how-to below.

The process to clear the cached credentials from Visual Studio has been described in detail in this article:
How to nuke the Identity Cache in Visual Studio?

The guide below will explain the rest of the steps (the ones directly related to Azure AD) in detail!

Time needed: 15 minutes

How to remove your account as a guest in another Azure AD tenant?

  1. Log in & find your account management

    Firstly, navigate to this site:
    https://myaccount.microsoft.com/organizations?leave=true

    If you’re unable to access the page by clicking the link above, just click on your face after logging in to Azure Portal or Microsoft 365, and select “My account”, and then “Organizations”.

    The “Organizations” section in Microsoft’s account control.

  2. Investigate and prune the organizations

    At this point, you probably already know which of the organizations is giving you a hard time (Visual Studio is forcing you to try and authenticate, only for you to find out your account is blocked, at which point Visual Studio just gives up), so go ahead and remove it by clicking “Leave organization”.


  3. Make note of the AAD tenant guid before accepting

    Just in case you need it, at this point the tenant id of the Azure AD instance you’re trying to leave is shown in the URL. It’s highlighted in purple below.


    The id highlighted in red is your home tenant.

    If you need to investigate each tenant (e.g. you can’t tell from the name whether it’s the tenant giving you trouble), you can craft a tenant-specific sign-in request like the one below:

    https://login.microsoftonline.com/the-guid-of-your-aad-instance/oauth2/authorize?response_type=token&client_id=08e18876-6177-487e-b8b5-cf950c1e598c&login_hint=username%40contoso.com&client-request-id=803b10e0-ff11-4515-b946-09d75459783a&x-client-SKU=Js&x-client-Ver=1.0.16&prompt=select_account

    The client id in this request refers to an out-of-the-box extension in SharePoint Online – nothing nefarious, just one of the things that should exist on all of the tenants.

    Entering this URL should bring up the organization-specific, often-branded login page, and you should finally figure out which Azure AD you’re trying to leave!

  4. “Yes” + “next” + “confirm” + “accept” + “consent” + “yes please”

    I don’t actually know how many times you have to click “yes” or “next”, but it might be quite a few times.

    Depending on how your account has been configured, you might get an MFA prompt or an SMS code to verify it’s really you trying to leave the organization.

    Additionally, you might need to try multiple times (for me, leaving one of the organizations took a handful of tries over multiple months, but it finally succeeded). Eventually, you should get an error saying something about your account missing from the directory – and then you’re good!
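A small Python helper for step 3, added here and not part of the original post: given tenant GUIDs copied from the myaccount URL, it builds the tenant-specific sign-in URL from the post (keeping the post’s client id and dropping the per-request tracing parameters) and reads the tenant’s public OpenID Connect discovery document to confirm the GUID actually resolves before you click through a branded login page. The discovery endpoint and its `issuer`, `tenant_region_scope` and `cloud_instance_name` keys are standard Azure AD metadata; the injectable `fetch` parameter is my own addition so the logic can be exercised offline against a constructed document.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
# Client id taken from the sign-in URL in the post (a SharePoint Online app, per the author).
CLIENT_ID = "08e18876-6177-487e-b8b5-cf950c1e598c"

def signin_url(tenant_id: str, login_hint: str) -> str:
    """Build the tenant-specific authorize URL from the post, with the login hint URL-encoded."""
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"not a tenant GUID: {tenant_id!r}")
    query = urllib.parse.urlencode({
        "response_type": "token",
        "client_id": CLIENT_ID,
        "login_hint": login_hint,
        "prompt": "select_account",
    })
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/authorize?{query}"

def _http_get(url: str) -> str:
    """Live fetch of a URL; tests inject a constructed document instead of calling this."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

def describe_tenant(tenant_id: str, fetch=_http_get) -> dict:
    """Read the tenant's OIDC discovery document (public, no sign-in needed) and summarise it."""
    # Assumed standard metadata keys: issuer, tenant_region_scope, cloud_instance_name.
    if not GUID_RE.match(tenant_id):
        raise ValueError(f"not a tenant GUID: {tenant_id!r}")
    url = f"https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration"
    try:
        doc = json.loads(fetch(url))
    except urllib.error.HTTPError as err:
        # An unknown GUID is answered with an HTTP error instead of metadata: nothing to leave there.
        return {"tenant_id": tenant_id, "exists": False, "http_status": err.code}
    issuer = doc.get("issuer", "")
    return {
        "tenant_id": tenant_id,
        "exists": True,
        # The issuer embeds the tenant GUID; a mismatch means the id you copied is not what resolved.
        "issuer_matches": tenant_id.lower() in issuer.lower(),
        "region": doc.get("tenant_region_scope"),
        "cloud": doc.get("cloud_instance_name"),
    }
```

Run `describe_tenant` for each GUID you collected, then open `signin_url` only for the ones that exist and whose issuer matches.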

It’s mind-boggling that Microsoft DIDN’T have the option to leave other directories until about a year ago, but now that they do, it works pretty well.


Did it help you? Let me know in the comments section below!
