This post was most recently updated on July 28th, 2022.

4 min read.

Rogue Azure Active Directories don’t sound like a huge and widespread problem, but Microsoft’s approach of generating unmanaged, viral AAD tenants whenever they encounter the tiniest reason to do so MUST be driven by some weird internal scorecard where “number of tenants” has a lot of weight, because you do get an Azure AD tenant really easily, and getting rid of one is surprisingly laborious. This guide aims to explain what’s the quickest way to remove one.

Background

Table of Contents

Unmanaged directories can be troublesome because they are just that – unmanaged. And one can get created for your Xbox live account, and the next time you’re trying to buy more vbucks in Fortnite, instead of a credit card number, you’re asked to input the MFA code from Microsoft Authenticator – the only problem being, you have never configured MFA for your account (don’t worry – I know you’re better than that! – But for the sake of argument, let’s suppose that you’re not) and have no idea where you might get a code.

That’s what viral AAD will do to you. Well, that and Azure Active Directory Security Defaults. But let’s not go there. That’s a rabbit hole for another time, and perhaps for someone else to write about.

So how do you get your account to be managed by an unmanaged Azure Active Directory tenant? How does your private, personal Xbox live/OneDrive/Teams Personal account get infected by a viral directory, hampering down your access forever?

Mine got created when I activated a Microsoft Learn sandbox environment. Oh, the regrets an ill-advised decision made in a heat of the moment can cause, right?

Anyway – this guide will – well – guide you through the process of first taking over, and then (optionally) deleting the Azure Active Directory tenant.

“Shoot yourself in the foot: 101”

Long story short, I ended up having (at least) 2 accounts with the same email address, and Microsoft was having a hard time telling them apart. This meant that any time I wanted to log in to Azure, SharePoint, Microsoft Learn, XBOX Live, or other services, I’d see something like this:

Leading to this:

And causing all kinds of funkiness – like Microsoft Teams constantly logging you out, Azure Portal asking for an MFA prompt every time you navigate anywhere, or adding a OneDrive account to your machine failing.

The most annoying part is that after 14 days the unmanaged account really DOES start managing your account by trying to enforce MFA on you. If you never use it, it doesn’t matter – but if you want to remove the account after 14 days, you’ll FIRST need to configure MFA to do that.

That adds even more steps to the already lengthy (~20 steps, taking 10-15 minutes) guide below. Although, a lot of the steps could be automated using PowerShell – if Microsoft Learn doesn’t find a proper way to manage the sandboxes, I’ll probably have to create an auto-purge PowerShell script for this.

Solution

So let’s jump to the actual steps on taking over and removing the viral, rogue AAD tenant, right?

Time needed: 30 minutes

How to take over and kill an unmanaged AAD tenant?

Create a new user context
The easiest way to do that is probably by signing up for a free trial of PowerBI. You can do that below:
https://app.powerbi.com/signupredirect?pbi_source=web

Why is this required?

Even if you log in to your account in Azure, for whatever reason, it doesn’t have access to the Admin takeover site unless you get in through PowerBI or such. Something to do with your user context?
Enter your user account
Sign in
Click “Start” to sell your soul (no worries – it’s only temporary!)

After this, you might need to click “next”, “yes”, “skip” and “accept” a few times, but you’ll be fine.
Navigate to tenant administration
Hit the waffle menu to bring up “Admin”.
Start the takeover
Verify your domain ownership
This needs to be done to prove you actually do own the domain for which you’re trying to perform the takeover.

Now, my website’s DNS is managed by Cloudflare. You might be using some other provider – but let’s take a really quick look at how to modify the records on Cloudflare.
Modify your DNS records
Log in to your nameserver provider and find the DNS configuration. Below is shown for Cloudflare.
Add the TXT record
Just copy-paste the values from the “Admin takeover” page.
Success!
Great! Now we’re the admin for this tenant.

Let’s proceed by clicking “Ok”
(Optional) Let’s delete this sucker!
If you’re fine with just taking over an unmanaged tenant, then you can call it a day. But if you actually wanted to get rid of this rogue directory, let’s continue our cleanup!

First, you need to navigate to Billing > Your Products
Remove your products
Remove each product or subscription
If it asks you for confirmation, just hit “yes”, “ok”, “sure, whatever”, or whichever option you think will let you actually kill off the products that are blocking you from removing this rogue tenant.
Navigate to Azure Active Directory Admin Center
Delete tenant
Select “Azure Active Directory” and then “Delete tenant”:
You should now be able to remove your tenant

If you get an error about lacking permissions to access some Azure Resources, see this.
And you’re done!

Possible issues

As usual, there are a few pitfalls you might fall into. Let’s take a quick look and see what’s what!

Deletion is impossible due to missing Azure permissions

Hit “Get permission to delete all Azure resources”, or go to your Azure Active Directory instance’s properties and select this:

How to enable access to Azure subscription from Azure AD?

Then hit “Save”.

Deletion is impossible due to licenses or Microsoft 365 self-signup products

If at the tenant deletion you get this kind of a view:

… I don’t think you followed my guide closely enough. You missed the step where you needed to remove products.

Go back to Admin Center > Billing > My Products, and remove all of the products/subscriptions.

Any other issues you might run into – just let me know in the comments -section below!

References

A convoluted and long rant that almost explains what you need to do:
- https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-admin-takeover
A shorter and more useful guide (just with outdated instructions):
- https://docs.microsoft.com/en-us/microsoft-365/admin/misc/become-the-admin?view=o365-worldwide

Author
Recent Posts

Antti K. Koskela

Developer / Speaker / Consultant at Koskila / Precio Fishbone / Norppandalotti Software Co / Alter - Experience Ideas Ltd

Antti Koskela is a proud digital native nomadic millennial full stack developer (is that enough funny buzzwords? That's definitely enough funny buzzwords!), who works as Solutions Architect for Precio Fishbone, building delightful Digital Workplaces.

He's been a developer from 2004 (starting with PHP and Java), and he's been working on .NET projects, Azure, Office 365, SharePoint and a lot of other stuff. He's also Microsoft MVP for Azure.

This is his personal professional (e.g. professional, but definitely personal) blog.

Latest posts by Antti K. Koskela (see all)

CSOM suddenly throwing exceptions when trying to access list contents in SharePoint? A weird fix. - April 2, 2024
“Predefined type ‘System.Object’ is not defined or imported” and other System namespace stuff missing in your solution? - March 26, 2024
How to import GraphQL schema to Postman in Windows? - March 19, 2024

5 3 votes

Article Rating

#SharePointProblems

Solutions are worthless unless shared! Antti K. Koskela's Personal Professional Blog

Guide: How to take over and kill a viral AAD tenant?