This post was most recently updated on April 8th, 2021.
Rogue Azure Active Directories don’t sound like a huge or widespread problem, but Microsoft’s habit of generating unmanaged, viral AAD tenants whenever it finds the tiniest reason to do so MUST be driven by some weird internal scorecard where “number of tenants” carries a lot of weight: you get an Azure AD tenant really easily, and getting rid of one is surprisingly laborious. This guide aims to explain the quickest way to remove one.
Unmanaged directories can be troublesome because they are just that: unmanaged. One can get created for your Xbox Live account, and the next time you’re trying to buy more V-Bucks in Fortnite, instead of a credit card number you’re asked to input the MFA code from Microsoft Authenticator. The only problem: you have never configured MFA for your account (don’t worry, I know you’re better than that! But for the sake of argument, let’s suppose you’re not) and have no idea where you might get a code.
That’s what viral AAD will do to you. Well, that and Azure Active Directory Security Defaults. But let’s not go there.
So how does your account end up being managed by an unmanaged Azure Active Directory tenant? How does your private, personal Xbox Live/OneDrive/Teams personal account get infected by a viral directory, hampering your access forever?
Mine got created when I activated a Microsoft Learn sandbox environment. Oh, the regrets an ill-advised decision made in the heat of the moment can cause, right?
Anyway – this guide will – well – guide you through the process of first taking over, and then (optionally) deleting the Azure Active Directory tenant.
“Shoot yourself in the foot: 101”
Long story short, I ended up having (at least) 2 accounts with the same email address, and Microsoft was having a hard time telling them apart. This meant that any time I wanted to log in to Azure, SharePoint, Microsoft Learn, XBOX Live or other services, I’d see something like this:
Leading to this:
And causing all kinds of funkiness, like Microsoft Teams constantly logging you out, the Azure Portal asking for an MFA prompt every time you navigate anywhere, or adding a OneDrive account to your machine failing.
The most annoying part is that after 14 days the unmanaged tenant really DOES start managing your account by trying to enforce MFA on you. If you never use the account, it doesn’t matter, but if you want to remove it after 14 days, you’ll FIRST need to configure MFA to do that.
That adds even more steps to the already lengthy guide below (~20 steps, taking 10-15 minutes). Although, a lot of the steps could be automated using PowerShell; if Microsoft Learn doesn’t find a proper way to manage the sandboxes, I’ll probably have to create an auto-purge PowerShell script for this.
So let’s jump to the actual steps on taking over and removing the viral, rogue AAD tenant, right?
Time needed: 30 minutes.
How to take over and kill an unmanaged AAD tenant?
- Create a new user context
The easiest way to do that is probably by signing up for a free trial of Power BI. You can do that below:
Why is this required?
Even if you log in to your account in Azure, for whatever reason it doesn’t have access to the Admin takeover site unless you get in through Power BI or similar. Something to do with your user context?
- Enter your user account
- Sign in
- Click “Start” to sell your soul (no worries – it’s only temporary!)
After this, you might need to click “next”, “yes”, “skip” and “accept” a few times, but you’ll be fine.
- Navigate to tenant administration
Hit the waffle menu to bring up “Admin”.
- Start the takeover
- Verify your domain ownership
This needs to be done to prove you actually own the domain for which you’re performing the takeover.
Now, my website’s DNS is managed by Cloudflare. You might be using some other provider – but let’s take a really quick look at how to modify the records on Cloudflare.
- Modify your DNS records
Log in to your nameserver provider and find the DNS configuration. Shown below for Cloudflare.
- Add the TXT record
Just copy-paste the values from the “Admin takeover” page.
Great! Now we’re the admin for this tenant.
Let’s proceed by clicking “Ok”
- (Optional) Let’s delete this sucker!
If you’re fine with just taking over an unmanaged tenant, then you can call it a day. But if you actually wanted to get rid of this rogue directory, let’s continue our cleanup!
First, you need to navigate to Billing > Your Products.
- Remove your products
- Remove each product or subscription
If it asks you for confirmation, just hit “yes”, “ok”, “sure, whatever”, or whichever option you think will let you actually kill off the products that are blocking you from removing this rogue tenant.
- Navigate to Azure Active Directory Admin Center
- Delete tenant
Select “Azure Active Directory” and then “Delete tenant”:
- You should now be able to remove your tenant
If you get an error about lacking permissions to access some Azure resources, see the “Deletion is impossible due to missing Azure permissions” pitfall below.
- And you’re done!
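The takeover and cleanup steps above can be sanity-checked from PowerShell before you click through the portal. The script below is an added example, not from the original post or from Microsoft: it assumes the Microsoft.Graph module is installed, that $Domain is the domain you are proving ownership of and $ExpectedTxt is the TXT value copied from the “Admin takeover” page, and it lists the Microsoft-documented blockers for tenant deletion (users other than the signed-in admin, app registrations, and licensed subscriptions).

```powershell
# Added example (not from the original post): pre-flight checks for the
# takeover (TXT verification) and deletion (leftover products) steps.
# Assumes the Microsoft.Graph PowerShell module; $Domain and $ExpectedTxt
# are your own values, copied from the "Admin takeover" page.
param(
    [Parameter(Mandatory)] [string] $Domain,       # domain being taken over
    [Parameter(Mandatory)] [string] $ExpectedTxt   # TXT value from the takeover page
)

# 1) Domain verification: confirm the TXT record is visible in public DNS
#    before hitting "Verify". Querying a public resolver avoids a stale
#    local cache reporting "not found" right after you added the record.
$txt = @(Resolve-DnsName -Name $Domain -Type TXT -Server 1.1.1.1 -ErrorAction SilentlyContinue |
         ForEach-Object { $_.Strings })
if ($txt -contains $ExpectedTxt) {
    Write-Host "[OK]   TXT record '$ExpectedTxt' is published for $Domain"
} else {
    Write-Warning "TXT record not found yet. Currently published: $($txt -join ', ')"
}

# 2) Tenant cleanup: list what would still block "Delete tenant".
#    Read-only scope on purpose; the removal itself stays in the admin center.
Connect-MgGraph -Scopes 'Directory.Read.All'
$me    = (Get-MgContext).Account
$users = @(Get-MgUser -All | Where-Object UserPrincipalName -ne $me)
$apps  = @(Get-MgApplication -All)
$skus  = @(Get-MgSubscribedSku | Where-Object { $_.PrepaidUnits.Enabled -gt 0 })

"Users other than $me : $($users.Count)"
$users | Select-Object UserPrincipalName, UserType
"App registrations     : $($apps.Count)"
$apps  | Select-Object DisplayName, AppId
"Licensed subscriptions: $($skus.Count)"
$skus  | Select-Object SkuPartNumber, ConsumedUnits,
                       @{ n = 'Enabled'; e = { $_.PrepaidUnits.Enabled } }

if ($users.Count -eq 0 -and $apps.Count -eq 0 -and $skus.Count -eq 0) {
    Write-Host "[OK]   Nothing left in the directory that blocks 'Delete tenant'."
} else {
    Write-Warning "Remove the items above (Billing > Your Products, Users, App registrations) and re-run."
}
```

Azure resource permissions (the first pitfall below) are not visible through Graph, so that toggle still has to be checked in the Azure AD properties blade.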
As usual, there are a few pitfalls you might fall into.
Deletion is impossible due to missing Azure permissions
Hit “Get permission to delete all Azure resources”, or go to your Azure Active Directory instance’s properties and select this:
Then hit “Save”.
Deletion is impossible due to licenses or Microsoft 365 self-signup products
If at the tenant deletion you get this kind of a view:
… I don’t think you followed my guide closely enough. You missed the step where you needed to remove products.
Go back to Admin Center > Billing > My Products, and remove all of the products/subscriptions.
- A convoluted and long rant that almost explains what you need to do: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-admin-takeover
- A shorter and more useful guide (just with outdated instructions): https://docs.microsoft.com/en-us/microsoft-365/admin/misc/become-the-admin?view=o365-worldwide