"This is fine" - a fine meme, I mean.

Guide: How to take over and kill a viral AAD tenant?

This post was most recently updated on April 8th, 2021.


Rogue Azure Active Directories don’t sound like a huge and widespread problem, but Microsoft’s approach of generating unmanaged, viral AAD tenants whenever it encounters the tiniest reason to do so MUST be driven by some weird internal scorecard where “number of tenants” carries a lot of weight: you get an Azure AD tenant really easily, and getting rid of one is surprisingly laborious. This guide explains the quickest way to remove one.

Background

Unmanaged directories can be troublesome because they are just that – unmanaged. One can get created for your Xbox Live account, and the next time you’re trying to buy more V-Bucks in Fortnite, instead of a credit card number you’re asked for the MFA code from Microsoft Authenticator – the only problem being that you have never configured MFA for your account (don’t worry – I know you’re better than that! But for the sake of argument, let’s suppose you’re not) and have no idea where you might get a code.

That’s what viral AAD will do to you. Well, that and Azure Active Directory Security Defaults. But let’s not go there.

So how does your account come to be managed by an unmanaged Azure Active Directory tenant? How does your private, personal Xbox Live/OneDrive/Teams Personal account get infected by a viral directory, hampering your access forever?

Mine got created when I activated a Microsoft Learn sandbox environment. Oh, the regrets an ill-advised decision made in the heat of the moment can cause, right?

Anyway – this guide will – well – guide you through the process of first taking over, and then (optionally) deleting the Azure Active Directory tenant.

“Shoot yourself in the foot: 101”

Long story short, I ended up having (at least) 2 accounts with the same email address, and Microsoft was having a hard time telling them apart. This meant that any time I wanted to log in to Azure, SharePoint, Microsoft Learn, XBOX Live or other services, I’d see something like this:

Leading to this:

And causing all kinds of funkiness – like Microsoft Teams constantly logging you out, the Azure Portal asking for an MFA prompt every time you navigate anywhere, or adding a OneDrive account to your machine failing.

The most annoying part is that after 14 days the “unmanaged” tenant really DOES start managing your account: Security Defaults give every user 14 days to register for MFA, and after that it is enforced. If you never use the account, it doesn’t matter – but if you want to remove the account after those 14 days, you’ll FIRST need to configure MFA to do so.

That adds even more steps to the already lengthy guide below (roughly 20 steps, taking 10–15 minutes). A lot of the steps could be automated using PowerShell, though; if Microsoft Learn doesn’t find a proper way to manage the sandboxes, I’ll probably have to create an auto-purge PowerShell script for this.

Solution

So let’s jump to the actual steps for taking over and removing the viral, rogue AAD tenant.

Time needed: 30 minutes.

How to take over and kill an unmanaged AAD tenant?

  1. Create a new user context

    The easiest way to do that is probably by signing up for a free trial of Power BI. You can do that here:
    https://app.powerbi.com/signupredirect?pbi_source=web

    Why is this required?

    The admin takeover flow is reached from the Microsoft 365 admin center of the unmanaged tenant, and the Azure portal doesn’t expose it. A self-service signup such as the Power BI trial is what gives your user a seat in that tenant, and with it an admin center to open. Logging in to Azure with the same address doesn’t help, because that session isn’t in the unmanaged tenant’s user context.


  2. Enter your user account



  3. Sign in



  4. Click “Start” to sell your soul (no worries – it’s only temporary!)



    After this, you might need to click “next”, “yes”, “skip” and “accept” a few times, but you’ll be fine.

  5. Navigate to tenant administration

    Hit the waffle (app launcher) menu and pick “Admin”.


  6. Start the takeover

    This opens the “Admin takeover” page. What you are doing here is what Microsoft calls an internal admin takeover: you become Global Administrator of the unmanaged tenant itself (including any other self-service accounts that were created in it for your domain), rather than merging its domain into a tenant you already manage.

  7. Verify your domain ownership

    This needs to be done to prove you actually do own the domain for which you’re trying to perform the takeover.


    Now, my website’s DNS is managed by Cloudflare. You might be using some other provider – but let’s take a really quick look at how to modify the records on Cloudflare.

  8. Modify your DNS records

    Log in to your DNS provider and find the DNS configuration. Shown below for Cloudflare.

  9. Add the TXT record

    Just copy-paste the name and value from the “Admin takeover” page into a new TXT record. Give it a moment (or check with nslookup/dig) before hitting verify: the check only succeeds once Microsoft’s resolvers can see the record.


  10. Success!

    Great! Now we’re the admin for this tenant.


    Let’s proceed by clicking “Ok”

  11. (Optional) Let’s delete this sucker!

    If you’re fine with just taking over an unmanaged tenant, then you can call it a day. But if you actually wanted to get rid of this rogue directory, let’s continue our cleanup!

    First, you need to navigate to Billing > Your products

  12. Remove your products


  13. Remove each product or subscription

    If it asks you for confirmation, just hit “yes”, “ok”, “sure, whatever”, or whichever option actually cancels the product. These self-service products (the Power BI trial you just signed up for included) are what block the tenant deletion later on.


  14. Navigate to Azure Active Directory Admin Center


  15. Delete tenant

    Select “Azure Active Directory” and then “Delete tenant”:


  16. You should now be able to remove your tenant



    If you get an error about lacking permissions to access some Azure resources, see “Deletion is impossible due to missing Azure permissions” under Possible issues below.

  17. And you’re done!


Possible issues

As usual, there are a few pitfalls you might fall into.

Deletion is impossible due to missing Azure permissions

Hit “Get permission to delete all Azure resources” on the delete page, or go to your Azure Active Directory instance’s Properties and set “Access management for Azure resources” to Yes:

Then hit “Save”.

Either way this elevates your account to User Access Administrator at the root scope of every Azure subscription in the tenant, which is exactly the reach the deletion flow needs to clean up. It’s a Global Administrator-only switch, so double-check that you’re flipping it in the rogue tenant and not in your real one.

Deletion is impossible due to licenses or Microsoft 365 self-signup products

If tenant deletion shows you a view like this:

… I don’t think you followed my guide closely enough. You missed the step where you needed to remove products.

Go back to Admin Center > Billing > Your products, and remove all of the products/subscriptions.
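Two places in the procedure above deserve a check rather than a blind click: step 9 (is the TXT record actually live before you hit verify?) and the deletion blockers of steps 11–16 and this section. The script below is an added example and not code from the original post. It assumes Windows PowerShell with the built-in Resolve-DnsName cmdlet and the AzureAD module (Install-Module AzureAD); the domain name, the TXT value and the function names are placeholders, and the real record is the one shown on the “Admin takeover” page.

```powershell
<#
  Added example (not from the original post). Pre-flight checks for the
  takeover (step 9) and for the tenant deletion (steps 11-16, "Possible issues").
  Assumes Windows PowerShell 5.1 with the built-in DnsClient module
  (Resolve-DnsName) and the AzureAD module (Install-Module AzureAD).
  $Domain / $ExpectedTxt are placeholders: paste the record from the takeover page.
#>
param(
    [Parameter(Mandatory)] [string] $Domain,       # e.g. contoso.example (placeholder)
    [Parameter(Mandatory)] [string] $ExpectedTxt,  # value copied from the "Admin takeover" page
    [switch] $CheckTenant                           # also run the post-takeover inventory
)

# Step 9: ask the zone's own authoritative nameservers, not a caching resolver,
# whether the TXT record is live. Microsoft's verifier only succeeds once the
# record is visible, and a stale cache makes "Verify" fail for no obvious reason.
function Test-TakeoverTxtRecord {
    param([string] $Domain, [string] $ExpectedTxt)
    $nameservers = Resolve-DnsName -Name $Domain -Type NS -ErrorAction Stop |
        Where-Object { $_.Type -eq 'NS' } |
        Select-Object -ExpandProperty NameHost
    $results = foreach ($ns in $nameservers) {
        $txt = Resolve-DnsName -Name $Domain -Type TXT -Server $ns -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' }
        [pscustomobject]@{ Nameserver = $ns; Found = ($txt -contains $ExpectedTxt) }
    }
    $results | Format-Table -AutoSize | Out-String | Write-Host
    return -not ($results.Found -contains $false)
}

# Steps 11-16 / "Possible issues": Azure AD refuses to delete a tenant that still
# holds users other than the deleting Global Admin, registered applications, or
# subscriptions (the Power BI self-service trial included). Run this after
# Connect-AzureAD into the tenant you just took over to see what is in the way.
# Note: every "other user" is a colleague who self-signed up with your domain;
# deleting the tenant deletes their accounts too, so look before you purge.
function Get-TenantDeletionBlockers {
    $session = Get-AzureADCurrentSessionInfo
    $me      = Get-AzureADUser -ObjectId $session.Account.Id
    $others  = @(Get-AzureADUser -All $true | Where-Object { $_.ObjectId -ne $me.ObjectId })
    $apps    = @(Get-AzureADApplication -All $true)
    $skus    = @(Get-AzureADSubscribedSku |
                 Where-Object { $_.PrepaidUnits.Enabled -gt 0 -or $_.ConsumedUnits -gt 0 })
    [pscustomobject]@{
        TenantId      = $session.TenantId
        SignedInAs    = $me.UserPrincipalName
        OtherUsers    = $others | ForEach-Object { $_.UserPrincipalName }
        Applications  = $apps   | ForEach-Object { $_.DisplayName }
        ActiveSkus    = $skus   | ForEach-Object { "$($_.SkuPartNumber) ($($_.ConsumedUnits) assigned)" }
        Domains       = Get-AzureADDomain | ForEach-Object { "$($_.Name) verified=$($_.IsVerified)" }
        ReadyToDelete = ($others.Count -eq 0 -and $apps.Count -eq 0 -and $skus.Count -eq 0)
    }
}

if (Test-TakeoverTxtRecord -Domain $Domain -ExpectedTxt $ExpectedTxt) {
    Write-Host "TXT record is live on every nameserver; hit Verify on the takeover page."
} else {
    Write-Warning "TXT record not yet visible everywhere; wait before clicking Verify."
}

if ($CheckTenant) {
    Connect-AzureAD | Out-Null   # interactive; sign in with the account that did the takeover
    Get-TenantDeletionBlockers | Format-List
}
```

Run it once with only the domain and TXT value while waiting for DNS, and again with -CheckTenant after the takeover and after each round of product removal; when ReadyToDelete comes back True, the remaining blockers are the ones the AzureAD module can’t see, namely Azure subscriptions (Get-AzSubscription from the Az module) and the “Access management for Azure resources” switch described above.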
