This article explains how to fix your account when it gets completely FUBAR because it has been added as a guest in another Azure AD organization. This can happen in several different situations; my most typical woe is Visual Studio’s Cloud Explorer, which stops showing my subscriptions because authentication against the other organization fails. Add the extra difficulty of someone in the other directory blocking your account from signing in, and you can’t even remove the account by any usual means!
Well, there’s a long background explanation about my case specifically below, but please feel free to skip that. The actual meat of the matter is this: how do you remove your account as a guest from another Azure AD tenant?
Yeah, okay – this was the most frustrating issue I’ve had with Azure AD so far. Some time ago, a customer had invited me to their tenant with my work email to help them out with some configurations. Not knowing to be cautious, I accepted the invitation.
I investigated their situation, fixed their issues, logged out, probably blogged about the solution, and didn’t think any more about the situation.
Six months later, my Visual Studio Cloud Explorer stopped showing me any resources. Instead, I got an error somewhat like the one shown below:
Now, this should be an easy fix, right? I tried clicking “Reenter credentials”, and I was presented with…
Well, I can’t screenshot that here. Cloud Explorer actually wanted to authenticate against the customer environment before showing the subscriptions attached to my account in my own organization. The only thing you’d see would be the customer’s logo and login page.
… and just as luck would have it, the customer had locked my account in their Azure Active Directory. That blocks logging in – and removing the account.
Long story short, I couldn’t log in, I couldn’t remove the account from the Cloud Explorer, and I couldn’t access my own Azure subscriptions!
The worst thing? The customer’s IT turned out to be fairly stubborn about this. They refused to remove the account citing compliance concerns.
At this point, the only thing our IT could do was to remove the account and recreate it. But that being my only work account would mean a bit of an unwanted clean slate for yours truly – I kind of wanted to keep my emails, file history, conversation history – you know the jazz.
I didn’t want to go down that road, so I ended up not using Cloud Explorer until Microsoft finally published a user interface for managing your guest access. Not a biggie – for deployments, I use Azure DevOps Pipelines anyway, and remote debugging is so painful I don’t mind avoiding it :)
Anyway, since we finally have a nice UI for leaving offending organizations in AAD, let’s document how to use it!
First, try simply disabling authentication against the rogue directories in Visual Studio’s account settings. That would be an easy win! If it doesn’t help, the full fix has three parts: first nuke Visual Studio’s identity cache, then leave the offending organizations, and finally sign in again to your own directory.
The guide below explains these steps in detail.
Time needed: 15 minutes.
How to leave an Azure Active Directory tenant as a guest?
- Log in & find your account management
Firstly, navigate to this site:
If you’re unable to access the page by clicking the link above, sign in to the Azure Portal or Microsoft 365, click your profile picture, select “My account”, and then “Organizations”.
- Investigate and prune the organizations
At this point you probably already know which organization is giving you a hard time (Visual Studio forces you to authenticate against it, only for you to find out your account is blocked, at which point Visual Studio just gives up), so go ahead and remove it by clicking “Leave organization”.
- Make note of the AAD tenant GUID before accepting
Just in case you need it: at the time of writing, the tenant ID of the Azure AD instance you’re trying to leave is shown in the URL. It’s highlighted in purple below.
The id highlighted in red is your home tenant.
If you need to investigate each tenant (e.g. you can’t tell from the name whether it’s the tenant giving you trouble), you can craft a specific sign-in request like the one below:
The client ID in this request refers to an out-of-the-box SharePoint Online application – nothing nefarious, just one of the first-party apps that should exist in every tenant.
Entering this URL should bring up the organization-specific, often-branded login page, and you should finally figure out which Azure AD you’re trying to leave! You don’t need to actually complete the sign-in; the branding alone tells you whose tenant it is.
- “Yes” + “next” + “confirm” + “accept” + “consent” + “yes please”
I don’t actually know how many times you have to click “yes” or “next”, but it might be quite a few times.
Depending on how your account has been configured, you might get an MFA prompt or an SMS code to verify that it’s really you trying to leave the organization.
Additionally, you might need to try multiple times (for me, leaving one of the organizations took a handful of tries over multiple months, but finally succeeded). Eventually you should get an error saying something about your account missing from the directory – which is exactly what you want, since it means the guest object is gone and the follow-up sign-in to that tenant no longer finds you. Then you’re good!
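To tie the steps together from the command line, here is an added PowerShell example (not code from the original post) that inventories the tenants your account can reach, probes a tenant ID anonymously so you can check it without being forced through a blocked sign-in, and clears the local sign-in caches before you reconnect to your own directory only. It assumes the Az.Accounts module is installed, that Get-AzTenant returns Name and Domains (only recent Az.Accounts versions do; older ones show just the ID), and that Visual Studio keeps its identity cache under %LOCALAPPDATA%\.IdentityService – that path is an assumption, so the folder is renamed rather than deleted. The discovery document does not return the organization’s display name; matching the GUID from the Organizations page URL against the Get-AzTenant output is what names it.

```powershell
# Added example, not from the original post. Requires the Az.Accounts module
# (Install-Module Az.Accounts). Close Visual Studio before resetting the caches.

function Get-ReachableTenants {
    # Lists every Azure AD tenant the signed-in account can reach, including the
    # ones you are only a guest in. Name/Domains require a recent Az.Accounts.
    if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }
    $currentTenant = (Get-AzContext).Tenant.Id
    Get-AzTenant | ForEach-Object {
        [pscustomobject]@{
            TenantId         = $_.Id
            Name             = $_.Name
            Domains          = ($_.Domains -join ', ')
            IsCurrentContext = ($_.Id -eq $currentTenant)
        }
    }
}

function Test-TenantId {
    param([Parameter(Mandatory)][guid]$TenantId)
    # Anonymous probe: the OpenID Connect discovery document is public, so it tells
    # you whether a tenant ID still resolves and which region hosts it without any
    # sign-in (useful when your guest account is blocked and logging in just fails).
    $uri = "https://login.microsoftonline.com/$TenantId/v2.0/.well-known/openid-configuration"
    try {
        $doc = Invoke-RestMethod -Uri $uri -Method Get
        [pscustomobject]@{ TenantId = $TenantId; Exists = $true; Region = $doc.tenant_region_scope; Issuer = $doc.issuer }
    } catch {
        # An unknown or deleted tenant answers with HTTP 400 (AADSTS90002), which lands here.
        [pscustomobject]@{ TenantId = $TenantId; Exists = $false; Region = $null; Issuer = $null }
    }
}

function Reset-LocalIdentityCaches {
    # Assumption: Visual Studio 2017 and later store their token cache in
    # %LOCALAPPDATA%\.IdentityService. Rename instead of delete so you can roll back.
    $vsCache = Join-Path $env:LOCALAPPDATA '.IdentityService'
    if (Test-Path $vsCache) {
        $backupName = ".IdentityService.bak-$(Get-Date -Format yyyyMMddHHmmss)"
        Rename-Item -Path $vsCache -NewName $backupName
        Write-Host "Visual Studio identity cache moved to $(Join-Path $env:LOCALAPPDATA $backupName)"
    }
    # Az PowerShell caches its own contexts; drop them so the next login starts clean.
    Clear-AzContext -Scope CurrentUser -Force
}

# Usage:
# Get-ReachableTenants | Format-Table -AutoSize   # which tenants is my account attached to?
# Test-TenantId -TenantId '<guid from the Organizations page url>'
# Reset-LocalIdentityCaches                       # step 1 of the fix: nuke the caches
# Connect-AzAccount -Tenant '<your home tenant id>'  # step 3: sign in to your own directory only
```

Running Get-ReachableTenants before and after clicking “Leave organization” is also a quick way to confirm the guest relationship is really gone: the offending tenant should drop out of the list once the leave has gone through.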
It’s mind-boggling that Microsoft DIDN’T have the option to leave other directories until about a year ago, but now that they do, it works pretty well.