Deleting Azure Active Directory


If you’re like me, and I know I am, you have probably signed up for several Microsoft Online Services trials or just somehow ended up with multiple Azure AD instances associated with your Microsoft Azure subscription. Turns out they’re kind of hard to delete, but it’s not impossible. Here’s how.

Just because you don’t want the Azure AD instance around anymore doesn’t necessarily mean that your Azure subscription hasn’t become attached. If you try to just hit the delete button on your Azure AD instance, you’ll probably get something like this in return:

delete-1

So, as you can see, there’s some work to be done. Here’s how to kill off each of those without getting carpal tunnel syndrome deleting hundreds of user accounts and applications one at a time.

The first thing you need to do is connect to your Azure subscription using PowerShell. That might sound scary to some, but it’s pretty simple to do. There are two ways to do it depending on whether you want to automate the connection or log in interactively (and not type your password in a plain text script).

Either way, if you haven’t done this before you will want to install the Microsoft Online Services Sign-In Assistant from (http://go.microsoft.com/fwlink/?LinkID=286152) and the Azure AD PowerShell module (http://go.microsoft.com/fwlink/p/?linkid=236297) before continuing.

Ready to go? OK, if you want to automate all of this as much as possible, you can authenticate to Azure like this below (the admin account is probably the <name>@mydomain.onmicrosoft.com account that you used when you first created your AAD):

$User="<admin account for the AAD you want to delete>"
$Password="<Password>"
$SecurePassword = $Password | ConvertTo-SecureString -AsPlainText -Force
$msolcred = New-Object –TypeName System.Management.Automation.PSCredential ($User,$SecurePassword)
connect-msolservice -credential $msolcred

OR, if you don’t want someone to see your password and want to log in interactively, do this instead:

$msolcred = get-credential
connect-msolservice -credential $msolcred

Freshly authenticated, at the top of the list of offending items stopping you from deleting your Azure AD is users.

Yep, there they are. Hundreds of them. Let’s delete them.

users-1

You can only delete an Azure AD directory if you, the AAD admin, are the only user associated with it. After connecting to Azure with PowerShell, you can get a list of all users by running this command (choose the path and file name of your liking):

Get-MsolUser –All | Export-CSV C:\temp\users.csv

Bonus Tip: you can get groups like this too, but technically you don’t have to delete them to delete your Azure AD: Get-MsolGroup –All | Export-CSV C:\temp\groups.csv.

Open the recently exported users.csv file and look in the SignInName column (column AO in my exported .csv) to find the AAD admin account you're logged in as (probably something like admin@mydomainname.onmicrosoft.com). Delete that row to remove the user account (you) from the file and save it. Now that every user (except you) is listed in that .csv file, it’s time to import the file and delete everyone.

Say any final words you feel are appropriate and then run this command to recycle user account electrons:

Import-CSV C:\temp\users.csv | Remove-MsOlUser –Force

Bonus Tip #2: You can whack Azure AD groups like this too, but again, it’s not necessary to delete your AAD instance: Import-CSV C:\groups.csv | Remove-MsOlGroup –Force.

Altogether, it looks something like this:

ps1

Go grab a snack because it might be a few minutes depending on how many users you need to send to oblivion. After a bit, only the admin account you’re using to delete the directory should be present.

users-2

All users besides you gone? Check.

delete-2

Next on my hit list are the enterprise applications. Back in PowerShell, you need to run a few different commands. To see the list of applications blocking you from deleting your AAD instance, run this command:

Get-MsolServicePrincipal | Select Displayname

Some of the returned app names are required and can stay, but others, the ones users have added, have to go. Time to say good-bye:

Get-MsolServicePrincipal | Remove-MsolServicePrincipal

Haha you say, my screen is full of red errors! I know, I know, just ignore those and run that first command again to see who’s left…those are the ones you don’t have to (read: can’t) delete this way. See?

ps2

With enterprise applications gone, there's just one last thing blocking us from deleting this Azure AD instance: active Microsoft Online Services subscriptions.

delete-3

If you’ve only got Azure AD to delete, then you probably already have one of those coveted check marks and can just click Delete now and be done.

Me on the other hand, I’ve got this Azure AD instance intertwined with an Enterprise Mobility + Security E3 subscription…AKA another Microsoft Online Services subscription (could just as easily be Intune, Office 365, or Azure AD Premium). So, I can’t delete the Azure AD instance until the EMS subscription is taken care. Let’s go do that.

The easiest way (I think) to do this, is to log into the Office 365 portal (portal.office.com), and then go to Billing > Subscriptions. Under the “More actions” drop-down, select Cancel (or cancel trial in my case):

cancel-subscription

This will set your subscription to Disabled not deleted. You can’t delete it because subscriptions have a life cycle of their own. That’s OK though as once you remove your Microsoft Account from the directory you won’t see it in your Azure subscription's AAD directories list again unless you log in with the admin account you deleted everything with within 90 days of disabling the subscription.

subscription-lifecycle

When the subscription is deprovisioned (90 days from when you cancelled it), the Azure AD instance associated with it will also automatically be history.

Delete Azure AD. Done!


You’ve seen my blog; want to follow me on Twitter too? @JeffGilb.

Comments (0)

Skip to main content