"This is fine" - a fine meme, I mean.

Guide: How to take over and kill a viral AAD tenant?

This post was most recently updated on July 28th, 2022.

4 min read.

Rogue Azure Active Directories don’t sound like a huge and widespread problem, but Microsoft’s approach of generating unmanaged, viral AAD tenants whenever they encounter the tiniest reason to do so MUST be driven by some weird internal scorecard where “number of tenants” has a lot of weight, because you do get an Azure AD tenant really easily, and getting rid of one is surprisingly laborious. This guide aims to explain the quickest way to remove one.

Background

Unmanaged directories can be troublesome because they are just that – unmanaged. And one can get created for your Xbox Live account, and the next time you’re trying to buy more V-Bucks in Fortnite, instead of a credit card number, you’re asked to input the MFA code from Microsoft Authenticator – the only problem being, you have never configured MFA for your account (don’t worry – I know you’re better than that! – But for the sake of argument, let’s suppose that you’re not) and have no idea where you might get a code.

That’s what viral AAD will do to you. Well, that and Azure Active Directory Security Defaults. But let’s not go there. That’s a rabbit hole for another time, and perhaps for someone else to write about.

So how do you get your account to be managed by an unmanaged Azure Active Directory tenant? How does your private, personal Xbox Live/OneDrive/Teams Personal account get infected by a viral directory, hampering your access forever?

Mine got created when I activated a Microsoft Learn sandbox environment. Oh, the regrets an ill-advised decision made in the heat of the moment can cause, right?

Anyway – this guide will – well – guide you through the process of first taking over, and then (optionally) deleting the Azure Active Directory tenant.

“Shoot yourself in the foot: 101”

Long story short, I ended up having (at least) 2 accounts with the same email address, and Microsoft was having a hard time telling them apart. This meant that any time I wanted to log in to Azure, SharePoint, Microsoft Learn, Xbox Live, or other services, I’d see something like this:

Leading to this:

And causing all kinds of funkiness – like Microsoft Teams constantly logging you out, Azure Portal asking for an MFA prompt every time you navigate anywhere, or adding a OneDrive account to your machine failing.

The most annoying part is that after 14 days the unmanaged tenant really DOES start managing your account by trying to enforce MFA on you. If you never use it, it doesn’t matter – but if you want to remove the account after 14 days, you’ll FIRST need to configure MFA to do that.

That adds even more steps to the already lengthy (~20 steps, taking 10-15 minutes) guide below. That said, a lot of the steps could be automated using PowerShell – if Microsoft Learn doesn’t find a proper way to manage the sandboxes, I’ll probably have to create an auto-purge PowerShell script for this.

Solution

So let’s jump to the actual steps for taking over and removing the viral, rogue AAD tenant, right?

Time needed: 30 minutes

How to take over and kill an unmanaged AAD tenant?

  1. Create a new user context

    The easiest way to do that is probably by signing up for a free trial of Power BI. You can do that below:
    https://app.powerbi.com/signupredirect?pbi_source=web

    Why is this required?

    Even if you log in to your account in the Azure portal, for whatever reason it doesn’t get you access to the Admin takeover site unless you come in through Power BI or a similar signup. Something to do with your user context?

  2. Enter your user account


  3. Sign in



  4. Click “Start” to sell your soul (no worries – it’s only temporary!)




    After this, you might need to click “next”, “yes”, “skip” and “accept” a few times, but you’ll be fine.

  5. Navigate to tenant administration

    Hit the waffle menu to bring up “Admin”.


  6. Start the takeover




  7. Verify your domain ownership

    This needs to be done to prove you actually do own the domain for which you’re trying to perform the takeover.



    Now, my website’s DNS is managed by Cloudflare. You might be using some other provider – but let’s take a really quick look at how to modify the records on Cloudflare.

  8. Modify your DNS records

    Log in to your nameserver provider and find the DNS configuration. The example below is from Cloudflare.

  9. Add the TXT record

    Just copy-paste the values from the “Admin takeover” page.
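The Admin takeover page only succeeds once the TXT record you added in steps 8 and 9 is visible from public resolvers, so it is worth checking propagation before clicking verify rather than guessing at whether Cloudflare (or whichever provider you use) has published it yet. This is an added example, not code from the original post; it uses the built-in Resolve-DnsName cmdlet, and the domain and the expected value (the “MS=…” string from the Admin takeover page) are placeholders you replace with your own.

```powershell
# Added example, not from the original post. Checks that the TXT record
# requested on the "Admin takeover" page is already answered by public
# resolvers, so the verify step does not fail on a record that has not
# propagated yet. Domain, expected value and resolvers are placeholders.
function Test-TakeoverTxtRecord {
    param(
        [Parameter(Mandatory)] [string]   $Domain,          # e.g. your own apex domain
        [Parameter(Mandatory)] [string]   $ExpectedValue,   # copy from the Admin takeover page
        [string[]] $Resolvers = @('1.1.1.1', '8.8.8.8')     # Cloudflare and Google public DNS
    )

    foreach ($resolver in $Resolvers) {
        try {
            # -DnsOnly skips the local hosts file / cache so we see what the
            # public resolver actually returns right now
            $answer = Resolve-DnsName -Name $Domain -Type TXT -Server $resolver -DnsOnly -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Resolver = $resolver; Found = $false; Records = @(); Error = $_.Exception.Message }
            continue
        }

        # A TXT record can be split into several strings; join them before comparing
        $txtValues = $answer |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { -join $_.Strings }

        [pscustomobject]@{
            Resolver = $resolver
            Found    = [bool]($txtValues -contains $ExpectedValue)   # exact match, not substring
            Records  = $txtValues
            Error    = $null
        }
    }
}

# Placeholder values: replace with your domain and the value Microsoft gave you
Test-TakeoverTxtRecord -Domain 'example.com' -ExpectedValue 'MS=ms00000000' | Format-Table -AutoSize
```

If some resolvers report Found = True and others False, the record is still propagating; wait and re-run rather than retrying the verify button repeatedly. The comparison is an exact match on purpose: Microsoft checks for the whole “MS=…” string, so a typo in the record value shows up here as Found = False with the wrong text listed under Records.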

  10. Success!

    Great! Now we’re the admin for this tenant.



    Let’s proceed by clicking “Ok”

  11. (Optional) Let’s delete this sucker!

    If you’re fine with just taking over an unmanaged tenant, then you can call it a day. But if you actually wanted to get rid of this rogue directory, let’s continue our cleanup!

    First, you need to navigate to Billing > Your Products.

  12. Remove your products

  13. Remove each product or subscription

    If it asks you for confirmation, just hit “yes”, “ok”, “sure, whatever”, or whichever option you think will let you actually kill off the products that are blocking you from removing this rogue tenant.
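The tenant deletion check refuses to proceed while subscriptions, extra users or app registrations remain, which is exactly the situation the “licenses or Microsoft 365 self-signup products” error under Possible issues describes. Rather than bouncing between the admin center and the deletion page, it helps to have one list of what is still attached to the tenant. The following is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed, that you are signed in as the Global Admin you became in step 10, and the tenant name passed at the bottom is a placeholder.

```powershell
# Added example, not from the original post. Lists what still blocks
# "Delete tenant" on a taken-over viral tenant: enabled licenses/products,
# users other than the admin you are signed in as, and app registrations.
# Assumes Install-Module Microsoft.Graph has been run. Tenant is a placeholder.
function Get-TenantDeletionBlockers {
    param(
        # Tenant ID or initial *.onmicrosoft.com domain of the rogue tenant
        [Parameter(Mandatory)] [string] $TenantId
    )

    # Read-only scopes are enough for an inventory; nothing here deletes anything
    Connect-MgGraph -TenantId $TenantId -Scopes 'Directory.Read.All', 'Organization.Read.All' | Out-Null

    # Licenses / self-signup products (the "Your Products" list from step 11-13).
    # Products you just cancelled can linger here for a while before disappearing.
    $skus = Get-MgSubscribedSku | Where-Object { $_.CapabilityStatus -ne 'Deleted' }

    # Every user except the one you are signed in as has to go before deletion
    $me    = (Get-MgContext).Account
    $users = Get-MgUser -All -Property Id, UserPrincipalName, UserType |
             Where-Object { $_.UserPrincipalName -ne $me }

    # App registrations also stop the delete
    $apps = Get-MgApplication -All

    [pscustomobject]@{
        TenantId         = $TenantId
        SignedInAs       = $me
        ActiveSkus       = @($skus  | ForEach-Object { "$($_.SkuPartNumber) ($($_.CapabilityStatus))" })
        ExtraUsers       = @($users | ForEach-Object { $_.UserPrincipalName })
        AppRegistrations = @($apps  | ForEach-Object { $_.DisplayName })
        ReadyToDelete    = (-not $skus) -and (-not $users) -and (-not $apps)
    }
}

# Placeholder tenant name; use the rogue tenant's ID or initial domain
Get-TenantDeletionBlockers -TenantId 'contoso.onmicrosoft.com' | Format-List
```

Run it once after step 13 and again after removing whatever it lists; when ReadyToDelete comes back True the “Delete tenant” blade should pass its checks, and if it still complains about products, the SKU list tells you which cancellation has not taken effect yet.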


  14. Navigate to Azure Active Directory Admin Center

  15. Delete tenant

    Select “Azure Active Directory” and then “Delete tenant”:

  16. You should now be able to remove your tenant




    If you get an error about lacking permissions to access some Azure resources, see the Possible issues section below.

  17. And you’re done!



Possible issues

As usual, there are a few pitfalls you might fall into. Let’s take a quick look and see what’s what!

Deletion is impossible due to missing Azure permissions

Hit “Get permission to delete all Azure resources”, or go to your Azure Active Directory instance’s properties and select this:

How to enable access to Azure subscription from Azure AD?

Then hit “Save”.
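The “Access management for Azure resources” switch does one concrete thing: it grants your Global Admin account the User Access Administrator role at root scope (“/”), which is what lets the deletion check see and clean up Azure subscriptions left in the tenant. The same toggle can be flipped from PowerShell, which is handy if the portal blade misbehaves, and more importantly it can be flipped back: the elevation does not expire by itself, so it should be removed once the cleanup is done. This is an added example, not code from the original post; it assumes the Az module and that $TenantId and $UserPrincipalName hold your own values.

```powershell
# Added example, not from the original post. Equivalent of the
# "Access management for Azure resources" switch: elevate the signed-in
# Global Admin to User Access Administrator at root scope, check it, and
# (after the tenant cleanup) remove the elevation again.
# Assumes Install-Module Az. Both values below are placeholders.
$TenantId          = '00000000-0000-0000-0000-000000000000'
$UserPrincipalName = 'admin@example.com'

Connect-AzAccount -Tenant $TenantId | Out-Null

# Elevate: documented ARM endpoint behind the portal toggle
$response = Invoke-AzRestMethod -Method POST `
    -Path '/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01'
if ($response.StatusCode -ne 200) {
    throw "elevateAccess failed: HTTP $($response.StatusCode) $($response.Content)"
}

# Verify the root-scope assignment actually exists before retrying "Delete tenant"
Get-AzRoleAssignment -Scope '/' -SignInName $UserPrincipalName |
    Where-Object { $_.RoleDefinitionName -eq 'User Access Administrator' }

# ---- run this part only once the tenant cleanup is finished ----
# The elevation is permanent until removed; a standing root-scope role on a
# personal admin account is not something you want to leave behind.
Remove-AzRoleAssignment -SignInName $UserPrincipalName `
    -RoleDefinitionName 'User Access Administrator' -Scope '/'
```

If the goal is to delete the tenant outright, the elevation disappears with it; if you keep the taken-over tenant instead, the final Remove-AzRoleAssignment is the step that matters.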

Deletion is impossible due to licenses or Microsoft 365 self-signup products

If, when deleting the tenant, you get this kind of view:

“Deletion is impossible due to licenses or Microsoft 365 self-signup products” leads you to this view

… I don’t think you followed my guide closely enough. You missed the step where you needed to remove products.

Go back to Admin Center > Billing > My Products, and remove all of the products/subscriptions.


Any other issues you might run into – just let me know in the comments section below!
