How to delete an Azure Active Directory connected to Microsoft Online Services
You are unable to delete an Azure Active Directory (AAD) with error message: "Directory has one or more subscriptions to Microsoft Online Services." In that case it is not possible to delete the directory through the Azure Management Portal. There are two options: a) (a workaround) disconnect the AAD from your account and b) contact support and let the associated domain deleted (not an easy process).
What's the problem?
In my job role as Technical Evangelist for Microsoft Azure I demonstrate Azure a lot and create a lot of AADs, of course in combination with Azure Active Directory Premium. And that's the reason why I can't delete my directories.
If you try, you get the following error message:
If you have one of the following subscriptions connected to your AAD, then you cannot delete the AAD through the Azure Management Portal.
- Office 365
- Azure Rights Management
- Azure Active Directory Premium
What's the solution?
As stated in the KB article 2967860 (You can’t delete a directory through the Azure Management Portal) you have to call the support. The reason is, with your AAD is connected a sub domain XXX.onmicrosoft.com. And that is not an easy task to delete that sub domain. If you really need that sub domain delete you have to contact the support.
There is an easy workaround if you just want the AAD disconnected from your account.
- Create a new user in your AAD with global admin rights.
- Log in at https://portal.office.com with the newly created user account and switch into configuration to the active users. In that list remove your account that you usually use to log in to Azure Management Portal.
- That’s it! Of course the sub domain still exists.
- Tip: If you want for any chance access again to that AAD save the credentials from step 1.
So, you have your list of AADs. If I want to delete an AAD, I get the error message you see above and below.
First, create a new user with global admin rights.
Next, you have to change the initial password of this new user. Generally, you can use whatever site uses an AAD login. I prefer to use myapps.microsoft.com.
Next, you go to portal.office.com and login via the newly created user. There, you switch to active users and delete your user account which you use for your Azure login. In my case it is my company account from Microsoft. In your case it could be your company account or some other Microsoft account (former Live ID). You typically recognize this account because it has #EXT# string in it.
Finally, you can check back in the Azure Management Portal if you have successfully disconnected your login from the AAD by refreshing the portal.
Things to consider
- If you want for any chance access again to that AAD save the credentials from the newly created user. In my case this was the Delete Me user.
- The sub domain XXX.onmicrosoft.com still exists and is not deleted. If you want this sub domain delete, you really have to contact support.
- As stated in the Azure Directory Limits one single user can only be associated to 20 AADs. If demonstrate AAD a lot like me, you should have a plan.
- You can disconnect your user account as described in this article.
- You could create an Azure trial account with a new Microsoft account for each demonstration.
If you have the error message that you cannot delete the AAD because of one or more existing applications, there is a good blog post by Eric Golpe: Walkthrough of Deleting an Azure AD Tenant
The exact error message for that problem would be:
The following issue(s) prevent deletion of this directory:
Directory contains one or more applications that were added by a user or administrator.
About this article
In this article I experimented to use animated GIFs instead of static images. The advantage is that it should be easier to follow the steps. Disadvantage is clearly the flurry on the page. Let me know what do you think in the comments.