0 votes

I previously created (successfully) a Windows Azure Active Directory, added a custom domain, and configured it for both single sign-on and directory synchronization using an on-premise ADFS2.0 server. So far so good.

Having realised I should have attached the custom domain to an existing WAAD rather than the new one, I then decided to delete the new one. To ensure there was no risk of deleting any objects in the on-premise AD, I first deleted the trust relationship on our on-premise ADFS server.

Unfortunately, this has now left me in a situation where I'm unable to use the Azure Active Directory PowerShell cmdlets to manage the WAAD - Connect-MSOLService either returns "Exception of type 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException' was thrown." if I use the Microsoft Account credentials of the subscription owner (but where the email address happens to be on the same domain as the custom domain I added), or "The user name or password is incorrect. Verify your user name, and then try again" if I use the credentials of another Global Administrator of that directory with an email address not on the custom domain.

Both sets of credentials allow logging in to the portal successfully.

Unfortunately I can't now delete the WAAD, because it contains objects - and without PowerShell access, I don't believe I can bulk delete the ~500 users and groups that got sync'd from on-premise before deleting the trust.

Any idea how I can either recover the trust relationship, connect successfully with PowerShell, or delete the unwanted directory?

Many thanks!

1
There is currently no way to delete a directory. So, you may want to just rename this unwanted directory for now to something so that you know not to use it. I use "DELETE-ME-x" in my subscriptions where x is just a number. As for connecting, you should still be able to connect. Are you trying to connect using your previous custom domain credentials? For example, [email protected]? If so, try your [email protected] credentials to see if you can connect that way. – Rick Rainey
@RickRainey - thanks. The more important bit is to remove the users and custom domain, rather than the whole directory, so I can add the custom domain to another directory. The custom domain creds won't work any more because they were (always) SSO-based, and the ADFS server now knows nothing about WAAD. I've tried the ...onmicrosoft.com ones as well, to no avail. – rmc47
Ok. So, since you're able to log into the portal, you should be able to go to the DOMAINS section for your directory, highlight your custom domain, and click on the DELETE button to release the custom domain. Then you can go through the process again to register that domain with another directory. – Rick Rainey
@RickRainey Thanks very much for the input - problem now solved (accepted answer below), but for anyone else's reference: you can't delete a custom domain while it contains users, and since I had managed a DIRSYNC, I had ~800 users, which you can't bulk delete through the portal. I didn't fancy clicking the delete button that many times by hand, hence the desire for PS :-) – rmc47

1 Answer

2 votes

Try the following (I'm sure you've done most of this, but perhaps you missed a step):

  1. Log in to the Azure portal (https://manage.windowsazure.com) and navigate to ACTIVE DIRECTORY.
  2. Choose the directory that you aren't able to access via PowerShell and click ADD USER.
  3. Under 'TYPE OF USER', choose 'New user in your organization' and choose a username, under the initial domain (e.g. admin@contoso.onmicrosoft.com).
  4. Fill out the next page, and make sure you assign the role of 'Global Administrator'. Make sure you copy the password in the last step.
  5. Once the user is created, you need to reset the password. An easy way is to start a new browser session and navigate to https://portal.microsoftonline.com. You'll be prompted to reset the password.
  6. Now go to PowerShell and try Connect-MsolService using the new user account you just created. You should now be able to remove all objects.

A few notes:

  • Even if you are able to add a Microsoft Account (MSA) to your directory via the Azure portal, there is currently no support for using the user account for anything else, including PowerShell.
  • Every directory has an initial domain which ends in '.onmicrosoft.com'.
  • You won't be able to remove a domain if there are any users using that domain. If this is not the case, you can remove the domain using the Azure portal ('DOMAINS' section) and simply forget about that directory.
  • As @Rick Rainey said, you can't currently remove a directory, but you can leave it empty.
  • Currently, DirSync is a one-way sync where everything is mastered on-premises.
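The answer's final step ("remove all objects") is where the ~800 synced users in the question live, and it is the part the portal cannot do in bulk. The PowerShell below is an added example and is not code from the answer or from Microsoft; it shows one way to carry out that step with the MSOnline cmdlets once Connect-MsolService works with the new cloud-only Global Administrator. The domain name and admin UPN are placeholders, the use of the LastDirSyncTime property to recognise synced groups is an assumption about the group object, and the script reports only until you pass -Commit, so you can check the list before anything is deleted. Running it against the wrong directory would delete every user on that domain, which is exactly why it refuses to touch the account you sign in with and why the dry run is the default.

```powershell
<#
  Added example, not part of the original answer.
  Removes the users and groups that DirSync left in an Azure AD directory for one
  custom domain, purges them from the recycle bin, then releases the domain.
  Assumes the MSOnline module is installed and that you sign in with the cloud-only
  Global Administrator created in the answer (e.g. admin@contoso.onmicrosoft.com),
  which lives on the initial .onmicrosoft.com domain and is therefore never deleted.
  Placeholders: -CustomDomain (e.g. contoso.com) and -AdminUpn.
#>
param(
    [Parameter(Mandatory = $true)][string]$CustomDomain,  # e.g. "contoso.com"
    [Parameter(Mandatory = $true)][string]$AdminUpn,      # e.g. "admin@contoso.onmicrosoft.com"
    [switch]$Commit                                       # default is a dry run
)

Import-Module MSOnline
Connect-MsolService   # prompts for the .onmicrosoft.com admin credentials

# The sign-in account must not be on the domain being emptied; otherwise the
# script would lock you out of the directory it is cleaning up.
if ($AdminUpn.Split('@')[1] -ieq $CustomDomain) {
    throw "Sign in with an account on the initial .onmicrosoft.com domain, not on $CustomDomain"
}

# Confirm the domain really is attached to this directory before doing anything.
$domain = Get-MsolDomain -DomainName $CustomDomain -ErrorAction Stop
Write-Host "Domain $($domain.Name): status=$($domain.Status) authentication=$($domain.Authentication)"

# DirSync still enabled means the objects are mastered on-premises (see the note
# above); warn so the operator can decide whether to disable it first.
if ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    Write-Warning "Directory synchronization is still enabled for this directory; " +
                  "synced objects may be re-created or refuse deletion until it is turned off."
}

# Users whose UPN suffix is the custom domain, excluding the admin used to sign in.
$users = Get-MsolUser -All | Where-Object {
    ($_.UserPrincipalName.Split('@')[1] -ieq $CustomDomain) -and
    ($_.UserPrincipalName -ine $AdminUpn)
}
# Groups that DirSync created carry a LastDirSyncTime (assumption about the object).
$groups = Get-MsolGroup -All | Where-Object { $_.LastDirSyncTime }

Write-Host "Found $($users.Count) users on $CustomDomain and $($groups.Count) synced groups"
$users  | Select-Object UserPrincipalName, DisplayName, LastDirSyncTime | Format-Table -AutoSize
$groups | Select-Object DisplayName, LastDirSyncTime | Format-Table -AutoSize

if (-not $Commit) {
    Write-Host "Dry run only. Re-run with -Commit to delete the objects listed above."
    return
}

foreach ($g in $groups) {
    Remove-MsolGroup -ObjectId $g.ObjectId -Force
}
foreach ($u in $users) {
    Remove-MsolUser -ObjectId $u.ObjectId -Force
}

# Deleted users sit in the recycle bin for 30 days and still count as members of
# the domain, so purge them too or the domain removal below will be refused.
Get-MsolUser -ReturnDeletedUsers -All |
    Where-Object { $_.UserPrincipalName.Split('@')[1] -ieq $CustomDomain } |
    ForEach-Object { Remove-MsolUser -ObjectId $_.ObjectId -RemoveFromRecycleBin -Force }

# With no users left on it, the custom domain can be released and re-registered
# in the directory where it should have been attached in the first place.
Remove-MsolDomain -DomainName $CustomDomain -Force
Write-Host "Removed $CustomDomain from the directory."
```

Run it once without -Commit and read the tables it prints; the only objects that should appear are the ones DirSync pushed up before the trust was deleted. If the domain is still reported as Federated, the remaining federation settings point at an ADFS server that no longer knows the directory, so expect to convert or re-check the domain's authentication type before Remove-MsolDomain succeeds; that part is not covered by the answer and should be verified on your own tenant.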