0
votes

I have a Microsoft Azure pay-as-you-go subscription. When I first started to try Azure, I created a lot of trial directories and services. Now I would like to clean up my account, but I am unable to delete the Active Directory because I am a user in that directory. How can I clean up my Azure and restore it to a first-time-use state?

The error message is:

User [email protected] is a Service administrator for subscription Access to Azure Active Directory and cannot be removed.

2 Answers

0
votes

First, you should know the following about deleting an Azure AD directory:

  1. Only the user who has been assigned the "Global Administrator role" can delete the directory. By default, the user who signs up for the Azure subscription will get this role.

  2. Any other users in the directory except the global administrator should be deleted before you delete the directory. Any applications should be deleted as well.

  3. You cannot delete the Azure AD directory on the Azure portal if there are still Azure subscriptions associated with this directory.

  4. A work and school account cannot delete its home directory (the directory in which the account was created). Only a guest user (an external user added from another directory, or a Microsoft account) can delete the directory.

Just think about the following two scenarios:

1. You use a work and school account (Azure AD account) to sign up for Azure

When you sign up for the Azure subscription, you already have an Azure AD directory which contains the default domain. Your sign-up account will be assigned both the Service Administrator role for Azure and the Global Administrator role for Azure AD. In this case, you cannot delete this default directory because this is the home directory of that account.

2. You use a Microsoft Account (Outlook, Hotmail, etc.) to sign up for Azure

In this scenario, this account is a guest user in the default directory (directory A). Assume that he/she creates another directory later (directory B). By default, the Azure subscription will be associated with directory A and you cannot delete it, as noted above. However, you can change the associated directory to directory B on the Settings note (Azure classic portal). After doing this, you will be able to delete directory A because the association has been removed.

0
votes

I wrote a blog page on how to delete an active directory tenant. I have updated the process to use the new portal and the newer AzureAD PowerShell cmdlets.

https://blog.nicholasrogoff.com/2017/01/20/how-to-delete-an-azure-active-directory-add-tenant/

If you just want to clear out all the users, applications and other stuff then you can use PowerShell commands like:

    Get-AzureADGroup | Remove-AzureADGroup
    Get-AzureADUser | Remove-AzureADUser

etc.

To fully remove the AD Tenant you do need to clear it out and my blog explains how to do this with Principals and Applications, but the principle is the same for all objects.
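The following is an added example, not code from either answer or from the linked blog: a read-only inventory, using the AzureAD PowerShell module mentioned above, of the objects the first answer says must be gone before a directory can be deleted (users other than the global administrator, and applications), plus the groups the second answer clears out. It assumes the AzureAD module is installed and that you sign in to the directory you intend to delete; it deletes nothing and cannot see subscription associations, which still have to be checked in the portal.

```powershell
# Added example: read-only pre-deletion inventory. Nothing is removed.
# Assumption: the AzureAD module is installed and Connect-AzureAD signs in
# to the directory you plan to delete.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Confirm which tenant the session is bound to before reading anything else.
$session = Get-AzureADCurrentSessionInfo
"Tenant: {0} ({1})" -f $session.TenantDomain, $session.TenantId

# This module lists the Global Administrator role as "Company Administrator".
# Get-AzureADDirectoryRole only returns roles that have been activated.
$adminRoles = @(Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -in 'Company Administrator', 'Global Administrator' })
$admins = @($adminRoles | ForEach-Object {
    Get-AzureADDirectoryRoleMember -ObjectId $_.ObjectId
})
$adminIds = @($admins | Select-Object -ExpandProperty ObjectId -Unique)

# Everything that still has to be removed before the directory can be deleted.
$users      = @(Get-AzureADUser -All $true)
$otherUsers = @($users | Where-Object { $_.ObjectId -notin $adminIds })
$apps       = @(Get-AzureADApplication -All $true)
$groups     = @(Get-AzureADGroup -All $true)

# Summary counts: the last three should all be 0 before attempting deletion.
[pscustomobject]@{
    GlobalAdmins = $adminIds.Count
    OtherUsers   = $otherUsers.Count
    Applications = $apps.Count
    Groups       = $groups.Count
} | Format-List

# UserType distinguishes Member accounts (home directory) from Guest accounts,
# which matters for who is allowed to delete the directory.
"Global administrators:"
$users | Where-Object { $_.ObjectId -in $adminIds } |
    Select-Object UserPrincipalName, UserType, ObjectId | Format-Table -AutoSize

"Users still to be removed:"
$otherUsers | Select-Object UserPrincipalName, UserType, ObjectId | Format-Table -AutoSize

"Applications still to be removed:"
$apps | Select-Object DisplayName, AppId, ObjectId | Format-Table -AutoSize
```

Reviewing this output first also shows whether the account you are signed in with is itself in the list that a bulk `Get-AzureADUser | Remove-AzureADUser` would act on.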