Azure AD B2C tenant deletion fails - azure

I can't delete my B2C directory.
I've followed the instructions at "How do I delete my Azure AD B2C tenant?", but it fails, even though all resource statuses are green.
I've purged all applications, signed into the tenant with the CLI and done an az ad app list which returns an empty array.

As it turns out, this is due to a remaining Enterprise Application being enabled for login.
To fix:
Switch into the B2C tenant then go to Azure Active Directory (type AAD into the resources search box).
Select Enterprise Applications on the left navigation
Select each application in turn then go to Properties
Change "Enabled for users to sign-in?" to No
Save
Then follow the normal instructions to delete the tenant.
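A scripted form of the steps above, as an added example that is not part of the original answer: it uses the Microsoft Graph PowerShell SDK to report what is still in the B2C tenant and, with a `-Fix` switch, to turn off "Enabled for users to sign-in?" on every enterprise application (that toggle is the `accountEnabled` property of the service principal, not of the app registration). The tenant name and the `-Fix` switch are assumptions for illustration.

```powershell
<#
  Added example (not code from the original answer).
  Audits a B2C tenant before deletion and, with -Fix, disables
  "Enabled for users to sign-in?" on every enterprise application.
  Requires: Install-Module Microsoft.Graph
  Assumption: the tenant name below is a placeholder.
#>
param(
    [string]$TenantId = "myadb2ctest.onmicrosoft.com",  # placeholder, replace with your B2C tenant
    [switch]$Fix                                         # without -Fix the script only reports
)

# Sign in to the B2C tenant itself, not to the home tenant that holds the subscription.
Connect-MgGraph -TenantId $TenantId -Scopes "Application.ReadWrite.All", "User.Read.All"

$apps  = @(Get-MgApplication -All)
$sps   = @(Get-MgServicePrincipal -All)
$users = @(Get-MgUser -All)
Write-Host ("App registrations: {0}   Enterprise applications: {1}   Users: {2}" -f $apps.Count, $sps.Count, $users.Count)

# The portal toggle maps to accountEnabled on the service principal
# (the Enterprise Application object), not on the app registration.
$stillEnabled = @($sps | Where-Object { $_.AccountEnabled })

foreach ($sp in $stillEnabled) {
    if (-not $Fix) {
        Write-Host "Enabled for sign-in: $($sp.DisplayName) [$($sp.AppId)]"
        continue
    }
    try {
        Update-MgServicePrincipal -ServicePrincipalId $sp.Id -AccountEnabled:$false
        Write-Host "Disabled sign-in:    $($sp.DisplayName) [$($sp.AppId)]"
    } catch {
        # Some Microsoft first-party service principals cannot be modified; report and move on.
        Write-Warning "Could not disable $($sp.DisplayName): $($_.Exception.Message)"
    }
}

if ($stillEnabled.Count -eq 0) {
    Write-Host "No enterprise application is enabled for sign-in; proceed with the portal deletion steps."
} elseif (-not $Fix) {
    Write-Warning "$($stillEnabled.Count) enterprise application(s) still allow sign-in. Re-run with -Fix to disable them."
}
```

Run it once without `-Fix` to see the list. The Microsoft first-party service principals that every tenant contains (Microsoft Graph and similar) show up as well, which is why the update is wrapped in try/catch; `az ad app list` returning an empty array only proves that no app registrations remain, while the blocker described in the answer lives on the service principal side.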

Related

Azure Active Directory B2C Tenant

I have a structural question on the Azure portal. When I create a new Azure Active Directory B2C Tenant, it forces the creation of a new directory, with new org name, paired to the subscription ID from the directory where I created the tenant. This feels incredibly disjointed to me since my Active Directory is in my parent directory. So my questions are
Is this the standard model for using Azure Active Directory B2C?
Main Directory w/ subscription
-> B2C Tenant 1 (dev)
-> B2C Tenant 2 (staging)
-> B2C Tenant 3 (prod)
If so, does that mean that I should create all resources for the environment in the B2C Tenant directory?
Can I make multiple Azure Active Directory B2C tenants in my main account, and just separate them into different resource groups for dev, staging, and prod?
Reading the documentation, everything seems to show either creating a new Tenant, which creates a new directory, or "Linking" an existing Tenant. The issue with that is that when you create a tenant, you MUST specify a subscription, and to "Link" a Tenant, it cannot have a subscription, and since you can't remove a subscription from a Tenant, how is this option even possible?
Any help or guidance on these points would be greatly appreciated. I've spent days reading documentation and trying to get this set up along the lines of option 2 since that's the model that exists in a client account I need to replicate, but nothing has worked.
EDIT
I see that I can click on the B2C Tenant from my main Azure Active Directory account and see its subscription status as
An Azure subscription is required to continue receiving SLA support for External Identities
but when I click that it takes me to the Azure AD B2C directory and I'm confronted with this image
[![enter image description here][1]][1]
but when I look at the resource in the main Azure AD directory, I see I can move subscriptions but there is **already a subscription assigned** so what does it want me to do?
[![enter image description here][2]][2]
It seems like the answer is "An Azure AD B2C directory is ONLY meant to manage the B2C tenant, and nothing else" but the only person to reply to this so far is saying that you should create all your resources in the B2C tenant directory, not the Azure Active Directory Account which has the resource group referencing the created B2C tenant.
[1]: https://i.stack.imgur.com/g3dMY.png
[2]: https://i.stack.imgur.com/72sH7.png
• When you create an Azure B2C tenant in your existing subscription, a new Azure AD directory with the name of the given Azure AD B2C tenant is created and related to it; a separate Azure AD B2C tenant/directory is also created. That is, under the name of the Azure AD B2C tenant, a normal Azure AD B2C directory is available, and an Azure AD B2C directory/tenant is also available.
• Thus, when you create an Azure AD B2C tenant, it will be shown under the resource group in which it is assigned. Also, if you want to create a new resource in this new Azure AD B2C tenant, then you will need to link it with an existing subscription or add a new subscription to it, as it functions as a full-fledged separate tenant with an existing Azure AD default directory to take care of the Identity and Access Management requirements.
If so, does that mean that I should create all resources for the environment in the B2C Tenant directory?
Yes, you can separate your ‘dev, staging and prod’ B2C tenants for your convenience and create resources in it for your management purposes but you will have to link every B2C tenant with an active subscription plan so that the billing costs of the resources deployed in it are taken care of.
Can I make multiple Azure Active Directory B2C tenants in my main account, and just separate them into different resource groups for dev, staging, and prod?
Yes, you can as per the above given explanation.
Thus, for creating a new B2C tenant, you need to have an existing subscription of Azure and an existing Azure AD tenant through which you can surely create an Azure AD B2C tenant and further if you want to deploy Azure resources in it, then you can add a subscription or link an existing one.
Please find the snapshots below for your reference.

Owned Azure Subscription not showing in Azure DevOps Pipeline

I am trying to setup an CICD from our Azure Devops to the Azure Subscription owned by our Client.
But the subscription is not appearing in the list of Azure subscriptions, even though I already have the Owner role:
My CICD Subscription List Available:
The Subscription where I want to deploy:
My current role to our Client Active Directory:
Also note that I am a Member of their Active Directory not just a Guest.
I also checked this article but no luck:
https://learn.microsoft.com/en-us/azure/devops/pipelines/release/azure-rm-endpoint?view=azure-devops#the-user-has-only-guest-permission-in-the-directory
The problem is not with the roles and permissions; for some reason AAD with MFA enabled somehow prevents smooth integration with Azure DevOps. In my case I disabled/deleted my MFA options, then tried to add the subscription again via Azure Pipelines.
Some subscriptions are missing from the list of subscriptions:
To fix this issue you will need to modify the supported account types and who can use your application. To do so, follow the steps below:
Sign in to the Azure portal.
If you have access to multiple tenants, use the Directory + subscription filter in the top menu to select the tenant in which you want to register an application.
Search for and select Azure Active Directory.
Under Manage, select App registrations.
Select your application from the list of registered applications.
Under Essentials, select Supported account types.
Under Supported account types, Who can use this application or access this API? select Accounts in any organizational directory.
Select Save.
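The same change done from PowerShell, as an added example that is not part of the original answer: it reads the `signInAudience` of the app registration behind the service connection and widens it to "Accounts in any organizational directory" only when it is set to something else. The display name is a placeholder for whatever your app registration is called.

```powershell
<#
  Added example (not from the original answer): check and, if needed, widen the
  "Supported account types" of the app registration behind the Azure DevOps
  service connection, using Microsoft Graph PowerShell instead of the portal.
  Assumption: the display name below is a placeholder for your app registration.
#>
param(
    [string]$AppDisplayName = "azure-devops-service-connection"  # placeholder
)

Connect-MgGraph -Scopes "Application.ReadWrite.All"

$apps = @(Get-MgApplication -Filter "displayName eq '$AppDisplayName'")
if ($apps.Count -ne 1) {
    throw "Expected exactly one app registration named '$AppDisplayName', found $($apps.Count)."
}
$app = $apps[0]

# Portal label -> signInAudience value:
#   Accounts in this organizational directory only   -> AzureADMyOrg
#   Accounts in any organizational directory         -> AzureADMultipleOrgs
#   ... and personal Microsoft accounts              -> AzureADandPersonalMicrosoftAccount
Write-Host "Current signInAudience: $($app.SignInAudience)"

if ($app.SignInAudience -ne "AzureADMultipleOrgs") {
    Update-MgApplication -ApplicationId $app.Id -SignInAudience "AzureADMultipleOrgs"
    Write-Host "Updated signInAudience to AzureADMultipleOrgs (any organizational directory)."
} else {
    Write-Host "Already set to AzureADMultipleOrgs; nothing to change."
}
```

Widening the audience turns the registration into a multi-tenant app: any Azure AD tenant can now obtain tokens for it, so anything that accepts those tokens must check the issuer (`tid`) claim rather than trusting the signature alone.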

Delete AD B2C Tenant Powershell

I want to delete an AD B2C Tenant and all associated resources with it (applications, b2c policies, users etc). Is it possible to delete the tenant and associated resources with powershell?
No, this is not possible. You can delete your resources using Powershell but the tenant/directory itself needs to be deleted through the Azure Portal.
View these instructions for detailed information:
https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-delete-howto
https://blogs.msdn.microsoft.com/azureadb2c/2017/06/23/delete-b2c-tenant/
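What the "delete your resources using PowerShell" part of that answer looks like in practice, as an added example that is not part of the original answer: it removes the user flows, custom policies, app registrations and users from a B2C tenant with the Microsoft Graph PowerShell SDK, keeps the signed-in administrator and the b2c-extensions-app, and supports `-WhatIf`. The user-flow and custom-policy endpoints are on the Graph beta surface; the tenant name is a placeholder.

```powershell
<#
  Added example (not from the original answer): remove the deletable
  contents of a B2C tenant with the Microsoft Graph PowerShell SDK.
  The tenant itself still has to be deleted in the portal.
  Supports -WhatIf; run with -WhatIf first.
  Assumption: the tenant name is a placeholder.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$TenantId = "myadb2ctest.onmicrosoft.com"   # placeholder
)

Connect-MgGraph -TenantId $TenantId -Scopes `
    "Application.ReadWrite.All", "User.ReadWrite.All", `
    "IdentityUserFlow.ReadWrite.All", "Policy.ReadWrite.TrustFramework"

# Resolve the signed-in admin by object id so a guest-style UPN cannot fool the comparison below.
$meId = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/me").id

# 1. B2C user flows (built-in policies) and custom policies; both are beta endpoints.
$flows = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/identity/b2cUserFlows").value
foreach ($f in $flows) {
    if ($PSCmdlet.ShouldProcess($f.id, "Delete user flow")) {
        Invoke-MgGraphRequest -Method DELETE -Uri "https://graph.microsoft.com/beta/identity/b2cUserFlows/$($f.id)"
    }
}
$policies = (Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/trustFramework/policies").value
foreach ($p in $policies) {
    if ($PSCmdlet.ShouldProcess($p.id, "Delete custom policy")) {
        Invoke-MgGraphRequest -Method DELETE -Uri "https://graph.microsoft.com/beta/trustFramework/policies/$($p.id)"
    }
}

# 2. App registrations, except b2c-extensions-app, which B2C itself depends on.
foreach ($app in Get-MgApplication -All) {
    if ($app.DisplayName -like "b2c-extensions-app*") { continue }
    if ($PSCmdlet.ShouldProcess($app.DisplayName, "Delete application")) {
        Remove-MgApplication -ApplicationId $app.Id
    }
}

# 3. Users other than the signed-in administrator.
foreach ($u in Get-MgUser -All) {
    if ($u.Id -eq $meId) { continue }
    if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Delete user")) {
        Remove-MgUser -UserId $u.Id
    }
}

Write-Host "Tenant contents removed. Delete the tenant itself from the portal as described in the linked instructions."
```

Deleted users and applications stay in the 30-day soft-delete bin, so a tenant that still refuses to delete may need those entries purged from "Deleted users" / "Deleted applications" in the portal as well.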

How to add b2c-extensions-app in Azure AD B2C

I have created a few B2C directories using the classic Azure portal. Sometimes it adds the b2c-extensions-app but other times it does not. When I delete a directory, Azure seems to have a long memory which prevents me from trying to recreate it (with the same name).
Is there a way to manually add the b2c-extensions-app such that it shows up under "Applications my Company Owns" listing?
The b2c-extensions-app is created automatically as part of creating an Azure AD B2C tenant. It should always be created. If you create a new tenant and this app is not present, you should open a support case so that the Azure AD B2C team can look into this.
Important note: The b2c-extensions-app is only visible in the App Registrations blade and not via the B2C Settings > Applications blade. See screenshots at the bottom.
More likely, someone accidentally deleted the application. If that's the case, there are two options:
If the application was deleted less than 30 days ago, you can use the Azure AD Graph's /deletedApplications/{application_id}/restore api to bring it back.
If it's been more than 30 days, there's no way to restore the application and you'll have to reach out to Azure support to get help on recreating and rewiring the application to your B2C tenant.
Notice that it's available in App registrations:
NOTE: Make sure you pick "All apps" from the App Registration drop-down.
But not in the B2C Applications:
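The restore path from that answer, as an added example that is not part of the original answer: it lists soft-deleted applications through Microsoft Graph (the current equivalent of the Azure AD Graph `/deletedApplications/{id}/restore` call mentioned above), picks out a b2c-extensions-app, and with `-Restore` puts it back under its original object id and app id. The tenant name and the `-Restore` switch are assumptions for illustration.

```powershell
<#
  Added example (not from the original answer): find a soft-deleted
  b2c-extensions-app and restore it with Microsoft Graph, the current
  equivalent of the Azure AD Graph /deletedApplications/{id}/restore call.
  Assumption: the tenant name is a placeholder. Requires Microsoft.Graph.
#>
param(
    [string]$TenantId = "myadb2ctest.onmicrosoft.com",  # placeholder
    [switch]$Restore                                     # without -Restore the script only lists
)

Connect-MgGraph -TenantId $TenantId -Scopes "Application.ReadWrite.All"

# Walk the paged list of soft-deleted applications (30-day retention; older ones are gone for good).
$uri = "https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.application"
$deleted = @()
while ($uri) {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri
    $deleted += $page.value
    $uri = $page.'@odata.nextLink'
}

$candidates = @($deleted | Where-Object { $_.displayName -like "b2c-extensions-app*" })
if ($candidates.Count -eq 0) {
    Write-Warning "No soft-deleted b2c-extensions-app found. If it was deleted more than 30 days ago, open a support case."
    return
}

foreach ($app in $candidates) {
    $age = (Get-Date) - [datetime]$app.deletedDateTime
    Write-Host ("{0}  appId={1}  deleted {2:N0} days ago" -f $app.displayName, $app.appId, $age.TotalDays)
    if ($Restore) {
        # Restores the object with its original id, appId and extension property definitions.
        $restored = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/directory/deletedItems/$($app.id)/restore"
        Write-Host "Restored $($restored.displayName) ($($restored.id))"
    }
}

# Verify it is back in App registrations (All apps), where the answer above says it should show.
if ($Restore) {
    Get-MgApplication -Filter "startswith(displayName,'b2c-extensions-app')" | Format-Table DisplayName, AppId, Id
}
```

The restore keeps the original object id and app id, which matters here because B2C references the extension app by those identifiers; re-creating an app with the same display name would not reconnect the custom attributes. Permanently deleting an item from the bin ("Remove permanently") is irreversible.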

how to create an ad-b2c tenant under existing subscription

I am trying out ad-b2c and boy even the first step is turning out to be extremely frustrating. Anyway here's my problem:
I have an existing subscription with a default directory which has its own mydefaultdirectory.onmicrosoft.com domain
According to the instructions here, I should be able to create an ad-b2c tenant, and then go into the portal B2C features blade.
I created the tenant, which included me creating a custom ad-b2c directory. I had to choose another domain such as myadb2ctest.onmicrosoft.com.
I go to the portal under b2c blade, but now I have no subscription. This is because now I am logged in to the myadb2ctest directory rather than mydefaultdirectory which has my subscription.
I DO NOT want to create a new subscription. I just want this directory associated with my already existing subscription so I can try this thing out.
An Azure AD (and B2C) is a higher-level object than a subscription in the portal user interface. That's why you lose your subscription view when selecting B2C.
Internally this will be linked to your subscription; otherwise Microsoft couldn't send you a bill. If you go to the B2C dashboard, there is text containing the linked subscription:
Subscription status
If there is no subscription linked, there is a warning in the B2C Dashboard:
No Subscription linked to this B2C tenant or the Subscription needs your attention.
And then you will need to take these actions:
This B2C tenant must be linked to an active Azure subscription for communication, support and billing.
If your Subscription status is No Subscription, please link this B2C tenant to an Azure subscription,
Switch Directories to the location of your target Azure subscription
Under Marketplace, search for and select 'B2C'
Select Create to link this B2C Tenant to a subscription
Unfortunately today B2C features cannot be turned on in an existing tenant.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-faqs
Please make your B2C directory a default directory for an Azure Subscription. You could think of a B2C directory as a normal AAD during this process.
This process of switching the default directory can only be done through Azure Classic Portal using Service Admin (live account ONLY) for the subscription.
You could refer this article for further steps:
https://ballance.in/default-directory-of-an-azure-subscription/
