How do I delete an Azure Enterprise Application without an Azure subscription? - azure

I want to remove a tenant from the Azure portal.
All Enterprise applications should be deleted before removing the tenant.
There are two options for how Enterprise applications can be removed:
From the Azure portal: go to the application you want to delete, click "Properties", then click the "Delete" button. This option is not available, as the "Delete" button is disabled.
Using PowerShell commands in Azure Cloud Shell. This option is not available because it states "No valid subscription found. You need an Azure subscription to use Azure Cloud Shell".
I don't want to activate an Azure subscription just to remove the tenant.
So both options are useless in this case.
Any alternative approach?

You should be able to delete the enterprise application in the portal; make sure you are logged in to the portal with the Global admin account.
If this still does not work, try using PowerShell locally (not in Cloud Shell).
1. Install the AzureAD module.
Install-Module -Name AzureAD
2. Log in with the Global admin account.
Connect-AzureAD -TenantId <TenantId>
3. Delete the enterprise application.
Remove-AzureADServicePrincipal -ObjectId <app objectid got from the portal>
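As an added example (not part of the original answer), the same three steps as a script with a few safeguards a tenant admin would want: it resolves the enterprise application by display name, refuses to continue on an ambiguous match, writes a record of owners and app role assignments to a CSV before deleting, and checks that the service principal is really gone afterwards. The $TenantId and $DisplayName parameters are placeholders; the AzureAD module is assumed to be installed.

```powershell
# Added example, not the original answer's code. Deletes one enterprise
# application (a service principal) from a tenant that has no subscription.
# $TenantId and $DisplayName are placeholders supplied at run time.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $DisplayName
)

Import-Module AzureAD -ErrorAction Stop
# Sign in as a Global Administrator of the target tenant; no subscription needed.
Connect-AzureAD -TenantId $TenantId | Out-Null

# Resolve by display name and insist on exactly one match.
$found = @(Get-AzureADServicePrincipal -Filter "displayName eq '$DisplayName'")
if ($found.Count -ne 1) {
    throw "Expected one service principal named '$DisplayName', found $($found.Count)."
}
$sp = $found[0]

# Record what is being removed (owners, number of app role grants) before it is gone.
$owners = @(Get-AzureADServicePrincipalOwner -ObjectId $sp.ObjectId)
$grants = @(Get-AzureADServicePrincipalAppRoleAssignment -ObjectId $sp.ObjectId)
[pscustomobject]@{
    DisplayName        = $sp.DisplayName
    ObjectId           = $sp.ObjectId
    AppId              = $sp.AppId
    Owners             = ($owners | ForEach-Object { $_.UserPrincipalName }) -join ';'
    AppRoleAssignments = $grants.Count
} | Export-Csv -Path ".\removed-$($sp.ObjectId).csv" -NoTypeInformation

# -WhatIf on the script shows the removal without performing it.
if ($PSCmdlet.ShouldProcess($sp.DisplayName, 'Remove-AzureADServicePrincipal')) {
    Remove-AzureADServicePrincipal -ObjectId $sp.ObjectId
    # Verify: the Get cmdlet throws once the object no longer exists.
    try   { $still = Get-AzureADServicePrincipal -ObjectId $sp.ObjectId }
    catch { $still = $null }
    if ($still) { throw "Service principal $($sp.ObjectId) still exists." }
    "Removed $($sp.DisplayName) ($($sp.ObjectId))"
}
```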

Related

Azure Powershell - AzureAdUser V AzAdUser

I have the free developer E5 subscription and have set up a tenancy, created users etc. I have tried creating a second directory that I am planning to use to test the Azure AD Connect tool on a local server. I can switch between the tenants on the Azure Portal with the "Switch tenant" button, however I can't seem to figure it out with the PowerShell cmdlets.
Connect-AzureAD
Set-AzContext -TenantId "My new tenant/directory"
Following these two commands is where the confusion starts. The first command lists the users from the first directory and the second command shows the users from the directory I have switched to.
Get-AzureAdUser (Shows the first directory, not the one switched to)
Get-AzAdUser (Shows the users of the directory switched to)
Not sure if there is something I am missing here?
That's because those are commands from 2 different modules:
The first is from AzureAD, which is a module designed for tasks within Azure AD.
The second is from Az, which is designed to handle most, if not all, of Azure's resources. The AD functionality is mostly there for the module to handle lookups of Azure AD objects when checking RBAC and assigning access, and not really created to manage Azure AD in any meaningful way (even though you can do some tasks).
For your task you can use the Az module easily if you just want to look up the users, but if you need to actually administer Azure AD I suggest you go for AzureAD.
To connect to a specified tenant with AzureAD use Connect-AzureAD -TenantId 'tenant id'. I also think it supports using the domain name as well.

How to connect to Azure AD tenant which does not have a subscription from PowerShell

I have an Azure AD tenant which is not associated with a subscription. When I log in from the Azure portal I am able to see and get to it using "switch directories".
When I log in from PowerShell, I do not see it; it only shows my subscription, not my Azure AD tenant.
How do I connect to the Azure AD tenant which has no subscription?
Neither the Azure AD PowerShell nor the Azure PowerShell modules require that the tenant have an Azure subscription in order to connect.
If you are using the Azure AD PowerShell module, you simply connect:
Connect-AzureAD
If you are using a user account which is a member of multiple tenants, it's best to be explicit about which tenant you'd like to connect to:
Connect-AzureAD -TenantId "{other-tenant-id}"
For registering and managing apps in Azure AD I recommend using the Azure AD PowerShell module. However, if you need/want to use the Azure PowerShell module instead, the process is very similar:
Connect-AzAccount
And, if you need to be explicit:
Connect-AzAccount -TenantId "{other-tenant-id}"

Purge local user from Azure

Couldn't find exactly what I was looking for in the forum...
I was testing AD Sync with a virtual domain controller. I have since deleted the virtual domain controller and need to remove the users from Azure AD. How is that done? "Delete Users" is not allowable when the user is from a local AD. Also, how do I turn off AD Sync in Azure?
"Delete Users" is not allowable when the user is from a local AD
For the on-premises synced objects, you cannot manage or remove them from Azure AD.
If you want to remove the synced users and turn off the AD Sync, you could follow this way:
Install the Azure Active Directory Module for Windows PowerShell.
Connect to Azure AD by using Windows PowerShell.
Disable directory synchronization. To do this, type the cmdlet Set-MsolDirSyncEnabled -EnableDirSync $false, and then press Enter.
Check that directory synchronization was fully disabled by using Windows PowerShell. To do this, run the cmdlet periodically: (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
This cmdlet will return True or False. Continue to run this cmdlet periodically until it returns False, and then go to the next step.
Try to update an object by using Windows PowerShell or by using the cloud service portal. By this step, you could remove the synced users.
For the details, you could read here.
My question was in two parts.
1) Disable directory sync. This is answered by #SunnySun-MSFT above.
2) Remove local AD users from Azure AD. For this MSFT support got back to me with a working solution.
Open PowerShell as admin
Connect-MsolService (provide global admin credentials)
Get-MsolUser -All -Synchronized (display all local users synced with Azure)
Get-MsolUser -All -Synchronized | Remove-MsolUser -Force (delete synced users)
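As an added example (not code from either answer), the two parts combined into one script: it turns off directory sync with the MSOnline module, polls DirectorySynchronizationEnabled until the tenant reports False (with a timeout, since this can take a long time), exports the list of synced users to a CSV, and only then removes them. It assumes the MSOnline module is installed and that you sign in as a Global Administrator; $TimeoutMinutes is a placeholder default.

```powershell
# Added example, not the original answers' code. Disables directory sync, waits
# for the tenant to confirm it, then removes the formerly synced users.
# Run with -WhatIf first to list the accounts that would be removed.
[CmdletBinding(SupportsShouldProcess)]
param([int] $TimeoutMinutes = 720)   # placeholder; adjust to your tenant

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService   # prompts for Global Administrator credentials

if ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    Set-MsolDirSyncEnabled -EnableDirSync $false -Force
}

# Poll until the tenant reports sync disabled; the answer says this is not instant.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
while ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    if ((Get-Date) -gt $deadline) {
        throw "Directory sync still enabled after $TimeoutMinutes minutes; try again later."
    }
    Start-Sleep -Seconds 300
}

# Keep a record of what is about to be removed, then delete.
$synced = @(Get-MsolUser -All -Synchronized)
$synced | Select-Object UserPrincipalName, ObjectId, ImmutableId |
    Export-Csv -Path .\synced-users-before-removal.csv -NoTypeInformation

foreach ($u in $synced) {
    if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, 'Remove-MsolUser')) {
        Remove-MsolUser -ObjectId $u.ObjectId -Force
    }
}
"Removed $($synced.Count) synced user(s); see synced-users-before-removal.csv"
```

Removed users land in the Azure AD recycle bin for 30 days; Remove-MsolUser -RemoveFromRecycleBin purges them permanently if that is what you need.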

Upload Azure AD B2C Custom Policy Via Powershell

How can I upload custom policies via PowerShell?
Azure AD B2C now supports PowerShell cmdlets
Azure AD Preview module documentation
See medium blog
Quick Start
Launch PowerShell and try the commands below
> Install-Module -Name AzureADPreview
> Connect-AzureAd -tenantId <yourtenantname> -accountId <yourAlias#contoso.com>
> Get-AzureADMSTrustFrameworkPolicy
> Get-AzureADMSTrustFrameworkPolicy -Id B2C_1A_signup_signin -OutputFilePath C:\B2C_1A_signup_signin.xml
> New-AzureADMSTrustFrameworkPolicy -InputFilePath C:\B2C_1A_signup_signin.xml
> Set-AzureADMSTrustFrameworkPolicy -Id B2C_1A_signup_signin -InputFilePath C:\B2C_1A_signup_signin.xml
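As an added example (not the answer's own commands), an upload script built on the same cmdlets that avoids the "New or Set?" question: it reads the PolicyId from the policy XML, checks that any base policy it inherits from is already in the tenant, and then creates or replaces the policy accordingly. It assumes AzureADPreview is installed and Connect-AzureAD has already been run against the B2C tenant; $PolicyFile is a placeholder path.

```powershell
# Added example, not the original answer's code. Uploads one B2C custom policy
# file, creating the policy if the tenant lacks it and replacing it otherwise.
# Assumes Connect-AzureAD was already run against the B2C tenant.
param([Parameter(Mandatory)] [string] $PolicyFile)   # placeholder path

$PolicyFile = (Resolve-Path -Path $PolicyFile).Path
[xml]$doc = Get-Content -Path $PolicyFile -Raw

# The policy name is the PolicyId attribute on the TrustFrameworkPolicy root.
$policyId = $doc.TrustFrameworkPolicy.PolicyId
if (-not $policyId -or $policyId -notlike 'B2C_1A_*') {
    throw "$PolicyFile does not look like a B2C custom policy (PolicyId='$policyId')."
}

# A policy that inherits via <BasePolicy> needs that base uploaded first.
$baseId = $doc.TrustFrameworkPolicy.BasePolicy.PolicyId
if ($baseId) {
    try   { Get-AzureADMSTrustFrameworkPolicy -Id $baseId | Out-Null }
    catch { throw "Base policy '$baseId' is not in the tenant yet; upload it before '$policyId'." }
}

# Create or update depending on whether the policy already exists.
try   { $exists = [bool](Get-AzureADMSTrustFrameworkPolicy -Id $policyId) }
catch { $exists = $false }

if ($exists) {
    Set-AzureADMSTrustFrameworkPolicy -Id $policyId -InputFilePath $PolicyFile | Out-Null
    "Updated $policyId"
} else {
    New-AzureADMSTrustFrameworkPolicy -InputFilePath $PolicyFile | Out-Null
    "Created $policyId"
}
```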
You can't.
Well, you used to be able to if you had an advanced policy with the B2C powershell tools but ever since they moved from B2C to Identity Experience Framework they have disabled it.
I presume when they go back to ARM templates then they will re-enable it.
Azure AD B2C currently does not support any programmatic policy management, including Graph, PowerShell or ARM templates.
You can support this ask and keep track of it (i.e. get notified when there's a preview available) for voting for it in the Azure AD B2C feedback forum: Programmatically Manage B2C Policies

WebApp deployment to Azure

I'm trying to deploy a build to Azure WebApp.
In Azure (http://manage.windowsazure.com) I linked the web app to my Visual Studio Online (VSTS) account.
In VSTS I've created a release definition with a single task (Azure Web App Deployment); the task is configured to use the endpoint defined in the administration module. The service endpoint is configured to use credentials. The credential is using a Microsoft account.
The release is failing with the below error:
2015-12-02T18:17:35.4422685Z AzurePSCmdletsVersion= 0.9.8.1
2015-12-02T18:17:35.5692677Z Get-ServiceEndpoint -Name foo -Context Microsoft.TeamFoundation.DistributedTask.Agent.Worker.Common.TaskContext
2015-12-02T18:19:07.5877546Z Username= ********
2015-12-02T18:19:07.5887893Z azureSubscriptionId= foo-foo-foo-foo-foo
2015-12-02T18:19:07.5907904Z azureSubscriptionName= Pay-As-You-Go
2015-12-02T18:19:07.6278127Z Add-AzureAccount -Credential $psCredential
2015-12-02T18:19:09.7755541Z ##[error]-Credential parameter can only be used with Organization ID credentials. For more information, please refer to http://go.microsoft.com/fwlink/?linkid=331007&clcid=0x409 for more information about the difference between an organizational account and a Microsoft account.
2015-12-02T18:19:09.9664413Z ##[error]There was an error with the Azure credentials used for deployment.
How can I set up the release to use a Microsoft account for the Azure credential?
There isn't any way to use a Microsoft Account Credential to connect to Azure from VSO service endpoint for now. You need to use an Organization account. If you don't have one, you can use "Certificate Based" authentication to connect to Azure easily. Click this link to get your subscription file and then paste the certification string in the subscription file into VSO "Management Certificate" area.
The Add-AzureAccount cmdlet uses Azure Active Directory (Azure AD) authentication access tokens, and Azure AD uses Organizational Accounts.
Microsoft account credentials, formerly known as LiveIDs, will not work in Azure AD authentication scenarios.
This is reported here as a suggestion and by design as of now:
https://github.com/Azure/azure-powershell/issues/477
