Azure active directory - Unable to delete - azure

I have two additional AD I have created in addition to the one which is associated to the subscription. I want to delete those but my attempt fails with the message "Directory has one or more applications that were added by a user or administrator"
I can see below two common application in both directories, where I don't see a delete button.
Office 365 management apis
Visual Studio Team Services
How can I delete this AD?
Thanks,
Shiju

I ran into the same issue. The only solution I was able to find was to step into PowerShell and get it done. You can find the steps in these two posts:
https://social.msdn.microsoft.com/Forums/en-US/afbfb7b3-92c9-4af6-9128-ba96795de5a6/not-able-to-delete-b2c-tenant
https://social.msdn.microsoft.com/Forums/en-US/e041555c-aa36-4369-bbb9-1f23ae317304/how-to-remove-active-directory-from-windows-azure
The main gist is that you need to have a global admin account which is a direct member of the directory. You can't use your Microsoft/subscription account even though it may have been granted global admin permissions. You then connect using these credentials in PowerShell, find the Service Principals (aka Applications) which exist, and remove them. You can then drop the Admin account for the directory and delete the directory itself.

I also wrote a blog page on how to delete an active directory tenant. I have updated the process to use the new portal and the newer AzureAD PowerShell cmdlets.
https://blog.nicholasrogoff.com/2017/01/20/how-to-delete-an-azure-active-directory-add-tenant/

Related

How do I sign in to my Azure account from the VSCode Azure Functions extension?

I have been trying to create an Azure Function using the documentation. For example, here:
https://learn.microsoft.com/en-us/learn/modules/develop-azure-functions/5-create-function-visual-studio-code
Every time, and with every Azure account, I can't get past the step where you sign in to your Azure account from the Azure Functions VSCode extension. This is the error I am getting:
"Selected user account does not exist in tenant 'Microsoft Learn Sandbox' and cannot access the application 'aebc6443-996d-45c2-90f0-388ff96faa56' in that tenant. The account needs to be added as an external user in the tenant first. Please use a different account."
The Microsoft Learn Sandbox error message is a red herring to me, as I am not trying to do anything with it, only with Azure Functions. The same error appears even with a completely different Azure account.
I have tried looking at several possible solutions, including switching directories (but I only have one directory, so this didn't work), changing settings in Azure AD Connect (but I don't have Azure AD Connect configured, so this didn't work), and I deleted several local .config files and directories on my machine (CentOS 7, btw). If the solution is related to my .config files, I couldn't tell which files I should actually be deleting though.
In my situation, the problem is it was trying to use my "learning" account but I wanted to use my "work" account.
Following the answer here: https://learn.microsoft.com/en-us/answers/questions/696758/how-do-i-sign-in-to-azure-from-vs-code?page=1&orderby=Helpful&comment=answer-697695#newest-answer-comment
Go to the Azure portal and sign out (https://portal.azure.com/) Now
open Visual Studio and Open the Command Palette (Ctrl + Shift + P)
search for Azure: Sign Out and click on it. It will signout you from the Visual Studio extension
Then (this is the important part) it allowed me the option to Clear my Tenant ID.
Then you can sign in again with the new account
Hope this helps someone else!

Changing site collection administrator via powershell in azure function

I created a workflow that provisions O365 groups via an azure function app which runs powershell (based off this code on github). I noticed that the default site collection administrators are the owners of the created group. Most of the time i just want users to be able to invite more people to group but not create subsites etc..
For now I always have to change administrators manually. Is there any way to change the site collection administrators via powershell (or any other language) in an azure function?
I already tried to just execute Connect-SPOService and Set-SPOUser in the function but there is no such cmdlet in the context of the function.
Goal would be a to have some code/function to change site collection administrators via the microsoft graph api or some other means. Maybe it is possible to add the missing cmdlets where the function can access it?
To use PowerShell modules within an Azure Function, you'll need to upload your modules to your function app, either by bundling them with your deployment or using Kudu. The answers to this question from Francisco and myself could be helpful to you.

File-level read permission in Azure DevOps is not working

I have this team project in Azure DevOps (previously known as VSTS):
$\TempProjectA
I have this developer that can log into Azure DevOps and develop code:
username: first_developer#example-company.com
password: *****
I have this group that is called SingleFileReaders, and I've added first_developer#example-company.com to this group.
Then using Visual Studio's Source Control Explorer, I've browsed to $\TeamProjectA\FileToBeShared.java, right clicked on it, using Advanced menu I managed to get to Security pop-up. And there, I allowed the read option.
Now I login as first_developer#example-company.com into Visual Studio, but I don't see that file. In fact, I don't see TeamProjectA. What should I do?
You Should add the developer to the Project Team members, with contributor role.
Follow here, Since the UI is changed there are some difficulties to find the securities/adding user configuration in Azure DevOps
Security
Contributor role to access the Source codes
For anyone who's stuck in this point, the trick is to give View project-level information permission to your role/user first. Using built-in roles is not helpful as they have permissions much more than what I wanted. They give access to all files, at least read-only permission.

How do I delete an application from azure active directory?

The title of my issue is clear enough by itself I hope....
I have only one application in my Applications list in Azure Active Directory. I would like to delete that, because it was only for experimental purposes.
But I cannot delete it, the delete icon in the drawer is greyed.
What can I do to delete the application from AAD?
For those coming by later and are using the new (preview) Azure Portal and are trying to remove a Native App;
The issue is due to the availableToOtherTenants setting, which you can not edit in the UI at the moment of writing. However, you can add the Manifest manually through the Azure Portal and edit the setting. After the edit, you can remove the app.
If it's a multi-tenant app, you need to convert it back to a single-tenant app before you can delete it. Please confirm that the setting 'Application is Multi-Tenant' (on the configure tab) is set to No.
Just adding to this - make sure that you are the owner of the application - if you're not, assign yourself ownership and delete will be enabled.
Unable to delete Azure AD due to Enterprise Apps (Delete grayed out)
Login to a Powershell (Admin)
Install-Module -Name MSOnline
connect-msolservice
(Provide GA Creds)
CAUTION: Following step may delete all the objects/applications recursively and may present multiple errors as well, but in the end, all this will help you to be finally able to delete the Azure AD instance successfully
Get-MsolServicePrincipal -All | Remove-MsolServicePrincipal
Sign-out and Sign-in Azure Portal
All enterprise apps will now be deleted --> You can Delete Azure AD Directory now
Whilst old, I stubmled across this issue earlier and found this post.
The portal has changed and none of the above worked for me (although I did not edit the manifest) - what I did do was go into AAD > Enterprise Applications and, from there, I could delete the Native applications.
Hope this helps someone (possibly me!) later.

directory sync: windows azure active directory sync tool ... will it erase O365 users if they do not exist on local AD?

search here showed no real answer.
we currently have around 90 users in O365. we are standing up a fresh new DC and i was wondering, if i run the windows azure directory sync tool wizard (assuming i have already activated directory sync in Azure), input all the credentials, will it look at my local AD and see there are no users there and sync to O365 essentially removing all the O365 users? i know it does not sync both ways so the O365 users won't be transferred which is fine. but will it wipe my O365 users?
No, it won't. It will try to soft match based on the proxyAddresses attribute in AD matching the values in O365. If there isn't a match, you'll end up with duplicates or export errors in Dirsync.

Resources