Every now and then, when I try to delete an Azure Active Directory directory, I get this funny ‘Directory contains one or more applications that were added by a user or administrator’ error message.
What’s so funny about it? The simple fact that all the applications the message mentions seem, at least from the portal side, to have been created automatically when the directory was set up. So what can the solution be?
As it turns out, the Azure Management Portal doesn’t list ALL the applications it creates when you set up a new directory, and on top of that it creates a few applications on your behalf (you, the administrator) when you create the directory from within the Portal. To delete these AAD applications, you have to get your hands dirty and do some PowerShell scripting.
First, because Azure Active Directory is an upgrade of the former Microsoft Online Services identity service, be aware that you might need to install a few additional tools on your computer, namely the Microsoft Online Services Sign-In Assistant for IT Professionals RTW (that sounds so Microsoft :-)) and the Azure Active Directory Module for Windows PowerShell. Install the 64-bit version of these tools; the 32-bit version is discontinued at the time of this writing.
Once they are installed, go back to the Azure Management Portal and create a new organizational user within that particular directory (yes, I know, a directory may contain at most one identity before it can be deleted, but you will still need this additional user IF your single AAD Global Admin is a Microsoft Account, because the PowerShell module does not accept Microsoft Account sign-ins):
Make sure you mark the new user as a Global Admin, and have an additional e-mail address on hand, since Global Admins are required to provide a backup e-mail address so the system can send them automated e-mail.
Since the New User dialog created a temporary password for this user, go to http://portal.microsoftonline.com and log in as the user you just created. You will be prompted to change the temporary password.
Once you have done this, open a new PowerShell console or PowerShell ISE window. Within PowerShell, run the following cmdlet to connect to the directory. When prompted, use the credentials of the user account you just created in the Azure Management Portal.
Next, use the following cmdlet to retrieve the list of applications (service principals) that reside in that AAD directory.
Get-MsolServicePrincipal | Select DisplayName
This returns the list of applications currently installed in that AAD directory, and you’ll quickly realize that it contains far more than the two applications you see in the Azure Management Portal:
- Windows Azure Service Management API
- Microsoft Policy Administration Service
To delete all these applications, run the following pipeline. Be aware that it tries to remove every service principal in the directory, so run it only in a directory you really intend to delete. Not all applications can be deleted, and some deletion attempts will end with an error in the PS console (nuts, right?) – ignore those.
Get-MsolServicePrincipal | Remove-MsolServicePrincipal
Afterwards, go back to the Azure Management Portal, delete the organizational user account you created earlier, and then delete the entire directory.
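The whole PowerShell part of the procedure above in one script, as an added example that is not code from the original post. It uses the MSOnline cmdlets the post relies on (Get-MsolServicePrincipal, Remove-MsolServicePrincipal) plus Connect-MsolService for the sign-in step; the -All switch, the $dryRun flag and the per-principal error handling are my additions, so you can see exactly which service principals refuse to be deleted instead of ignoring a wall of red text.

```powershell
# Added example (not from the original post): inventory and remove the
# service principals in an Azure AD directory you are about to delete.
# Destructive: it deletes every application registration it can. Run it
# only against a directory you intend to delete.

# Sign in with the organizational Global Admin created in the portal.
# A Microsoft Account cannot be used here; the cmdlet prompts for credentials.
Connect-MsolService -Credential (Get-Credential)

# Inventory first, including the identifiers the portal does not show.
# -All (assumed; standard on the MSOnline Get-* cmdlets) avoids the default page limit.
$sps = @(Get-MsolServicePrincipal -All)
$sps | Select-Object DisplayName, AppPrincipalId, ObjectId |
    Sort-Object DisplayName | Format-Table -AutoSize
Write-Host ("{0} service principal(s) found." -f $sps.Count)

# Set to $true to review the list without deleting anything.
$dryRun = $false
$failed = @()

foreach ($sp in $sps) {
    if ($dryRun) {
        Write-Host ("Would remove: {0}" -f $sp.DisplayName)
        continue
    }
    try {
        # -ErrorAction Stop turns the cmdlet's non-terminating error into a
        # catchable one, so each failure is recorded against its principal.
        Remove-MsolServicePrincipal -ObjectId $sp.ObjectId -ErrorAction Stop
        Write-Host ("Removed: {0}" -f $sp.DisplayName)
    }
    catch {
        $failed += [pscustomobject]@{
            DisplayName = $sp.DisplayName
            ObjectId    = $sp.ObjectId
            Error       = $_.Exception.Message
        }
    }
}

# Whatever is left is what the service would not let you delete. Compare it
# with the portal error before deciding it is safe to ignore.
if ($failed.Count -gt 0) {
    Write-Warning ("{0} principal(s) could not be removed:" -f $failed.Count)
    $failed | Format-Table -AutoSize
}
Write-Host "Remaining service principals:"
Get-MsolServicePrincipal -All | Select-Object DisplayName
```

Run it once with $dryRun = $true to confirm you are connected to the right directory (the inventory alone tells you that), then flip the flag. The final listing is the one to keep if you still get the portal error afterwards: it names the principals that survived.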
Voila, worked like a charm!