Custom Azure domain name can't be deleted (moved) because of local AD users or groups that remain in AAD from a broken or deleted local AD environment (sync).


Now and then servers, services and app connectors break down, and sometimes the easiest way to fix or work around a problem is a PowerShell command.

In this scenario I have an Azure tenant with a custom domain name applied and a hybrid environment set up. I use a Windows Server 2016 machine with Azure AD Connect configured to sync my users, groups and other OU objects to my Azure AD.

The problem I create in this scenario is that I want to move my custom domain name to a new Azure tenant and verify it there. That should be easy enough, right? Just delete the custom domain name in the old Azure tenant, add the domain to the new Azure tenant, and all is fine? Well, yes, that is the way it normally goes. But if the local AD server or the sync service (Azure AD Connect) is removed or broken and cannot be restored, and some local AD users remain in the old Azure AD, the request to delete the custom domain name is blocked because those users are still associated with @domainName.com. The users therefore need to be exported and/or deleted first before the domain can be deleted, and this is where PowerShell comes into the picture.

Just to be clear: users synced from the local Active Directory to Azure Active Directory cannot be deleted directly in the cloud (AAD); they must be deleted from the local AD, and after a sync they will be gone from Azure Active Directory. Cloud-only users are no problem to delete, even with a broken setup.

Prerequisites:

  • Follow the link below to install the required PowerShell modules for Azure.

EXPORTING AZURE AD USERS (OR GROUPS, OPTIONAL)

  • Open a PowerShell window and connect to Azure Active Directory with a Global Administrator account using the command below.

Connect-MsolService

  • Provide the Global Administrator ID in the pop-up screen and click Next.

  • Enter the Password and click Sign in.

  • After a successful login, export the Azure AD users into a CSV file using the command below.

Get-MsolUser -All | Export-Csv C:\ADusers.csv

  • The file ADusers.csv will be available on the C: drive.

  • Export the Azure AD groups into a CSV file using the command below. (Optional in this scenario.)

Get-MsolGroup -All | Export-Csv C:\ADGroups.csv

  • The file ADGroups.csv will be available on the C: drive.
  • Open ADusers.csv and remove the Global Administrator account(s) from the list. (You don't want to lock yourself out; at least one admin account must remain.)

  • Save and close the CSV file. (The file may be read-only; if so, check the note below, or save the lines in a new CSV file you created and use that file instead.)

Note: You can also export the users into a CSV file first and then create a new cloud user with the Global Administrator role. That new admin user will not appear in the exported user list, so you can delete all the users in the list from AAD without worry.

DELETE THE AD USERS OR GROUPS

  • From the PowerShell window, execute the command below to delete the AD users.

Import-Csv C:\ADusers.csv | Remove-MsolUser -Force

  • Run the command below to delete the AD groups (optional).

Import-Csv C:\ADGroups.csv | Remove-MsolGroup -Force

To verify that the users or groups are deleted:

  • Go to the Azure portal (https://portal.azure.com) and browse to the Azure Active Directory users (or groups).
  • Click the All users link. Only the Global Administrator account(s) should remain in the list.
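The steps above can be combined into one script that scopes the deletion to the domain being freed, protects every Global Administrator automatically instead of by hand-editing the CSV, writes a backup first and does a dry run by default. This is an added example, not code from the original post; it assumes the MSOnline module is installed, uses the post's placeholder domain domainName.com, and the parameter names and backup path are my own.

```powershell
# Added example (not from the original post). Assumes the MSOnline module is
# installed; -Domain takes the custom domain being freed, e.g. domainName.com.
param(
    [Parameter(Mandatory)][string]$Domain,
    [string]$BackupPath = "C:\ADusers-backup.csv",   # assumed path
    [switch]$Delete                                   # omit for a dry run
)

Connect-MsolService

# Never touch a Global Administrator (MSOnline names the role "Company Administrator").
$adminRole = Get-MsolRole -RoleName "Company Administrator"
$adminUpns = @(Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
    Where-Object { $_.EmailAddress } |
    ForEach-Object { $_.EmailAddress.ToLowerInvariant() })

# Select only users whose UPN ends in the domain being removed; other domains stay untouched.
$suffix = "@$Domain".ToLowerInvariant()
$candidates = @(Get-MsolUser -All | Where-Object {
    $upn = $_.UserPrincipalName.ToLowerInvariant()
    $upn.EndsWith($suffix) -and ($adminUpns -notcontains $upn)
})

# Keep a backup before anything is deleted; this is the audit record of what went.
$candidates |
    Select-Object UserPrincipalName, DisplayName, ObjectId, LastDirSyncTime |
    Export-Csv -Path $BackupPath -NoTypeInformation

$summary = "{0} user(s) in {1} selected, {2} admin(s) protected, backup at {3}"
Write-Host ($summary -f $candidates.Count, $suffix, $adminUpns.Count, $BackupPath)

if (-not $Delete) {
    # Dry run: show what would be removed and stop.
    $candidates | Format-Table UserPrincipalName, DisplayName, LastDirSyncTime
    return
}

foreach ($u in $candidates) {
    Remove-MsolUser -ObjectId $u.ObjectId -Force
    Write-Host "Removed $($u.UserPrincipalName)"
}
```

Run it once without -Delete to review the list, then again with -Delete. Remove-MsolUser soft-deletes into the recycle bin, so before retrying the domain removal check Get-MsolUser -ReturnDeletedUsers -All and, if anything is still there, purge it with Remove-MsolUser -RemoveFromRecycleBin.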
