Note: These are notes on an unsuccessful Tenant delete.
I was using a MacBook Pro with PowerShell 7.5.0 to run these commands. In the end I couldn't delete the Tenant, with an error message as follows:
Unable to delete tenant
Unable to delete tenant Toggen Test. Known issues exist where some enterprise applications are not capable to delete within the portal. Click the notification title for more information and manual troubleshooting steps.
However, being unsuccessful is not surprising, because Microsoft already has this warning in the documentation:

When you attempt to raise a support ticket, there is no "product" among the ones they provide to raise the ticket against (as you have already deleted all the subscriptions and licenses), so the support ticket wizard leaves you hanging.
Microsoft has a published procedure for deleting a Tenant:
https://learn.microsoft.com/en-us/entra/identity/users/directory-delete-howto
Once you get to the section on Enterprise App deletion, it feels like the code examples have been written by an AI that has been asked to hallucinate. Namely, the suggested commands don't work, and some cause the unintended side effect of locking you out of the Azure portal.
Toggen
When it says to run Connect-MgGraph without any arguments, the resulting connection doesn't have enough permissions to run the following commands. The commands return access-restricted warnings.
Warning: Make sure you run the recommended Get-MgDomain, Clear-AzContext -Scope CurrentUser and Connect-AzAccount -Tenant <ObjectID_Here> commands to make absolutely certain you are acting on the correct Tenant.
So firstly you need to find what scopes each command needs:

    (Find-MgGraphCommand -Command Remove-MgServicePrincipal).Permissions
    (Find-MgGraphCommand -Command Update-MgServicePrincipal).Permissions
The output will be something like this:

    Name                          IsAdmin Description                   FullDescription
    ----                          ------- -----------                   ---------------
    Application.ReadWrite.All     True    Read and write applications   Allows the…
    Application.ReadWrite.OwnedBy True
    Directory.ReadWrite.All       True    Read and write directory data Allows the…
    Directory.ReadWrite.All       True
    Application.ReadWrite.All     True
You then need to add a -Scopes parameter to Connect-MgGraph and, using the output of Find-MgGraphCommand, build a -Scopes list that asks for the right permissions for Remove-MgServicePrincipal and Update-MgServicePrincipal to run (duplicate scope names removed from the list; repeating them changes nothing):

    Connect-MgGraph -Scopes "Domain.Read.All", "Domain.ReadWrite.All", "Directory.Read.All", "Application.ReadWrite.All", "Directory.ReadWrite.All"
Also, I found that when running the suggested Remove-MgServicePrincipal command, the -ObjectID switch didn't exist on the command as the documentation showed in point 6.

Commands 7 and 8 worked:

    Get-MgServicePrincipal | ForEach-Object { Remove-MgServicePrincipal -ServicePrincipalId $_.Id }
    # there is an Az command with -ObjectId
    Get-AzADServicePrincipal | ForEach-Object { Remove-AzADServicePrincipal -ObjectId $_.Id -Force }
Also, when running command 8, it removes access to log in to portal.azure.com:

    $ServicePrincipalUpdate = @{ "accountEnabled" = "false" }
    Get-MgServicePrincipal | ForEach-Object { Update-MgServicePrincipal -ServicePrincipalId $_.Id -BodyParameter $ServicePrincipalUpdate }
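The scope-discovery step and the removal loop above, pulled together into one script as an added example that is not from the original post or from Microsoft's how-to: it derives the scopes from Find-MgGraphCommand instead of hand-typing them, connects to the named tenant, checks that the session really is that tenant with those scopes, and lists what the removal would touch before anything is removed. $ExpectedTenantId is an assumed placeholder for the tenant object ID you would otherwise pass to Connect-AzAccount -Tenant.

```powershell
# Added example; $ExpectedTenantId is a placeholder you must fill in.
$ExpectedTenantId = '<ObjectID_Here>'
$Cmdlets = 'Get-MgServicePrincipal', 'Remove-MgServicePrincipal', 'Update-MgServicePrincipal'

# 1. Derive the scopes each cmdlet needs, de-duplicated, rather than guessing.
$Scopes = foreach ($Cmdlet in $Cmdlets) {
    (Find-MgGraphCommand -Command $Cmdlet).Permissions |
        Where-Object { $_.Name } |
        Select-Object -ExpandProperty Name
}
$Scopes = $Scopes | Sort-Object -Unique
Write-Host "Requesting scopes: $($Scopes -join ', ')"

# 2. Connect to that tenant explicitly, not to whichever one is cached.
Connect-MgGraph -TenantId $ExpectedTenantId -Scopes $Scopes -NoWelcome

# 3. Stop if the session is the wrong tenant or consent was not granted
#    for every scope; otherwise the loops below fail half-way through.
$Context = Get-MgContext
if ($Context.TenantId -ne $ExpectedTenantId) {
    throw "Connected to tenant $($Context.TenantId), expected $ExpectedTenantId"
}
$Missing = $Scopes | Where-Object { $_ -notin $Context.Scopes }
if ($Missing) { throw "Scopes not granted: $($Missing -join ', ')" }

# 4. Dry run: show every service principal the removal would hit, so losing
#    portal access (as command 8 did) is a decision rather than a surprise.
$Principals = Get-MgServicePrincipal -All
Write-Host "$($Principals.Count) service principals would be affected:"
$Principals | Select-Object DisplayName, AppId, Id | Format-Table -AutoSize

# 5. -WhatIf prints the calls without executing them; drop it once the
#    list above has been reviewed.
$Principals | ForEach-Object {
    Remove-MgServicePrincipal -ServicePrincipalId $_.Id -WhatIf
}
```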
After following the Microsoft how-to, and despite there being ticks against all the pre-delete checklist items, in the end I couldn't delete this Tenant.