[Azure] Regain admin access to your Azure AD tenant custom domain
Let me start by admitting something: I really made a mess of my Azure AD tenants over time 🙂 If your career is anything like mine, you probably know how it is to have multiple Azure subscriptions, MSDN subscriptions and Azure AD tenants (which are at the root of all of your Azure activities). And since it’s springtime and all, I decided it could use a little cleaning up. So I started moving stuff over to the subscriptions I want to use and deleting the leftovers.
Somewhere in this process I might have been a little bit too enthused about throwing stuff away. And I ended up with the following situation:
- I had an Azure AD tenant, linked to one of my custom domains.
- The subscription linked to the tenant was deleted (or expired, not sure).
- Within the tenant I had only one user left, which was a normal user, not an admin.
OK, so now what? A normal user cannot delete the AD tenant, nor can it add new users or make anyone admin. And since the global administrator account was tied to the subscription (which wasn’t there anymore), that left me without any options.
As seen in the screenshot below, logged in using my one and only user, I was not able to delete the directory:
So I contacted support and the support agent showed me a neat little trick on how to fix this. Unfortunately, since I was not planning on reproducing the situation, I didn’t get the chance to make screenshots of all the steps. But here’s what you need to do:
- With your user, go to https://powerbi.microsoft.com.
Huh, wait? Power BI? What does that have to do with this? That’s exactly what I thought… just hold on…
- After logging in, go to the admin section.
- Now it will start complaining about the fact that you are not an admin of this domain.
- Follow the steps to become the domain admin again. This involves setting up a TXT record to prove ownership, so you’ll need access to the domain’s DNS.
- After the record has been verified (this can take a little while), the portal will promote your account to admin.
Now if you open up the portal again, things have changed! Note the red box: the same account is now Global Admin!
You can’t delete things just yet, though; there are a few more steps:
- First, create a new admin user on the xyz.onmicrosoft.com domain. Give this user Global Admin permissions as well, since you’ll need it to delete the other one.
- Log in using your new user and delete the other one in Azure AD.
- Now go to the “Custom domain names” section. Click the xyz.onmicrosoft.com domain name and make sure it’s set as the primary domain. This is required because you cannot remove a custom domain while it is set as primary.
- Next, delete the custom domain. There will be some verification to ensure there are no resources left which have a link to this domain in any way. When there are, deal with those first.
- After deleting the custom domain you can proceed to delete the Azure AD instance.
- Should you want to, you can now link your custom domain to any other Azure AD tenant where you’d like to use it.
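The same steps, scripted, as an added example that is not part of the original post and not a Microsoft procedure: it first confirms that the ownership TXT record from the Power BI verification step is actually visible in public DNS (if it isn’t, the verification will simply fail), then performs the cleanup list above with the AzureAD PowerShell module (since superseded by Microsoft Graph PowerShell, which offers the same operations under different cmdlet names). The domain names, user principal names and display names are placeholders; the TXT value itself is handed to you by the Power BI portal. Worth keeping in mind from a defender’s point of view: this whole recovery works because whoever controls the DNS zone of a verified custom domain can claim Global Admin of the tenant, so the zone and its TXT records deserve the same protection as the tenant’s admin accounts.

```powershell
# Added example, not the original author's script. Assumed placeholders:
$CustomDomain  = "contoso.example"        # your custom domain
$InitialDomain = "xyz.onmicrosoft.com"    # the tenant's initial domain
$OldAdminUpn   = "me@contoso.example"     # the account recovered via Power BI
$NewAdminUpn   = "breakglass@$InitialDomain"

# 1. Confirm the ownership record is present in public DNS before asking the
#    portal to verify it. Microsoft's ownership records start with "MS=".
$txt   = Resolve-DnsName -Name $CustomDomain -Type TXT -ErrorAction Stop |
         Select-Object -ExpandProperty Strings
$proof = $txt | Where-Object { $_ -like "MS=*" }
if (-not $proof) {
    throw "No 'MS=' TXT record visible for $CustomDomain yet; wait for DNS propagation."
}
Write-Host "Ownership record present: $proof"

# 2. Sign in with the account that was just promoted to Global Admin.
Connect-AzureAD

# 3. Create a second Global Admin on the initial domain, so the tenant still has
#    an admin once the custom-domain account is gone.
$pw = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$pw.Password = Read-Host -Prompt "Initial password for $NewAdminUpn"
$pw.ForceChangePasswordNextLogin = $true
$newAdmin = New-AzureADUser -DisplayName "Break-glass admin" `
    -UserPrincipalName $NewAdminUpn -MailNickName "breakglass" `
    -AccountEnabled $true -PasswordProfile $pw

# Match the Global Administrator role on its fixed template id rather than its
# display name (older module versions show it as "Company Administrator").
$gaTemplateId = "62e90394-69f5-4237-9190-012177145e10"
$gaRole = Get-AzureADDirectoryRole | Where-Object { $_.RoleTemplateId -eq $gaTemplateId }
if (-not $gaRole) {
    $gaRole = Enable-AzureADDirectoryRole -RoleTemplateId $gaTemplateId
}
Add-AzureADDirectoryRoleMember -ObjectId $gaRole.ObjectId -RefObjectId $newAdmin.ObjectId

# 4. Reconnect as the new admin and remove the account on the custom domain.
Disconnect-AzureAD
Connect-AzureAD -AccountId $NewAdminUpn
Remove-AzureADUser -ObjectId $OldAdminUpn

# 5. Make the initial domain primary; a custom domain cannot be removed while
#    it is the default.
Set-AzureADDomain -Name $InitialDomain -IsDefault $true

# 6. Anything still referencing the custom domain blocks removal: list it and
#    deal with it first instead of guessing from the portal's error message.
$refs = Get-AzureADDomainNameReference -Name $CustomDomain
if ($refs) {
    Write-Warning "Objects still reference $CustomDomain; fix these before deleting:"
    $refs | Select-Object ObjectType, ObjectId | Format-Table
    exit 1
}

# 7. Remove the custom domain. Deleting the tenant itself is still done in the
#    portal, and the freed domain can then be verified in another tenant.
Remove-AzureADDomain -Name $CustomDomain
Get-AzureADDomain | Select-Object Name, IsDefault, IsVerified | Format-Table
```

Run it in a Windows PowerShell session with the AzureAD module installed; steps 2 and 4 prompt interactively for sign-in, and step 6 deliberately stops rather than deleting objects on your behalf, since what still references the domain (users, groups, app registrations) is exactly the inventory you want to review before tearing the tenant down.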
Hope this helps out anyone dealing with the same situation! Conclusion for myself: don’t make such a mess next time 😉