Azure: Clean up unused, inactive or old directories from your Azure subscription

June 20, 2018 at 9:31 am in AAD, Azure, Azure Active Directory, Azure AD, Azure tenant, B2B, Cloud, GDPR, MyApps by Wim Matthyssen

I have been working as an Azure Consultant/Architect for almost 5 years. In those 5 years I set up a lot of Azure IaaS/PaaS environments for different customers. To do all the necessary work involved in such a setup, I was mostly invited to their Azure tenant as an admin with my Microsoft account (personal account) or my work account (B2B user). When all the work was done, a thing mostly forgotten was to clean up that specific user in Azure Active Directory (AAD), causing that tenant to still show up, or even start as the default directory, when logging on to the Azure portal. After a while you could even be unable to be invited to a new tenant because the maximum of 20 AADs was reached for that specific account.

Until some time ago, May 14 2018 to be specific, to unlink those lingering directories you had to contact another global admin of the inviting organization to have that account removed from their AAD tenant. Even as an admin you were not able to delete your own guest account. Sometimes, when a lot of time had passed since you last worked for that customer, finding a global admin for that tenant to delete that user could be a lot of work.

Luckily, thanks to Europe’s General Data Protection Regulation (GDPR), this can now be done in a much easier way. A B2B user can now leave an organization to which he or she has been invited at any time, on their own (self-service leaving), without having to contact an administrator.

Keep in mind that when a user leaves an organization, the user account is soft deleted in the directory. By default, the user object moves to the Deleted users state in AAD but is not permanently deleted for 30 days. This soft deletion enables the administrator to restore the user account (including groups and permissions), if the user makes a request to restore the account within that 30-day period.

To leave an organization you can follow the below steps:

1. Log in with your B2B account at https://myapps.microsoft.com/
2. When logged in, select your name on the access panel in the upper-right corner.
3. Under Organizations, select the organization you want to leave.
4. Select your name again in the upper-right corner.
5. Select Leave organization next to the correct organization.
6. When asked to confirm, select Leave.
7. After a while you should receive an email at that specific account, telling you that you left the organization.

Repeat these steps if you need to leave any other organization you are associated with.
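The steps above cover the guest's side. For the inviting tenant's side, the global admin who earlier had to delete such accounts by hand (as described above) can also review guest accounts that look stale before they linger for years. The following is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell module is installed, and the 90-day and 30-day thresholds are assumed values you should adjust to your own policy.

```powershell
# Added example (not from the original post): report guest (B2B) accounts in a tenant
# you administer that have never been used, never accepted their invitation, or have
# not signed in for a while. Assumes the Microsoft.Graph PowerShell module.
# Removal is only shown with -WhatIf; drop it deliberately after reviewing the report.

param(
    [int]$InactiveDays = 90,   # assumed threshold: no sign-in for this many days
    [int]$PendingDays  = 30    # assumed threshold: invitation never accepted
)

# SignInActivity requires the AuditLog.Read.All scope and an Azure AD Premium licence.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

$guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
    -Property Id, DisplayName, Mail, CreatedDateTime, ExternalUserState, SignInActivity

$now   = Get-Date
$stale = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    $reason = $null
    if ($g.ExternalUserState -eq 'PendingAcceptance' -and
        $g.CreatedDateTime -lt $now.AddDays(-$PendingDays)) {
        $reason = "invitation not accepted for $PendingDays+ days"
    }
    elseif (-not $lastSignIn -and $g.CreatedDateTime -lt $now.AddDays(-$InactiveDays)) {
        $reason = "never signed in"
    }
    elseif ($lastSignIn -and $lastSignIn -lt $now.AddDays(-$InactiveDays)) {
        $reason = "last sign-in $($lastSignIn.ToString('yyyy-MM-dd'))"
    }
    if ($reason) {
        [pscustomobject]@{ DisplayName = $g.DisplayName; Mail = $g.Mail; Reason = $reason; Id = $g.Id }
    }
}

$stale | Format-Table -AutoSize

# Deleting a guest is a soft delete: the object stays under "Deleted users" for 30 days
# and can be restored by an administrator if the person asks for it within that window.
foreach ($u in $stale) {
    Remove-MgUser -UserId $u.Id -WhatIf
}
```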

Hope this helps, and thanks to my colleague Guido (@ggibens) for pointing me to this new simplified capability.

Wim Matthyssen (@wmatthyssen)