Deleting an Azure Directory Tenant is a permanent action that cannot be undone, so make sure you're certain before proceeding.
You'll need to be a Global Administrator in the Azure Active Directory (Azure AD) to initiate the deletion process.
To begin, you must have a subscription with Azure AD Premium P1 or P2, or Enterprise Mobility + Security (EMS) E3 or E5, as these plans offer the necessary features for deletion.
The deletion process will also remove all associated resources, including users, groups, and applications.
Deleting Azure AD
Deleting Azure AD is a multi-step process that requires caution and attention to detail. You'll need to navigate to Applications, Identity Providers, and All Policies and delete all entries under each of them.
To delete the b2c-extensions-app application, select it and click Delete, then confirm the deletion when prompted. The portal will then show a list of issues that must be resolved before you can delete the directory.
You'll need to resolve the Microsoft Azure entry that appears in the Resource column by clicking the link, setting the permission to Yes on the Properties blade, and clicking Save. Once that change is saved, the issue clears and you can delete the directory.
Alternatively, you can use PowerShell to remove deleted Azure AD accounts. To do this, you'll need to install the Azure Active Directory PowerShell and Microsoft Online Services modules, then connect to Azure AD using the Connect-AzureAD cmdlet.
Once connected, you can run the Get-MsolUser cmdlet to return a list of deleted users together with their object identifier, and then pipe the set to the Remove-AzureADMSDeletedDirectoryObject cmdlet to permanently remove the deleted accounts.
If you're using the Microsoft Graph PowerShell SDK, you can use the Get-MgDirectoryDeletedItem cmdlet to find deleted user accounts, and then run the Remove-MgDirectoryDeletedItem cmdlet to permanently remove the soft-deleted Azure AD account.
Before deleting the Azure AD tenant, make sure you have a local Global Admin account that you can leave as the only account, and add a new user with Global Admin privileges using the Classic portal. This will ensure you can complete the deletion process successfully.
Removing Deleted Azure AD Accounts with PowerShell
To remove deleted Azure AD accounts with PowerShell, you need to install both the Azure Active Directory PowerShell and Microsoft Online Services modules on your computer.
The Azure AD PowerShell module allows you to run the Get-MsolUser cmdlet to return a list of deleted users together with their object identifier.
After finding the required account, you can remove their user object permanently by running the Remove-AzureADMSDeletedDirectoryObject cmdlet.
Removal is immediate and the account is then irrecoverable.
To permanently remove deleted accounts from Azure AD before their deletion retention period expires, you can pipe the set of objects retrieved by Get-MsolUser to the Remove-AzureADMSDeletedDirectoryObject cmdlet.
Alternatively, you can use the Microsoft Graph PowerShell SDK, which is the recommended approach due to the deprecation of the Microsoft Online Services and Azure AD PowerShell modules.
To find deleted user accounts using the Microsoft Graph PowerShell SDK, run the Get-MgDirectoryDeletedItem cmdlet, which fetches deleted Azure AD accounts in the same way the Microsoft Entra admin center does.
Once you've found the account to delete, run the Remove-MgDirectoryDeletedItem cmdlet and pass the object identifier of the account to delete.
Azure Directory Deletion
To delete an Azure directory, you'll need to navigate to Applications, Identity Providers, and All Policies and delete all entries under each of them.
You can do this by using the Azure portal, where you'll find a list of things that must be resolved before you can delete the directory.
To resolve the Microsoft Azure entry that appears in the Resource column, click the link and change the permissions to Yes in the Properties blade and click Save.
This will allow you to delete the directory once Azure has completed that operation.
You can then remove accounts by running the Get-MsolUser cmdlet to return a list of deleted users together with their object identifier.
After finding the required account, you can remove its user object permanently by running the Remove-AzureADMSDeletedDirectoryObject cmdlet.
You'll need to add a user with a 'local' Global Admin account in the tenant, which you can do using the Classic portal.
Make a note of the 'onmicrosoft.com' username, as you'll need it later.
You'll also need to use PowerShell to remove the Service Principals mentioned in the AAD Error Details.
First, install the AzureAD PowerShell module by running the following command in Windows PowerShell ISE.
Once installed, run the following PowerShell commands to remove the Service Principals.
You may see a list of Service Principals, and you can remove them one by one by substituting 'ServicePrincipal' with the actual name.
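The service principal clean-up described above, written out as an added example that is not from the original article or its sources. It assumes the AzureAD module (deprecated, but the one these steps use), a Global Administrator sign-in, and a constructed placeholder name 'ServicePrincipal' that you replace with the name from the AAD error details; the dry-run switch lets you check the match before anything is removed.

```powershell
# Added example, not from the original article. Assumes the AzureAD module and a
# Global Administrator sign-in. 'ServicePrincipal' below is a constructed placeholder.
Install-Module -Name AzureAD -Scope CurrentUser   # one-time install
Import-Module AzureAD
Connect-AzureAD                                    # interactive sign-in

# List every service principal first so names can be matched against the AAD error details
Get-AzureADServicePrincipal -All $true |
    Select-Object DisplayName, AppId, ObjectId |
    Sort-Object DisplayName |
    Format-Table -AutoSize

# Remove one service principal by display name; refuse ambiguous matches so that
# nothing other than the entry named in the error details is deleted
function Remove-BlockingServicePrincipal {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [switch]$WhatIf
    )
    # Double any apostrophe so the OData filter stays well-formed
    $escaped = $DisplayName.Replace("'", "''")
    $sp = @(Get-AzureADServicePrincipal -Filter "displayName eq '$escaped'")
    if ($sp.Count -eq 0) { throw "No service principal named '$DisplayName'." }
    if ($sp.Count -gt 1) { throw "More than one service principal named '$DisplayName'; remove by ObjectId instead." }
    if ($WhatIf) {
        Write-Host "Would remove $($sp[0].DisplayName) ($($sp[0].ObjectId))"
        return
    }
    Remove-AzureADServicePrincipal -ObjectId $sp[0].ObjectId
    Write-Host "Removed $($sp[0].DisplayName) ($($sp[0].ObjectId))"
}

Remove-BlockingServicePrincipal -DisplayName 'ServicePrincipal' -WhatIf   # dry run first
# Remove-BlockingServicePrincipal -DisplayName 'ServicePrincipal'          # actual removal
```

Run the dry run once per name from the error details, then repeat the call without -WhatIf for each confirmed entry.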
Microsoft Graph Updates
Microsoft has announced their intention to deprecate the Microsoft Online Services and Azure AD PowerShell modules. You should replace any code using these modules with cmdlets from the Microsoft Graph PowerShell SDK.
To find deleted user accounts, run a Graph API request similar to how the Microsoft Entra admin center fetches deleted Azure AD accounts. This request can be sniffed behind the scenes using the Graph X-ray add-on to discover the code used.
The Microsoft Graph PowerShell SDK provides a cmdlet to permanently remove a soft-deleted Azure AD account. To use this cmdlet, you'll need to pass the object identifier of the account to delete.
The cmdlet for removing a soft-deleted account is called Remove-MgDirectoryDeletedItem.
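The Graph SDK replacement for the Get-MsolUser / Remove-AzureADMSDeletedDirectoryObject pipeline described in the earlier sections, as an added example that is not from the original article or its sources. It assumes the Microsoft Graph PowerShell SDK, a sign-in that is granted the Directory.ReadWrite.All and User.ReadWrite.All scopes, and a constructed '*contractor*' UPN pattern as the selection rule; the request it issues is the directory/deletedItems call the admin center makes.

```powershell
# Added example, not from the original article. Assumes the Microsoft Graph PowerShell SDK
# and a sign-in holding the scopes below. The '*contractor*' pattern is a constructed demo value.
Connect-MgGraph -Scopes 'Directory.ReadWrite.All', 'User.ReadWrite.All'

# Same request the Entra admin center sends: list soft-deleted user objects, following paging
function Get-SoftDeletedUsers {
    $uri = 'https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user' +
           '?$select=id,displayName,userPrincipalName,deletedDateTime'
    $result = @()
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $result += $page.value
        $uri = $page.'@odata.nextLink'    # $null on the last page, which ends the loop
    }
    return $result
}

# Permanently remove one soft-deleted account by object identifier. Irreversible.
function Remove-SoftDeletedUser {
    param([Parameter(Mandatory)][string]$ObjectId)
    Remove-MgDirectoryDeletedItem -DirectoryObjectId $ObjectId
}

$deleted = Get-SoftDeletedUsers
$deleted | Select-Object id, userPrincipalName, deletedDateTime | Format-Table -AutoSize

# Narrow to the accounts you actually intend to purge, then confirm each one explicitly
$toPurge = $deleted | Where-Object { $_.userPrincipalName -like '*contractor*' }
foreach ($u in $toPurge) {
    $answer = Read-Host "Permanently remove $($u.userPrincipalName) ($($u.id))? [y/N]"
    if ($answer -eq 'y') {
        Remove-SoftDeletedUser -ObjectId $u.id
        Write-Host "Purged $($u.userPrincipalName)"
    }
}
```

Accounts not purged here are still removed automatically when their 30-day retention expires, so limit the pattern to the accounts that must go early.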
Frequently Asked Questions
How do I delete a directory in my Azure account?
To delete a directory in your Azure account, sign in as a Global Administrator and navigate to the Manage tenants page. From there, select the tenant to delete and confirm the action.
Sources
- https://www.atmosera.com/blog/how-to-really-delete-an-azure-active-directory-b2c-tenant/
- https://practical365.com/permanently-remove-deleted-office-365-users/
- https://www.jeffgilb.com/deleting-azure-active-directory/
- https://nicholasrogoff.com/2017/01/20/how-to-delete-an-azure-active-directory-add-tenant/
- https://www.prajwaldesai.com/delete-orphaned-groups-in-azure-ad-powershell/