I defeated the Azure end boss

I am so pumped. Yesterday I managed to finally delete all three of my Azure shadow tenants. What is a shadow tenant? Come sit by the fire and I will explain.

Microsoft has this schism between Microsoft Accounts and Azure Accounts. For some products Microsoft creates an Azure Account when you log in with a Microsoft Account if it believes you are a potential enterprise client. This happened to me when I had first contact with Microsoft Teams. A co-author wanted to collaborate via Teams when authoring an article and invited me to his Teams team as a guest. I logged in with my Microsoft account and from then on I would always be asked if I wanted to log in with my personal or my business account.

OK, that is only one question to answer, but you suddenly have two accounts to secure. And the terrible thing about these shadow accounts is that when anything goes wrong you are being told to contact your admin, but there is no admin. You are on a cruise ship without a captain. You never wanted to own a cruise ship. In fact, you only wanted to cross the river to get to the other side.

My first Azure tenant was ‘vowenet.onmicrosoft.com’. I learned how to become captain of this account and it involves signing up for a free PowerBI trial (yes, really!) and then publishing a TXT record to your DNS (yes, really!) and the next time you log in, you will be asked if you want to be admin. Yay! I created a new admin, deleted the twin of my Microsoft account, and failed at deleting the Azure tenant.

I got my second Azure tenant when I signed up for the free Teams account in 2020: ‘vowevowenet.onmicrosoft.com’. This tenant hosted the Circus team. I cannot remember how I became admin, but it was probably the same detour as the first time. Last week I retired the Circus team which had caused me quite a bit of admin headaches and tried to delete the tenant, and I failed again.

But this time, I pressed on. Microsoft would not let me delete the Azure account although I was Global Admin (god) because I presumably had a subscription active. I totally understand that Microsoft makes it difficult to sink a cruise ship, but remember, I never wanted one in the first place. It would not show any licenses in Azure Active Directory, but I was looking in the wrong place. I had this free 300 people Teams subscription, but that is in Microsoft 365 and not (directly) in Azure. Once I found the subscription, I went through a deactivate/delete operation and had to wait 3+ days for the deletion to go through, but then finally, I checked out OK and could remove the second Azure tenant.

I had also started the deletion process on the dormant first shadow tenant. The roadblock was a free 100 people Teams subscription, from the days back when I first had contact with Teams, only as a guest. Removed the second Azure tenant. Yay.

But wait. When I logged in again it still asked me Microsoft Account or Company account? There was another shadow tenant hiding in the shadow (pun intended). I went to the AAD portal and found vowenet0.onmicrosoft.com. I have a hunch that was created when I trained for my Microsoft Azure Architect certification. I was in full swing. Start PowerBI free trial, accept admin duties, publish DNS record, take over the tenant, remove all free unused subscriptions, remove tenant.

Bingo. Three shadow tenants down and I am free. No more questions about personal or business accounts.

Sidenote: Windows 11 comes with a personal version of Teams, which is completely useless. You cannot talk to Skype contacts, you cannot talk to work Teams, it’s just another version of everything. Don’t waste your time and just delete it.

7 thoughts on “I defeated the Azure end boss”

  1. I read the sidenote like this:
    MS missed a good chance there to push into the territory of Slack/Discord etc., whatever else is used privately, with a preinstalled Teams.

    Otherwise: thanks for the tutorial, it will surely come in handy someday!

    1. Indeed. That is a royal F’up. And I think Microsoft has already understood that too. Teams is a huge construction site and super important.

  2. Connection between private Teams and business Teams is coming shortly.

    That both apps have the same name on W11 is a complete disaster, though.

  3. Viral tenants were never a good idea. I had to do several admin takeovers of viral tenants that were created by employees because they used a PowerBI trial. Also it used to happen in certain cases when you were invited to a tenant as a B2B user – but Microsoft disabled that process 🙂

  4. Dear Volker, a thousand thanks for this guide! I have just successfully eliminated 1 of 2 shadow tenants.

  5. My nerves, I am so glad that I can give this MS stuff a wide berth and only rarely have to use it. My sympathy to everyone who has to endure these contortions. Hopefully MS does not get the idea of applying this madness to Github & co as well.
