Taking over a Microsoft Azure Active Directory shadow tenant

by Volker Weber

Sketch

When you are invited as a guest into a Microsoft Teams space and there is no Azure Active Directory tenant for your domain, as there wasn't for mine, signing up creates a new user (and a domain). I was recently confused by that. I had just entered my personal credentials, and it created a second user with the same name/password combination. One was a work account, the other a personal account. I could not really get rid of the work account, because there was no admin for my domain. Imagine yourself on a big ship, without a crew.

Then I wanted to set up a free team myself, but I could not. Microsoft had not planned for somebody with a work account he could not manage. I asked for help, but received an answer that this unfortunately could not be done. That was the end of it.

Only, it wasn't.

Gregory told me to google for "IT admin takeover", which leads to multiple documents, one of them being "Take over an unmanaged directory as administrator in Azure Active Directory". If you control the DNS entry for your domain, you can prove to Microsoft that you are supposed to be the admin: the process asks you to add a TXT record to the DNS entry for your domain, and once you have done that it grants you admin rights for the shadow domain.
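The whole takeover hinges on one thing: whoever can publish a TXT record in the domain's DNS zone is treated as the domain's administrator. Before pressing "Verify", it is worth checking that the record is actually visible to resolvers, and while you are at it, that no other Microsoft verification token is sitting in your zone that you did not put there. The script below is an added example, not code from the original post or from Microsoft. It assumes the record has the "MS=ms..." form used by Microsoft 365 domain verification (the token value is a constructed placeholder), and it parses the output of `dig +short TXT <domain>`; the sample output is constructed so the script runs offline.

```python
"""Check that the TXT record Microsoft asked for is published before you
press "Verify" in the unmanaged-directory takeover flow, and flag any
other Microsoft verification token found in the zone.

Added example, not part of the original post. Assumptions:
  - the verification record has the "MS=ms<digits>" form used by
    Microsoft 365 domain verification; the token below is a placeholder
  - input is `dig +short TXT <domain>` output (or any list of TXT strings)
"""
import re

# Constructed sample of `dig +short TXT example.com` output. dig wraps each
# TXT string in double quotes; a record may be split into several quoted
# chunks on one line, which resolvers join without a separator.
SAMPLE_DIG_OUTPUT = '''"v=spf1 include:spf.protection.outlook.com -all"
"MS=ms00000000"
"google-site-verification=" "abc123placeholder"
'''

# Shape of a Microsoft domain-verification token (assumption, see above).
MS_TOKEN_RE = re.compile(r"^MS=ms\d+$", re.IGNORECASE)

# One double-quoted chunk; backslash escapes inside the chunk are kept as-is.
QUOTED_CHUNK_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_dig_txt(output):
    """Turn `dig +short TXT` output into a list of plain TXT strings,
    one per record, joining multi-chunk records."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        chunks = QUOTED_CHUNK_RE.findall(line)
        # Fall back to the raw line if a resolver printed it unquoted.
        records.append("".join(chunks) if chunks else line)
    return records


def find_ms_tokens(records):
    """Return every record that looks like a Microsoft verification token."""
    return [r.strip() for r in records if MS_TOKEN_RE.match(r.strip())]


def verification_status(records, expected_token):
    """Report whether the token Microsoft gave you is visible, and list any
    other Microsoft tokens in the zone. An unexpected token means someone
    with control of this DNS zone has already completed a verification
    you did not perform, which is exactly the step that hands out admin
    rights on the tenant."""
    tokens = find_ms_tokens(records)
    wanted = expected_token.strip().lower()
    ready = any(t.lower() == wanted for t in tokens)
    unexpected = [t for t in tokens if t.lower() != wanted]
    return {"ready": ready, "unexpected_tokens": unexpected}


if __name__ == "__main__":
    # Replace SAMPLE_DIG_OUTPUT with real `dig +short TXT yourdomain` output
    # and the placeholder with the token shown in the takeover wizard.
    recs = parse_dig_txt(SAMPLE_DIG_OUTPUT)
    print(verification_status(recs, "MS=ms00000000"))
```

Run it against `dig +short TXT yourdomain | python3 check_txt.py` style input, or paste the dig output into `SAMPLE_DIG_OUTPUT`. Public resolvers cache TXT answers, so a freshly added record may show up on your authoritative server before it shows up here; query the authoritative server with `dig @ns1.yourdomain TXT yourdomain` if the check stays at `ready: False` longer than the zone's TTL.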

You are still on a big ship, but now you are the captain.

So I first created a new admin on the vowenet.onmicrosoft.com domain, then deleted my original admin and the domain. Finally, I was free again.

Be careful though. A big ship has lots of buttons and dials. Don't make yourself captain if you don't know how to operate a big ship.

Comments

captian (spelling)

Ron Wayne, 2018-08-12

I always hated that viral tenant scenario and I asked Microsoft if they would also create viral tenants for domains like google.com, gmx.de and the like. The answer was that there is a nondisclosed blacklist ...

But I have the feeling that viral tenant creation will go away eventually - e.g. SharePoint sharing via secure links works with any mail account and does not create a viral tenant. Better.

Tobias Zuegel, 2018-08-13
