Taking over a Microsoft Azure Active Directory shadow tenant

by Volker Weber

Sketch

When you are invited as a guest into a Microsoft Teams space and there is no Azure Active Directory tenant for your domain, as there wasn't for my domain, you create a new user (and a domain) when you sign up. I was recently confused by that. I had just entered my personal credentials and it created a second user with the same name/password combination. One was a work account, the other a personal account. I could not really get rid of the work account, because there was no admin for my domain. Imagine yourself on a big ship, without a crew.

Then I wanted to set up a free team myself but I could not. Microsoft had not planned for somebody with a work account he could not manage. I asked for help, but received the answer that this could unfortunately not be done. That was the end of it.

Only, it wasn't.

Gregory told me to google for "IT admin takeover", which leads to multiple documents, one of them being "Take over an unmanaged directory as administrator in Azure Active Directory". If you control the DNS zone for your domain, you can prove to Microsoft that you are supposed to be the admin. The process asks you to add a TXT record to the DNS entry for your domain and, once you have done that, grants you admin rights for the shadow domain.
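The takeover rests entirely on a DNS TXT record: whoever can publish it for the domain is treated as the domain's administrator. Two things follow for a practitioner. Before clicking "Verify" you want to confirm the record has actually propagated, and as a domain owner you want to notice verification records in your zone that you did not place, because that is what a takeover by someone else would look like. The script below is an added example, not code from the original post or from Microsoft. It parses the answer lines of a `dig TXT example.com` run (a constructed sample is embedded so it runs offline) and checks for the exact token the wizard displayed. The `MS=ms…` shape of the Microsoft 365 verification record is an assumption from general experience, not something the post states; `example.com` and the token values are constructed.

```python
"""Check a domain's TXT records for the tenant-takeover verification token.

Added example, not part of the original post. It works on the text of a
`dig TXT <domain>` answer so it needs no network access; paste real dig
output into `txt_record_texts` to use it for a real check.
"""
import re
import shlex
from typing import Iterable, List

# Shape of the Microsoft 365 / Azure AD domain-verification record.
# ASSUMPTION based on general experience, not stated in the post.
MS_VERIFICATION = re.compile(r"^MS=ms\d+$")

# Constructed sample of `dig TXT example.com` output. The MS= token and the
# other values are made up for this example.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.16 <<>> TXT example.com
;; ANSWER SECTION:
example.com.		300	IN	TXT	"v=spf1 include:spf.protection.outlook.com -all"
example.com.		300	IN	TXT	"MS=ms00000000"
example.com.		300	IN	TXT	"google-site-ver" "ification=CONSTRUCTED"
"""


def parse_txt_rdata(rdata: str) -> str:
    """Join the quoted character-strings of one TXT record into its text.

    dig prints a long TXT record as several quoted strings separated by
    spaces; per DNS semantics they are one record, so concatenate them.
    """
    return "".join(shlex.split(rdata))


def txt_record_texts(dig_output: str) -> List[str]:
    """Extract the text of every TXT record from dig answer lines.

    An answer line has five whitespace-separated fields:
    owner name, TTL, class, type, rdata. Comment lines start with ';'.
    """
    texts = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) == 5 and parts[3].upper() == "TXT":
            texts.append(parse_txt_rdata(parts[4]))
    return texts


def has_verification_token(texts: Iterable[str], token: str) -> bool:
    """True when the exact token the takeover wizard displayed is published.

    Comparison is exact: a record that differs by a single character will
    not satisfy the verifier either.
    """
    return any(t == token for t in texts)


def find_ms_verification_records(texts: Iterable[str]) -> List[str]:
    """Return every record that looks like a Microsoft domain-verification
    token. A domain owner who did not publish any of these should treat
    them as a sign that somebody else has claimed, or is claiming, the
    tenant for this domain."""
    return [t for t in texts if MS_VERIFICATION.match(t)]


def unexpected_ms_records(texts: Iterable[str], expected: Iterable[str]) -> List[str]:
    """MS= records in the zone that are not in the owner's own allow-list."""
    allowed = set(expected)
    return [t for t in find_ms_verification_records(texts) if t not in allowed]


if __name__ == "__main__":
    records = txt_record_texts(SAMPLE_DIG_OUTPUT)
    print("TXT records found:", records)
    print("token published:", has_verification_token(records, "MS=ms00000000"))
    print("MS= records:", find_ms_verification_records(records))
    print("unexpected MS= records:", unexpected_ms_records(records, []))
```

Run it against live data with `dig TXT yourdomain.example` and pass the output to `txt_record_texts`; `unexpected_ms_records` with your own known token as the allow-list gives you a one-line check that fits in a periodic zone audit.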

You are still on a big ship, but now you are the captain.

So I first created a new admin on the vowenet.onmicrosoft.com domain, then deleted my original admin and the domain. Finally, I was free again.

Be careful though. A big ship has lots of buttons and dials. Don't make yourself captain if you don't know how to operate a big ship.

Comments

captian (spelling)

Ron Wayne, 2018-08-12

I always hated that viral tenant scenario and I asked Microsoft if they would also create viral tenants for domains like google.com, gmx.de and the like. The answer was that there is a nondisclosed blacklist ...

But I have the feeling that viral tenant creation will go away eventually - e.g. SharePoint sharing via secure links works with any mail account and does not create a viral tenant. Better.

Tobias Zuegel, 2018-08-13
