Question

I previously created (successfully) a Windows Azure Active Directory, added a custom domain, and configured it for both single sign-on and directory synchronization using an on-premise ADFS2.0 server. So far so good.

Having realised I should have attached the custom domain to an existing WAAD rather than the new one, I then decided to delete the new one. To ensure there was no risk of deleting any objects in the on-premise AD, I first deleted the trust relationship on our on-premise ADFS server.

Unfortunately, this has now left me in a situation where I'm unable to use the Azure Active Directory PowerShell cmdlets to manage the WAAD - Connect-MSOLService either returns "Exception of type 'Microsoft.Online.Administration.Automation.MicrosoftOnlineException' was thrown." if I use the Microsoft Account credentials of the subscription owner (but where the email address happens to be on the same domain as the custom domain I added), or "The user name or password is incorrect. Verify your user name, and then try again" if I use the credentials of another Global Administrator of that directory with an email address not on the custom domain.

Both sets of credentials allow logging in to the portal successfully.

Unfortunately I can't now delete the WAAD, because it contains objects - and without PowerShell access, I don't believe I can bulk delete the ~500 users and groups that got sync'd from on-premise before deleting the trust.

Any idea how I can either recover the trust relationship, connect successfully with PowerShell, or delete the unwanted directory?

Many thanks!


Solution

Try the following (I'm sure you've done most of this, but perhaps you missed a step):

  1. Log in to the Azure portal (https://manage.windowsazure.com) and navigate to ACTIVE DIRECTORY.
  2. Choose the directory that you aren't able to access via PowerShell and click ADD USER.
  3. Under 'TYPE OF USER', choose 'New user in your organization' and choose a username, under the initial domain (e.g. admin@contoso.onmicrosoft.com).
  4. Fill out the next page, and make sure you assign the role of 'Global Administrator'. Make sure you copy the password in the last step.
  5. Once the user is created, you need to reset the password. An easy way is to start a new browser session and navigate to https://portal.microsoftonline.com. You'll be prompted to reset the password.
  6. Now go to PowerShell and try Connect-MsolService using the new user account you just created. You should now be able to remove all objects.

A few notes:

  • Even if you are able to add a Microsoft Account (MSA) to your directory via the Azure portal, there is currently no support for using the user account for anything else, including PowerShell.
  • Every directory has an initial domain which ends in '.onmicrosoft.com'.
  • You won't be able to remove a domain if there are any users using that domain. If this is not the case, you can remove the domain using the Azure portal ('DOMAINS' section) and simply forget about that directory.
  • As @Rick Rainey said, you can't currently remove a directory, but you can leave it empty.
  • Currently, DirSync is a one-way sync where everything is mastered on-premises.
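
The step 6 clean-up, as an added example that is not part of the original question or answer. It assumes the MSOnline module (Connect-MsolService, Get-MsolUser, Remove-MsolUser, Set-MsolDirSyncEnabled and related cmdlets) is installed, and that the cloud-only Global Administrator created in steps 3 to 5 is admin@contoso.onmicrosoft.com; that name and the contoso.com domain are placeholders. It defaults to a dry run so the tenant name and object counts can be checked before anything is deleted, and it only touches objects that carry an ImmutableId or LastDirSyncTime, i.e. the ones that came from DirSync, leaving the cloud-only admin untouched.

```powershell
# Added example; not code from the original post. Assumes the MSOnline module.
# $AdminUpn and the domain in the last line are placeholders: substitute your own.
param(
    [string]$AdminUpn = 'admin@contoso.onmicrosoft.com',   # placeholder, cloud-only admin from steps 3-5
    [switch]$DryRun = $true                                 # re-run with -DryRun:$false to delete
)

Import-Module MSOnline -ErrorAction Stop

# Step 6: connect with the new cloud-only account, not a Microsoft Account (see note 1).
$cred = Get-Credential -UserName $AdminUpn -Message 'Cloud-only Global Administrator'
Connect-MsolService -Credential $cred

# Confirm we are in the intended directory before deleting anything.
$company = Get-MsolCompanyInformation
Write-Host "Connected to tenant : $($company.DisplayName)"
Write-Host "DirSync enabled     : $($company.DirectorySynchronizationEnabled)"

# Synced users carry an ImmutableId; cloud-only users (such as our admin) do not.
$syncedUsers  = Get-MsolUser  -All | Where-Object { $_.ImmutableId -and $_.UserPrincipalName -ne $AdminUpn }
# Synced groups have a LastDirSyncTime; groups created in the cloud do not.
$syncedGroups = Get-MsolGroup -All | Where-Object { $_.LastDirSyncTime }

Write-Host "Synced users to remove : $($syncedUsers.Count)"
Write-Host "Synced groups to remove: $($syncedGroups.Count)"

if ($DryRun) {
    Write-Host 'Dry run only; nothing was deleted. Re-run with -DryRun:$false to delete.'
    return
}

# Turning off directory synchronization makes the synced objects cloud-managed so
# they can be removed; the on-premises trust is already gone, so nothing flows back.
if ($company.DirectorySynchronizationEnabled) {
    Set-MsolDirSyncEnabled -EnableDirSync $false -Force
}

foreach ($g in $syncedGroups) {
    Remove-MsolGroup -ObjectId $g.ObjectId -Force
}

foreach ($u in $syncedUsers) {
    # The first call soft-deletes the user; the second purges it from the recycle
    # bin so that no user still references the custom domain (see note 3).
    Remove-MsolUser -ObjectId $u.ObjectId -Force
    Remove-MsolUser -ObjectId $u.ObjectId -Force -RemoveFromRecycleBin
}

# What is left should be only the cloud-only account(s) on the initial domain.
Get-MsolUser -All | Select-Object UserPrincipalName, ImmutableId

# Once no user uses the custom domain it can be released from this directory,
# either in the portal's DOMAINS section or with the cmdlet below (placeholder domain).
# Remove-MsolDomain -DomainName 'contoso.com' -Force
```

Run it once as-is to see the tenant name and counts, then with `-DryRun:$false`. Filtering on ImmutableId and LastDirSyncTime rather than deleting every object is what keeps the newly created Global Administrator (and any other cloud-only account) out of the deletion loop.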
Licensed under: CC-BY-SA with attribution