Can't delete Azure Active Directory (AAD) with Visual Studio Team Services (VSTS) Enterprise Applications entries

[Updated August 3, 2018]

SYMPTOM: You have an Azure Active Directory (AAD) you'd like to delete. This directory was at one time used to back a Visual Studio Team Services (VSTS) account. You receive a message like this below when trying to delete the AAD and you are prevented from deleting it because there is a VSTS entry in it's Enterprise Applications list.

 

 

RESOLUTION: Assuming you've already removed the VSTS account from this AAD and satisfied all other criteria for deletion of an AAD, you should be able to delete it after manually disabling the VSTS Service Principal (SP) via PowerShell. The following explains how to do that.

*!*WARNING*!*
Only do this if you intend to delete the AAD
*!*WARNING*!*

  1. The following needs to be executed by a user who is native to the AAD (not invited into it) and who is a Global Admin in the AAD. You cannot do the following with a Microsoft Account. So first step if you don't have one of these already is to create a new user in the AAD and make that user a Global Admin.
  2. On an x64 Windows machine open an Admin Windows PowerShell prompt
  3. If you don't have the Azure Active Directory PowerShell for Graph already installed, we need to install it. Execute Install-Module -Name AzureAD to do this. This will download the Azure Active Directory PowerShell for Graph from the PowerShell Gallery. You may see prompts about installing NuGet and untrusted repository as pictured below.  If you run into issues please review the system requirements and information at the Azure Active Directory PowerShell for Graph page.
  4. Once the installation completes, execute Connect-AzureAD. You will be prompted to log in to the Azure AD. Be sure to use an ID that meets the criteria discussed in step 1. After connection you will see a printout listing Account, Environment, TenantId, etc. Make sure you’re in the correct Azure AD scope by checking that the TenantId reported inside the PowerShell prompt matches that of the Azure AD you’re trying to delete, as displayed in the Azure Portal.
  5. Execute Get-AzureADServicePrincipal | Remove-AzureADServicePrincipal.  This will generate errors for the SPs that cannot be removed, like "Message: Specified App Principal ID is Microsoft Internal." That's expected, but it will take out the VSTS entries. 
  6. Return to Portal.Azure.com and try to delete your AAD again. Remember to delete the new user you created in step 1, if you made one.

Hope this helps! :-)
--Trev

 


References: