Self-Service leaving a lingering Azure AD tenant as an admin

"So long and thanks for all the fish."

Have you been invited to someone’s Azure tenant as an admin? Did you do the work and leave, but are you still seeing the tenant? Or did you quit, only to find the tenant still staring at you in the Azure portal? Can’t be invited to Azure tenants, because you’re already invited to about 20 tenants?

Frustrating, I know.

… But now there’s a solution!

People can now self-service leave an organization they were invited to. This feature was announced on May 14, 2018 in a blog post by Alex Simons dedicated to all the new stuff in Azure AD B2B. While the blog post aims at user access, this is great news for admins who were invited to ‘Hotel California’-style Azure AD tenants.

 

About Self-Service leaving an organization

This feature is good news for anyone who is invited to any organization and/or tenant with either their Office 365 (“work or school”) account or Microsoft (“personal”) account, because they can now easily leave an organization to which they have been invited, once their relationship with that organization has come to an end. It’s no longer necessary to contact an admin of the inviting organization to have the account removed.

Before this feature was released, admins couldn’t delete their own guest accounts from Azure Active Directory tenants, and needed to contact another global admin in the Azure tenant to perform this action. Many times, Conditional Access rules wouldn’t even permit access to the Azure Portal when not present at the organization’s location(s).

 

A positive effect of GDPR

Many people aren’t too happy with Europe’s General Data Protection Regulation (GDPR). Of course, it entails work for many organizations who haven’t been up to spec for the last couple of years and are only scrambling to comply because sanctions will apply starting May 25, 2018.

However, this feature was introduced to meet the requirements in Europe’s General Data Protection Regulation (GDPR), where Article 17 provides people the right to erasure, also referred to as the right to be forgotten.

An Azure Active Directory (Azure AD) B2B guest user can decide to leave an organization at any time if they no longer need to use apps from that organization or maintain any association.

When a user leaves an organization, the user account is “soft deleted” in the directory. By default, the user object moves to the Deleted users state in Azure AD but is not permanently deleted for 30 days. This soft deletion enables the administrator to restore the user account (including groups and permissions), if the user makes a request to restore the account within the 30-day period.
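For an admin of the inviting tenant, the 30-day restore window described above can be tracked with a short script. This is an added example, not part of the original post: it assumes the deleted-user list was fetched from Microsoft Graph (`GET /directory/deletedItems/microsoft.graph.user`), and the sample response, the addresses and the `NOW` value are constructed.

```python
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)  # soft-delete window stated in the article
NOW = datetime(2018, 6, 5, tzinfo=timezone.utc)  # constructed "current time"

# Constructed sample shaped like a Graph deleted-users response (values made up).
SAMPLE = {"value": [
    {"id": "00000000-0000-0000-0000-000000000001", "userType": "Guest",
     "mail": "consultant@partner.example", "deletedDateTime": "2018-05-20T09:15:00Z"},
    {"id": "00000000-0000-0000-0000-000000000002", "userType": "Guest",
     "mail": "old.admin@vendor.example", "deletedDateTime": "2018-04-10T12:00:00Z"},
    {"id": "00000000-0000-0000-0000-000000000003", "userType": "Member",
     "mail": "employee@tenant.example", "deletedDateTime": "2018-06-01T08:00:00Z"},
    {"id": "00000000-0000-0000-0000-000000000004", "userType": "Guest",
     "mail": "broken@partner.example", "deletedDateTime": None},
    {"id": "00000000-0000-0000-0000-000000000005", "userType": "Guest",
     "mail": "auditor@firm.example", "deletedDateTime": "2018-05-10T00:00:00Z"},
]}

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp; return None if missing or malformed."""
    try:
        parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError):
        return None
    return parsed.replace(tzinfo=timezone.utc)

def restorable_guests(response, now):
    """Soft-deleted guests still inside the restore window, soonest purge first."""
    rows = []
    for user in response.get("value", []):
        if user.get("userType") != "Guest":
            continue  # only B2B guests are of interest here
        deleted = parse_ts(user.get("deletedDateTime"))
        if deleted is None:
            continue  # no usable deletion time, cannot compute a deadline
        purge_at = deleted + RETENTION
        if purge_at > now:  # past this moment the object is permanently gone
            rows.append({"id": user["id"], "mail": user.get("mail"),
                         "purge_at": purge_at, "days_left": (purge_at - now).days})
    return sorted(rows, key=lambda row: row["purge_at"])

if __name__ == "__main__":
    for row in restorable_guests(SAMPLE, NOW):
        print(row["mail"], "restorable for", row["days_left"], "more day(s)")
```

Because a restore brings back the account's groups and permissions, review what a former guest admin held before restoring it.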

 

How to leave a lingering organization

To leave an organization, perform these steps:


  • Next to Organizations, select the settings icon (gear).

Note:
If you can’t see the settings icon (gear), widen the browser screen. The Access Panel user interface is a reactive interface that adepts to the width of the screen. If the screen is too narrow, a hamburger menu will be shown. In this menu, the settings icon (gear) is not (yet) present.


  • Under Organizations, find the organization that you want to leave, and select Leave organization. If you’re not already signed in to the organization that you want to leave, select your name in the upper-right corner, and click the organization you want to leave or follow the Sign in to leave organization link and repeat the last two steps.


  • When asked to confirm, select Leave.

Repeat the steps above to leave the organizations you want to leave and keep the organizations you want to keep.

 

Concluding

My Microsoft account had hit the limit of 23 Azure AD tenants and couldn’t be used to redeem invitations from other organizations. This account had a couple of lingering tenants it was invited to, but was never removed from, by other admins.

Note:
These lingering tenants were all customers from previous employers, who restricted me from having any contact with them through anti-compete clauses.

So long and thanks for all the fish!

 

Further reading

Exciting improvements to the B2B collaboration experience
Azure Active Directory B2B collaboration invitation redemption
Leave an organization as a guest user
