Monday, December 21, 2015

Using PowerShell cmdlets to remove accounts in Azure Active Directory

I was recently asked to perform a cleanup in an Azure directory that had orphaned accounts left over from a previous DirSync. What the client noticed was that the accounts that used to be associated with their on-prem domain were converted to cloud-only Azure Active Directory accounts when the synchronization was removed.

Most of the accounts that they wanted removed had the user name format:

The directory also had accounts with the format:

... which they did not want removed.

This particular directory did not have many accounts, which meant that removing them manually via the GUI was possible, but I thought this would be a good opportunity to demonstrate how to use PowerShell cmdlets to filter and remove the accounts in bulk.

Begin by launching the Windows Azure Active Directory (WAAD) Module for Windows PowerShell console, execute Connect-MsolService, and sign in with a global administrator account for the Azure directory. Note that an Azure subscription administrator does not automatically hold a directory role; deleting users requires a directory role such as global administrator.

Once logged in, the cmdlet we'll be using to retrieve the set of users to be deleted is:

Get-MsolUser
Note that every environment will be different, so the following example will need to be tweaked accordingly. Also note that Get-MsolUser returns only the first 500 users unless the -All parameter is specified, so include -All if the directory is larger than that; otherwise accounts beyond the first 500 will silently be missed.

The accounts I wanted to delete in this particular Azure directory all had the format shown above, but among these accounts there was one administrative account that I did not want to delete. This account was:

With the above two requirements in mind, the two filters I needed for the Get-MsolUser cmdlet would be as follows. The pattern in the first filter must be narrowed to the UPN suffix being cleaned up: a bare "*" matches every account in the directory, which would leave the second filter as the only thing standing between the cmdlet and the admin account.

where-object {$_.UserPrincipalName -like "*"} 
where-object {$_.UserPrincipalName -notlike "o365admin*"}

Combining the two filters together will create the following cmdlet:

Get-MsolUser | where-object {$_.UserPrincipalName -like "*"} | where-object {$_.UserPrincipalName -notlike "o365admin*"}

As mentioned earlier, every directory is unique, and even if your environment matches this example, it is important to execute this cmdlet first and review the returned accounts to verify that no mistakes were made:

One of the annoyances I come across when working with PowerShell is that outputs such as the above tend to get truncated because of the length of the records. If you experience this, simply include the following at the end of the cmdlet:

| Format-Table -Wrap -AutoSize

The cmdlet would look as such:

Get-MsolUser | where-object {$_.UserPrincipalName -like "*"} | where-object {$_.UserPrincipalName -notlike "o365admin*"} | Format-Table -Wrap -AutoSize

The output would look as such:

Note that if the output above fills the screen buffer, you can redirect it to a text file and review it there by appending:

> C:\userAccounts.txt 

Once you have verified that the accounts retrieved are the ones that can be safely deleted, proceed by appending the following cmdlet to the end. Be aware that -Force suppresses the per-account confirmation prompt, so the review step above is the only safeguard. Deleted users are kept in the directory's recycle bin for 30 days; they can be listed with Get-MsolUser -ReturnDeletedUsers and brought back with Restore-MsolUser if something was removed by mistake.


Get-MsolUser | where-object {$_.UserPrincipalName -like "*"} | where-object {$_.UserPrincipalName -notlike "o365admin*"} | Remove-MsolUser -Force

You should now see the accounts removed in the Azure GUI once the cmdlet successfully completes:
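As an added example that is not part of the original post, here is the whole procedure above as one PowerShell script. It assumes the MSOnline module is installed and that Connect-MsolService has already been run in the session; the -UpnSuffix parameter, the -KeepUpnPrefixes exclusion list, the report path and the -Delete switch are names introduced here for illustration. It goes beyond the post's one-liner in three ways: it passes -All so that directories with more than 500 users are listed completely, it skips any candidate that holds a directory role rather than relying on the account name alone, and it does nothing destructive unless -Delete is given and the operator confirms the exact count.

```powershell
# Added example (not from the original post): bulk removal of cloud-only accounts
# whose UPN ends in a given suffix, with preview, CSV report, admin-role exclusion
# and an explicit confirmation gate. Assumes MSOnline is installed and
# Connect-MsolService has already been run. Parameter names are illustrative.
param(
    [Parameter(Mandatory = $true)]
    [string]$UpnSuffix,                              # assumed: the domain suffix to clean up
    [string[]]$KeepUpnPrefixes = @('o365admin'),     # accounts protected by name, as in the post
    [string]$ReportPath = "$env:TEMP\userAccounts.csv",
    [switch]$Delete                                  # without this switch the script only previews
)

Import-Module MSOnline -ErrorAction Stop

# -All is essential: without it Get-MsolUser returns at most 500 users.
$candidates = Get-MsolUser -All |
    Where-Object { $_.UserPrincipalName -like "*@$UpnSuffix" }

# First exclusion: accounts protected by name (the post's -notlike filter).
foreach ($prefix in $KeepUpnPrefixes) {
    $candidates = $candidates | Where-Object { $_.UserPrincipalName -notlike "$prefix*" }
}

# Second exclusion: anything holding a directory role, regardless of its name.
$roleHolders = @{}
foreach ($role in Get-MsolRole) {
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        ForEach-Object { $roleHolders[$_.ObjectId.ToString()] = $role.Name }
}
$protected  = $candidates | Where-Object { $roleHolders.ContainsKey($_.ObjectId.ToString()) }
$candidates = $candidates | Where-Object { -not $roleHolders.ContainsKey($_.ObjectId.ToString()) }

# Preview: full, untruncated list on disk and on screen for review.
$candidates |
    Select-Object UserPrincipalName, DisplayName, ObjectId, LastDirSyncTime, ImmutableId |
    Export-Csv -Path $ReportPath -NoTypeInformation
$candidates | Format-Table UserPrincipalName, DisplayName -Wrap -AutoSize
$protected  | ForEach-Object {
    Write-Warning ("Skipping {0}: holds role '{1}'" -f $_.UserPrincipalName, $roleHolders[$_.ObjectId.ToString()])
}
Write-Host ("{0} account(s) selected for deletion; report written to {1}" -f @($candidates).Count, $ReportPath)

if (-not $Delete) { return }   # preview run: stop here

# Confirmation gate: the operator must type the exact count, not just press Enter.
$answer = Read-Host "Type the number of accounts to delete to confirm"
if ($answer -ne [string]@($candidates).Count) {
    Write-Warning "Confirmation did not match; nothing was deleted."
    return
}

foreach ($user in $candidates) {
    # -Force suppresses the per-user prompt; the list was already reviewed above.
    Remove-MsolUser -ObjectId $user.ObjectId -Force
    Write-Host ("Deleted {0}" -f $user.UserPrincipalName)
}

# Verification: deleted users sit in the recycle bin for 30 days and can be
# restored with Restore-MsolUser -ObjectId <id> if the wrong account was removed.
Get-MsolUser -ReturnDeletedUsers -All |
    Where-Object { $_.UserPrincipalName -like "*@$UpnSuffix" } |
    Select-Object UserPrincipalName, ObjectId
```

Run the script once without -Delete, review the CSV it writes, and only then run it again with -Delete. Matching on ObjectId rather than UserPrincipalName for the role exclusion avoids being fooled by display names or UPN prefixes that merely resemble the admin account.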

1 comment:

Unknown said...

Needed to compose you a very little word to thank you yet again regarding the nice suggestions you've contributed here.
Thank you. Your blog was very helpful and efficient for me. Thanks for sharing the information. Regards, Azure Online Course