Deleting Users in Azure Active Directory (Office365)

Deleting users in Azure Active Directory (Office365) is a more radical action than deprovisioning them.  Every organization’s deprovisioning process differs in at least some small way.  It’s usually something like disabling users and moving them to a special area in your directory.  Then your deprovisioned users are “out of the way” and can be more easily purged later.  Still, deleting can be a handy function even if you delegate it only to yourself or to other administrators.  It can also be used to purge those deprovisioned users who have been hanging out in your directory for a while.

Deleting Users in Azure Active Directory Using PowerShell

The following is an example of a script that deletes a user in Azure Active Directory.  It doesn’t use the old “Msol” PowerShell module, which is now superseded by what Microsoft calls the “V2” PowerShell module (AzureAD).  (See https://docs.microsoft.com/en-us/powershell/module/msonline/?view=azureadps-1.0.)  The script below assumes a valid service account username/password.

Import-Module -Name AzureAD
# Service account credentials (placeholder values). The password is embedded here only for illustration;
# in practice read it from a secret store or prompt with Get-Credential rather than keeping it in the script.
$yourusername = "admin@yourtenant.onmicrosoft.com"
$yourpassword = "Passw0rd1"
$yourtenant = "yourtenant.onmicrosoft.com"
$Office365PasswordEncrypted = ConvertTo-SecureString $yourpassword -AsPlainText -Force
$O365UserCredentials = New-Object System.Management.Automation.PSCredential ($yourusername, $Office365PasswordEncrypted)
$null = Connect-AzureAD -TenantId $yourtenant -Credential $O365UserCredentials
# Attribute/value pairs that identify the user to delete; each pair becomes one "(attribute eq 'value')" clause
$htfilters = @{"userprincipalname" = "user@yourtenant.onmicrosoft.com"}
$ExtensibleParams = ""
$htfilters.GetEnumerator() | ForEach-Object {
    $ExtensibleParams = "{0}({1} eq '{2}') and " -f $ExtensibleParams, $_.Key, $_.Value
}
# Drop the trailing " and " (5 characters) left by the last clause
$ExtensibleParams = $ExtensibleParams.Substring(0, $ExtensibleParams.Length - 5)
Write-Output "Checking for user. Filter: $ExtensibleParams"
$existingobj = Get-AzureADUser -Filter $ExtensibleParams
if ($null -ne $existingobj) {
    Remove-AzureADUser -ObjectId $existingobj.ObjectId
}

The neat part of this script is that the “htfilters” hashtable can be constructed dynamically to find the user to delete.  One of the main limitations of this script is its inability to gather user input, which is what would make it work dynamically.  Delegating execution via a web interface to get input there involves writing a lot of other kinds of code.  Scripts are notoriously difficult to maintain.  Distributing them and trusting others to use them is an entirely different subject.
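As an added example (not code from the original post or from Web Active Directory), here is the same dynamic-filter idea wrapped in functions that address the points a delegated deletion tool has to get right: the value in each filter clause is escaped so a stray quote cannot change the OData filter, the deletion refuses to run when the filter matches more than one account, -WhatIf and a confirmation prompt are supported, and every deletion is written to an audit log.  It assumes the AzureAD module is installed and that Connect-AzureAD has already been run in the session; the function names, parameter names and the log path are my own choices.

```powershell
# Added example: a safer wrapper around Get-AzureADUser / Remove-AzureADUser.
# Assumes an existing Connect-AzureAD session (no stored password in the script).

function New-AadUserFilter {
    # Build an OData filter such as "userPrincipalName eq 'a@b.com' and department eq 'HR'"
    param([Parameter(Mandatory)][hashtable]$Filters)
    $clauses = foreach ($entry in $Filters.GetEnumerator()) {
        # OData string literals are single-quoted; a quote inside a value is doubled
        $value = ([string]$entry.Value) -replace "'", "''"
        "{0} eq '{1}'" -f $entry.Key, $value
    }
    return ($clauses -join ' and ')
}

function Remove-AadUserByFilter {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][hashtable]$Filters,
        # Assumed log location; point this at whatever your audit process collects
        [string]$AuditLog = "$env:TEMP\aad-user-deletions.log"
    )
    $filter = New-AadUserFilter -Filters $Filters
    Write-Verbose "Filter: $filter"
    $found = @(Get-AzureADUser -Filter $filter)

    if ($found.Count -eq 0) {
        Write-Warning "No user matched filter: $filter"
        return
    }
    if ($found.Count -gt 1) {
        # An ambiguous filter must never delete several accounts at once
        throw "Filter matched $($found.Count) users; refusing to delete. Filter: $filter"
    }

    $user = $found[0]
    # ShouldProcess honours -WhatIf and, because ConfirmImpact is High, prompts before deleting
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Remove-AzureADUser')) {
        Remove-AzureADUser -ObjectId $user.ObjectId
        $record = [pscustomobject]@{
            Timestamp = (Get-Date).ToString('o')
            Actor     = (Get-AzureADCurrentSessionInfo).Account.Id   # signed-in account
            Deleted   = $user.UserPrincipalName
            ObjectId  = $user.ObjectId
            Filter    = $filter
        }
        $record | ConvertTo-Json -Compress | Add-Content -Path $AuditLog
    }
}

# Usage: dry run first, then the real deletion (which prompts for confirmation)
# Remove-AadUserByFilter -Filters @{ userPrincipalName = 'user@yourtenant.onmicrosoft.com' } -WhatIf
# Remove-AadUserByFilter -Filters @{ userPrincipalName = 'user@yourtenant.onmicrosoft.com' } -Verbose
```

The audit record is one JSON object per line so it can be shipped to a log collector without further parsing.  Remove-AzureADUser performs a soft delete; Azure AD keeps the account restorable for 30 days (Restore-AzureADMSDeletedDirectoryObject), which is worth knowing before delegating the function to anyone.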

Deleting Users in Azure Active Directory with Web Active Directory’s PeopleUpdate

The web interface, safe delegation, and more are taken care of by PeopleUpdate.  PeopleUpdate is part of PeoplePlatform, a comprehensive identity management solution that works across multiple directory platforms.

For this example, you can construct and configure (without scripting) a user interface to find users on Azure Active Directory and select one or more for deletion.  A history is kept of these actions.  You also have the option of simultaneously deleting users in other systems such as G Suite or Active Directory in real-time without the burden of a sync.  This simultaneous deleting saves a lot of keystrokes.

You can also configure notifications that get sent when these actions are taken.  That way, if you did delegate such a powerful function to someone else, you’d know exactly when and how it was being used.