Share via

Unable to delete CIAM directory resource – tenant never provisioned, cannot elevate permissions, support blades fail

Tim Salmon 30 Reputation points
2026-03-01T17:24:12.53+00:00

I have a CIAM directory resource in my Azure subscription that was created in a failed or incomplete state. The ARM resource exists, but the corresponding Entra tenant never provisioned. Because of this, I cannot switch into the directory, cannot elevate myself to Global Administrator, and cannot delete the resource.

Attempts to delete the CIAM directory resource return:

“(Forbidden) You don’t have access. Only Global Administrators for this directory can manage its settings.”

However, the directory does not appear in my tenant list, and there is no way to become a Global Administrator of it because the tenant itself does not exist.

Additional symptoms:

The Entra portal cannot load support or troubleshooting blades (ErrorLoadingExtensionAndDefinition).

The Azure Portal support request flow fails to load.

I am using a Microsoft Personal Account, and Microsoft no longer allows MSAs to create Entra tenants, so I cannot create a work/school account to open a support ticket.

The resource group cannot be deleted because the CIAM directory resource blocks deletion.

Azure CLI deletion fails with the same “Only Global Administrators…” error.

The CIAM directory does not appear in az account tenant list.

This appears to be a stranded CIAM directory resource that requires backend removal by Microsoft.

Resource ID:

Code

/subscriptions/<pii removed>/resourceGroups/WebTramplerDevInt/providers/Microsoft.AzureActiveDirectory/ciamDirectories/mywebappv3.onmicrosoft.com

Subscription ID: <PII REMOVED>

Could someone from Microsoft please escalate this to the identity engineering team to remove the stranded CIAM directory resource? I cannot delete it through any self-service method.

Thank you.

Microsoft Security | Microsoft Entra | Microsoft Entra External ID

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Gulnaz Mushtaq 490 Reputation points MVP
    2026-03-01T19:46:23.4533333+00:00

    Because the authorization check happens inside the Entra service, not ARM. Only Microsoft backend engineers can resolve this. This requires a Microsoft Support backend ticket routed to Microsoft Entra ID/CIAM Engineering Backend Directory Provisioning Team. It looks like you are using a Microsoft Personal Account, and Microsoft no longer allows MSAs to create Entra tenants. However, there's no need to worry about creating a tenant just to open a subscription support case. Remember, support is linked to the subscription itself, not the tenant.

    How To Open a Support Case Without a Tenant

    Since portal support is failing to load, follow the steps below:

    Open

    https://portal.azure.com/#view/Microsoft_Azure_Support/HelpAndSupportBlade

    If that fails, use

    https://azure.microsoft.com/en-us/support/create-ticket/

    Sign in with your Microsoft account tied to the subscription.

    Select --> Issue type: Technical

    Service: Microsoft Entra ID

    Problem type: CIAM

    Severity: Minimal (or higher if blocking prod)

    If Entra ID is not selectable, choose:

    Service: Subscription Management

    Problem type: Other

    Explain clearly that a CIAM directory ARM resource exists without a provisioned Entra tenant and requires backend removal.

    I hope this works.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.