It’s been a while since I posted last. Basically, I took off the month of May, leaving my role at AvePoint and starting a new role at Avanade in June. Time to catch up on some of my development environments, starting with CRIKEY O’REILLY MY AZURE SPEND !!!
Just kidding, it’s not terrible, but it’s quite a bit higher than I’d expected. But why? I haven’t fired up my sole VM in weeks, and without that, there’s really not a lot of activity.
Waitaminute . . . what’s the techlemode.com contributing to over three-quarters of the spend?
Right. Just before I set off for my May holiday, I’d added a custom domain to my Azure AD. Basically, I wanted to test out logging in to my virtual machine, as well as one of its applications, using a domain identity.
Guess what? It worked. In my simple little development environment, I configured a custom domain name to my Azure AD, and from there was able to use user@techlemode.com identities. Mission accomplished.
What I didn’t know was how much it would cost, and in any case, having tested it out, I didn’t really need it any more. So, just delete, right? Ha ha, nope.
The first step was to role back the primary domain used in Azure AD:
When you set up your domain, there are some steps you take to verify your domain with Azure AD. Apologies for not taking pix of that process, but basically you’ll make some changes to your DNS record, and then verify in the Azure portal. Once that is done, that domain shows up as Verified in Azure Active Directory, under Custom Domain Names.
While multiple domains are available or verified, only one can be the primary. To keep things neat, I rolled back to my onmicrosoft.com as the primary.
Of course, this is after I made sure I didn’t require an @techlemode.com domain to access anything. Since I’d started without it, that was easy.
I was able to delete the Azure AD domain service, but there was one little detail: a separate AADDS Network Security Group (NSG), which added some rules that AADDS needed. Just to keep things clean, I wanted to delete it, but I kept running into this error:
AADDS-techlemode.com-NSG: Network security group /subscriptions/[SUBSCRIPTION-REDACTED]/resourceGroups/demo-purpose/providers/Microsoft.Network/networkSecurityGroups/AADDS-techlemode.com-NSG cannot be deleted because it is in use by the following resources: /subscriptions
[SUBSCRIPTION-REDACTED]/resourceGroups/demo-purpose/providers/Microsoft.Network/virtualNetworks/demo-purpose-vnet/subnets/default. In order to delete the Network security group, remove the association with the resource(s). To learn how to do this, see aka.ms/deletensg. (Code: InUseNetworkSecurityGroupCannotBeDeleted)
I went ’round a few times, looking at it in my resource group. It’s not pictured below, because I took the picture after the fact, but still – if it was listed there, just like the CG-Demo-nsg, why couldn’t I delete it?
Ultimately, I had to dissociate the NSG from the network. That was something I couldn’t do from the NSG, or the Resource Group, or even the virtual network . I had to go to the Network Interface itself – the example here is from a different NSG, but the same basic action.
With that, my experiment with adding a customer domain came to an end.
That said, in my new role at Avanade, I’ll be setting up a new Azure environment and will likely step through the custom domain process again – so you’ll get a chance to see what that looks like.