
Cleanup AzureAD Applications for Azure Stack

Recently, as I was trying out Azure Stack (which, by the way, looks promising to me), I had to repeat the installation more than twice. At one point I had to format the whole machine because only 2 of the 11 required roles (virtual machines) could start up. Since the original setup had already succeeded, including the ability to send usage information to Azure using Azure Stack Bridge, there were two things I needed to clean up before a fresh setup: the Azure AD service principals and the Azure Bridge connection.

Disconnecting the Azure Bridge subscription can be done using the PowerShell command Remove-AzsRegistration as directed here. However, if you cannot run the command because certain roles are not running, or because you have no access to the host machine at all, you can still delete the resource group in Azure.

Unfortunately, as of the time of this writing, there are no instructions about removing the service principals created in the Azure AD tenant. Did Microsoft forget this?

The first time I did the cleanup manually by deleting them one by one. The second time I could not stomach it so I wrote a script.

Things to note

  • The script requires signing in as a user with an administrator role in the tenant; the account must be allowed to update and delete application registrations.
  • The applications Azure Stack creates have multi-tenancy enabled. Azure AD does not allow deleting an application while multi-tenancy is enabled, so it has to be disabled first (the script does this when you pass -DisableMultiTenancy).
  • The script selects applications by display name only (anything matching 'Azure Stack', 'AzureStack' or 'Azure Pack Connector') and deletes every match, so review the list of matches before running it in a tenant that hosts other applications.
  • If you already have the Azure Active Directory blade open in the Azure portal, refresh the whole page after running the script to see the changes.
  • The script can be run from any machine with PowerShell and the AzureAD PowerShell module installed (it uses Connect-AzureAD). This can be your development machine or your host machine.
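Because the cleanup matches on display names alone and deletes whatever it finds, it is worth listing the hits first. The script below is an added example and not part of the original post: it uses the same AzureAD module cmdlets and the same name patterns to report each matching application, whether it still has multi-tenancy enabled (and so would block deletion), and whether a service principal for it still exists in the tenant. The script name and the single TenantId parameter are my own choices.

```powershell
# Added example (not from the original post): preview the applications the
# cleanup script would delete, without changing anything in the tenant.
# Assumes the AzureAD PowerShell module (Connect-AzureAD, Get-AzureADApplication,
# Get-AzureADServicePrincipal) is installed.
Param
(
    [Parameter(Mandatory=$true)]
    [String]
    $TenantId
)

Connect-AzureAD -TenantId $TenantId | Out-Null

# Same names the cleanup script looks for. -match is a regular expression,
# so 'Azure ?Stack' covers both 'Azure Stack' and 'AzureStack'.
$Pattern = 'Azure ?Stack|Azure Pack Connector'

# -All $true: without it Get-AzureADApplication returns only the first page
# of results and may silently miss applications in a larger tenant.
$Apps = @(Get-AzureADApplication -All $true | Where-Object { $_.DisplayName -match $Pattern })

$Report = foreach ($App in $Apps)
{
    # The service principal is the identity the Azure Stack roles actually
    # authenticate as; look it up by AppId to see whether one still exists here.
    $Sp = Get-AzureADServicePrincipal -Filter "appId eq '$($App.AppId)'"

    [PSCustomObject]@{
        DisplayName             = $App.DisplayName
        AppId                   = $App.AppId
        ObjectId                = $App.ObjectId
        AvailableToOtherTenants = $App.AvailableToOtherTenants
        HasServicePrincipal     = [bool]$Sp
    }
}

$Report | Format-Table -AutoSize

# Applications still marked multi-tenant cannot be deleted until they are
# switched to single-tenant, which is what -DisableMultiTenancy does in the cleanup script.
$NeedDisable = @($Report | Where-Object { $_.AvailableToOtherTenants }).Count
Write-Host "$($Apps.Count) application(s) matched; $NeedDisable still multi-tenant and must be set to single-tenant before removal."
Write-Host "Check that every DisplayName above belongs to the Azure Stack installation before running the cleanup."
```

Run it the same way as the cleanup script (.\PreviewAzureStackApps.ps1 -TenantId contoso.onmicrosoft.com); if any listed application is not one Azure Stack created, tighten the pattern before deleting anything.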

The script

Param
(
    # Tenant to sign in to, e.g. contoso.onmicrosoft.com
    [Parameter(Mandatory=$true)]
    [String]
    $TenantId,

    # Azure AD refuses to delete an application that is still multi-tenant,
    # so pass this switch to set each match to single-tenant before removal.
    [switch]
    $DisableMultiTenancy
)

Connect-AzureAD -TenantId $TenantId

Write-Host "Finding applications matching 'Azure Stack' or 'AzureStack' or 'Azure Pack Connector'"
# -All $true: by default Get-AzureADApplication returns only the first page of results.
# @() forces an array so .Count is correct when there are zero or one matches.
$Apps = @(Get-AzureADApplication -All $true | Where-Object {
        ($_.DisplayName -match 'Azure Stack') -or
        ($_.DisplayName -match 'AzureStack') -or
        ($_.DisplayName -match 'Azure Pack Connector')
    })

$ToRemoveCount = $Apps.Count
Write-Host "Found $ToRemoveCount apps to remove"

if ($ToRemoveCount -gt 0)
{
    if ($DisableMultiTenancy)
    {
        Write-Host "Disabling multi-tenancy ..."
        $Apps | ForEach-Object { Set-AzureADApplication -ObjectId $_.ObjectId -AvailableToOtherTenants $false }
    }

    Write-Host "Removing applications ..."
    # Deleting an application registration also removes its service principal from this tenant.
    $Apps | ForEach-Object { Remove-AzureADApplication -ObjectId $_.ObjectId }
}

Write-Host "Completed!"

Running the script

Assuming you have saved the script locally on your machine:

  1. Open a PowerShell window
  2. Navigate to the folder where you saved the script
  3. Execute the command below:
# Set the tenant id, e.g. contoso.onmicrosoft.com or contoso.com
$TenantId = "<yourtenant>.onmicrosoft.com"
.\MyScriptName.ps1 -TenantId $TenantId -DisableMultiTenancy

You will be prompted to sign in to your tenant with an account that has administrative rights. You should expect output similar to the following (the number of applications found will depend on your tenant):

Finding applications matching 'Azure Stack' or 'AzureStack' or 'Azure Pack Connector'
Found 18 apps to remove
Disabling multi-tenancy ...
Removing applications ...
Completed!

That's all. Happy hacking!