
When you deploy Azure Stack in a connected scenario with Azure Active Directory (AAD), a set of applications is registered in Azure AD for you.

If you are an Azure Stack administrator who constantly tries new things, especially with the Azure Stack Development Kit (ASDK), you end up with a large number of Azure Stack AD applications in the Azure portal, similar to the screenshot below:

Every time you deploy Azure Stack, 18 applications are created in Azure Active Directory:

  • Azure Stack
  • Azure Stack – Administration
  • Azure Stack – Bridge
  • Azure Stack – Compute
  • Azure Stack – Deployment
  • Azure Stack – Hubs
  • Azure Stack – Hubs Management
  • Azure Stack – KeyVault
  • Azure Stack – KeyVault Internal
  • Azure Stack – Monitoring
  • Azure Stack – Monitoring Management
  • Azure Stack – Policy
  • Azure Stack – Policy Management
  • Azure Stack – Portal
  • Azure Stack – Portal Management
  • Azure Stack – RBAC
  • Azure Stack – RBAC Management
  • Azure Pack Connector

You may want to clean up the old and unused Azure Stack AD applications from your Azure AD tenant. In my case, I wanted to delete all of them.

In this quick guide, I’ll show you how to identify which Azure Stack AD applications belong to your current Azure Stack installation, and then remove the ones left over from old deployments.

WARNING! The steps below are not officially supported and are provided without warranty of any kind. Contact Microsoft for official support.

In Step 1, we need to find the Deployment ID of the Azure Stack deployment that is currently in use.

On the Azure Stack Development Kit (ASDK), open an elevated PowerShell console on the Hyper-V host (the ASDK host itself) and run the following commands. On Azure Stack integrated systems, you must work with Microsoft Support to get access to the ERCS VM (the privileged endpoint).

#Step 1 - Find the current Azure Stack Deployment ID
# AzureStack\AzureStackAdmin is the ASDK domain administrator account
$cred = Get-Credential -Credential 'AzureStack\AzureStackAdmin'

# Pick the IPv4 address of the ERCS VM (the adapter reports IPv6 addresses as well)
$ErcsVM = (Get-VM -Name 'AzS-ERCS*' | Get-VMNetworkAdapter).IPAddresses |
    Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } | Select-Object -First 1

# Connect to the privileged endpoint, a constrained (JEA) session configuration
$Session = New-PSSession -ComputerName $ErcsVM -ConfigurationName PrivilegedEndpoint -Credential $cred

Invoke-Command -Session $Session -ScriptBlock {
    Get-AzureStackStampInformation
    # Note the DeploymentID in the output, e.g. 15f21183-07e8-4b74-9b6f-09f1ab6aa710
}

Get-PSSession | Remove-PSSession

The output looks similar to the following; your DeploymentID will be different.

[Screenshot 2: Removing AzureStack AD Applications from Azure Active Directory with PowerShell]

In Step 2, sign in to Azure and identify which Azure AD applications the current Azure Stack deployment uses.

Open an elevated PowerShell console and run the following commands. Be sure to update “https://*/DeploymentID” to match the DeploymentID you noted in Step 1.

#Step 2 - Use the DeploymentID to identify which Azure Stack AD applications are in use and which are not
Login-AzureRmAccount -EnvironmentName "AzureCloud"
$AADApp = Get-AzureRmADApplication
# Applications registered by the current deployment carry its DeploymentID at the end of their identifier URI
$AADApp | Where-Object {$_.IdentifierUris -like "https://*/15f21183-07e8-4b74-9b6f-09f1ab6aa710"} | Format-Table DisplayName, IdentifierUris

The output looks similar to the following.

[Screenshot 3]

If you want to identify the old Azure Stack AD applications that are NOT in use by the current deployment, run the following command. Note that the display-name filter is deliberately broad (any name containing “Stack” or “Pack”), so review the list before acting on it:

# "-not (... -like ...)" instead of "-notlike": IdentifierUris is a collection, and this form only
# flags an application when none of its identifier URIs carries the current DeploymentID
$AADApp | Where-Object { -not ($_.IdentifierUris -like "https://*/15f21183-07e8-4b74-9b6f-09f1ab6aa710") -and ($_.DisplayName -match "Stack" -or $_.DisplayName -match "Pack") } | Format-Table DisplayName, IdentifierUris

In the final step, we remove the older Azure Stack AD applications.

Azure Stack registers its AD applications as multi-tenant (AvailableToOtherTenants), which makes them available to other tenants, as shown in the following screenshot.

[Screenshot 4]

Before removing such an application, we need to set its AvailableToOtherTenants property to $false; otherwise, you will receive an error message similar to:

Remove-AzureRmADApplication: Removing multiple tenant applications is not currently supported.

Open an elevated PowerShell console and run the following commands. Be sure to update “https://*/DeploymentID” to match the DeploymentID you noted in Step 1.

#Step 3 - Remove all Azure Stack AD Applications that are not in use anymore
$AADApp = Get-AzureRmADApplication
$AppsToRemove = $AADApp | Where-Object { -not ($_.IdentifierUris -like "https://*/15f21183-07e8-4b74-9b6f-09f1ab6aa710") -and ($_.DisplayName -match "Stack" -or $_.DisplayName -match "Pack") }

# List the AD Applications to be sure you are removing the desired Apps only
$AppsToRemove | Format-Table DisplayName, IdentifierUris, ObjectId

# Remove AzureStack AD Applications
foreach ($App in $AppsToRemove)
{
  # Multi-tenant applications cannot be removed directly, so clear the flag first
  Set-AzureRmADApplication -ObjectId $App.ObjectId -AvailableToOtherTenants $false
  Remove-AzureRmADApplication -ObjectId $App.ObjectId -Force -Confirm:$false
}
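The three steps above, combined into a single script as an added example (this is not code from the original post). It assumes the AzureRM module is installed; that, when no -DeploymentID is passed, it runs on an ASDK host where the Hyper-V cmdlets can reach the ERCS VM; and that every Azure Stack application’s display name starts with “Azure Stack” or “Azure Pack”, which is what the anchored name filter relies on. The -Remove switch, the Get-CurrentDeploymentId and Test-BelongsToDeployment helpers and the 18-application sanity check are my additions, not part of Azure Stack or the original procedure. Nothing is deleted unless -Remove is given.

```powershell
<#
  Added example, not code from the original post. Reads the DeploymentID from the
  ASDK privileged endpoint (or accepts it as a parameter), classifies the Azure Stack
  AD applications by it, and removes the stale ones only when -Remove is given.
  Assumes the AzureRM module and, for the automatic lookup, an ASDK host with the
  Hyper-V cmdlets available.
#>
param(
    # Leave empty on an ASDK host to read it from the privileged endpoint (Step 1).
    [string]$DeploymentID,
    # Dry run by default; pass -Remove to actually delete stale applications.
    [switch]$Remove
)

function Get-CurrentDeploymentId {
    # Step 1: ask the ERCS (privileged endpoint) VM for the stamp information.
    $cred = Get-Credential -Credential 'AzureStack\AzureStackAdmin'
    $ercsIp = (Get-VM -Name 'AzS-ERCS*' | Get-VMNetworkAdapter).IPAddresses |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' } | Select-Object -First 1
    $session = New-PSSession -ComputerName $ercsIp -ConfigurationName PrivilegedEndpoint -Credential $cred
    try {
        $stamp = Invoke-Command -Session $session -ScriptBlock { Get-AzureStackStampInformation }
        return [string]$stamp.DeploymentID
    } finally {
        Remove-PSSession $session
    }
}

function Test-BelongsToDeployment {
    param([object]$App, [string]$Id)
    # IdentifierUris is a collection; '-like' on a collection returns the matching
    # elements rather than a boolean, so count them. This also handles applications
    # with more than one identifier URI, which a plain '-notlike' would misclassify.
    return (@($App.IdentifierUris) -like "https://*/$Id").Count -gt 0
}

if (-not $DeploymentID) { $DeploymentID = Get-CurrentDeploymentId }
if ($DeploymentID -notmatch '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$') {
    throw "DeploymentID '$DeploymentID' is not a GUID; refusing to continue."
}

Login-AzureRmAccount -EnvironmentName 'AzureCloud' | Out-Null

# Anchored name filter (assumption): tighter than -match 'Stack', which would also
# catch any unrelated application whose display name merely contains the word.
$StackApps = Get-AzureRmADApplication | Where-Object { $_.DisplayName -match '^Azure (Stack|Pack)\b' }
$InUse = @($StackApps | Where-Object { Test-BelongsToDeployment $_ $DeploymentID })
$Stale = @($StackApps | Where-Object { -not (Test-BelongsToDeployment $_ $DeploymentID) })

"In use for deployment $DeploymentID ($($InUse.Count)):"
$InUse | Format-Table DisplayName, IdentifierUris -AutoSize
"Stale ($($Stale.Count)):"
$Stale | Format-Table DisplayName, IdentifierUris, ObjectId -AutoSize

# One deployment registers 18 applications; any other count deserves a look before
# deleting anything, because it usually means the DeploymentID is wrong.
if ($InUse.Count -ne 18) {
    Write-Warning "Expected 18 in-use applications, found $($InUse.Count). Check the DeploymentID."
}

if (-not $Remove) {
    "Dry run only. Re-run with -Remove to delete the $($Stale.Count) stale application(s)."
    return
}

foreach ($App in $Stale) {
    try {
        # Multi-tenant applications cannot be removed directly; clear the flag first.
        Set-AzureRmADApplication -ObjectId $App.ObjectId -AvailableToOtherTenants $false | Out-Null
        Remove-AzureRmADApplication -ObjectId $App.ObjectId -Force -Confirm:$false
        "Removed $($App.DisplayName) ($($App.ObjectId))"
    } catch {
        Write-Warning "Failed to remove $($App.DisplayName): $_"
    }
}
```

Save it under any name you like (for instance Remove-StaleAzureStackApps.ps1, a name chosen here for illustration), run it once without -Remove to review the in-use and stale lists, and only then run it again with -Remove.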

If you switch back to the Azure portal now, you will see only the 18 applications that belong to the current deployment.

[Screenshot 5]

Hopefully this will help!

Thanks for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
