How To Remove #AzureStack AD Applications From #Azure Active Directory with #PowerShell #AzureAD #ASDK



When you setup Azure Stack in a connected scenario with Azure Active Directory (AAD), you get several applications registered in Azure AD.

If you are an Azure Stack admin that is constantly trying out new things, and especially using Azure Stack Development Kit (ASDK), you will end-up with multiple Azure Stack AD Applications from previous deployments in the Azure Portal similar to the screenshot below:

Each time you deploy Azure Stack, the deployment will create 18 Applications in Azure Active Directory as follows:

  • Azure Stack
  • Azure Stack – Administration
  • Azure Stack – Bridge
  • Azure Stack – Compute
  • Azure Stack – Deployment
  • Azure Stack – Hubs
  • Azure Stack – Hubs Administration
  • Azure Stack – KeyVault
  • AzureStack KeyVault Internal
  • Azure Stack – Monitoring
  • Azure Stack – Monitoring Administration
  • Azure Stack – Policy
  • Azure Stack – Policy Administration
  • Azure Stack – Portal
  • Azure Stack – Portal Administration
  • Azure Stack – RBAC
  • Azure Stack – RBAC Administration
  • Azure Pack Connector

You may want to clean up old and unused Azure AD applications in your development tenant. In my case, I wanted to remove every single one.

In this quick blog post, I will show you how to identify which Azure Stack AD applications belong to the current Azure Stack deployment, and finally remove the old deployments.

WARNING! The details below are not officially supported and provided without warranty of any kind. Please contact Microsoft for official support.

Get the current Azure Stack Deployment

In Step 1, we need to find the latest Azure Stack Deployment ID that is currently in use.

For Azure Stack Development Kit (ASDK), open an elevated PowerShell console on the Hyper-V host and run the following commands. For Azure Stack Integrated Systems, you need to work with Microsoft support to get access to the Privileged Endpoint (ERCS) VM.

#Step 1 - Find the current Azure Stack Deployment ID
$cred = (Get-Credential -Credential AzureStack\AzureStackAdmin)
# Pick the IPv4 address of the ERCS VM from its network adapter
$ErcsVM = (Get-VM -Name AzS-ERCS* | Get-VMNetworkAdapter).IPAddresses | where { $_ -match "\." }
$Session = New-PSSession -ComputerName $ErcsVM -ConfigurationName PrivilegedEndpoint -Credential $cred

Invoke-Command -Session $Session -ScriptBlock {
    # Run the privileged endpoint command that reports the stamp information here
    # and note the DeploymentID in its output, e.g. 15f21183-07e8-4b74-9b6f-09f1ab6aa710
}

# Close the privileged endpoint session
Get-PSSession | Remove-PSSession

The output will look something similar to this one, but the DeploymentID will be different.

Identify Azure Stack AD Applications

In step 2, you need to login to Azure AD and identify what AD Applications are being used by Azure Stack.

Open an elevated PowerShell console and run the following command. Make sure to update “https://*/DeploymentID” to match your deployment.

#Step 2 - Use the DeploymentID to identify what Azure Stack AD Applications are being used and which are not
Login-AzureRmAccount -EnvironmentName "AzureCloud"
$AADApp = Get-AzureRmADApplication
$AADApp | Where-Object {$_.IdentifierUris -like "https://*/15f21183-07e8-4b74-9b6f-09f1ab6aa710"} | Format-Table DisplayName, IdentifierUris

The output will look something similar to this one.

If you want to identify the old Azure Stack AD Applications that are NOT currently being used, you can run the following command:

$AADApp | Where-Object {($_.IdentifierUris -notlike "https://*/15f21183-07e8-4b74-9b6f-09f1ab6aa710" -and $_.DisplayName -match "Stack") -or ($_.IdentifierUris -notlike "https://*/15f21183-07e8-4b74-9b6f-09f1ab6aa710" -and $_.DisplayName -match "Pack")} | Format-Table DisplayName, IdentifierUris

Remove Azure Stack AD Applications

In the last step, we need to remove and delete the older Azure Stack AD Applications.

Azure Stack uses AD applications that are configured for multi-tenancy support, so they are available for other tenants to use, as shown in the following screenshot.

Before deleting them, we need to set the AvailableToOtherTenants parameter to False; otherwise you will receive an error message similar to this one:

Remove-AzureRmADApplication : Deletion of multi-tenant application is currently not supported.

Open an elevated PowerShell console and run the following command. Make sure to update “https://*/DeploymentID” to match your deployment.

#Step 3 - Remove all Azure Stack AD Applications that are not in use anymore
$AADApp = Get-AzureRmADApplication
$AppsToRemove = $AADApp | Where-Object {($_.IdentifierUris -notlike "https://*/15f21183-07e8-4b74-9b6f-09f1ab6aa710" -and $_.DisplayName -match "Stack") -or ($_.IdentifierUris -notlike "https://*/15f21183-07e8-4b74-9b6f-09f1ab6aa710" -and $_.DisplayName -match "Pack")}

# List the AD Applications to be sure you are removing the desired Apps only
$AppsToRemove | Format-Table DisplayName, IdentifierUris, ObjectId

# Remove AzureStack AD Applications
foreach ($App in $AppsToRemove) {
  # Multi-tenant applications cannot be deleted, so clear the flag first
  Set-AzureRmADApplication -ObjectId $App.ObjectId -AvailableToOtherTenants $false
  Remove-AzureRmADApplication -ObjectId $App.ObjectId -Force -Confirm:$false
}
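As an added example that is not part of the original post, steps 2 and 3 can be wrapped in one function that validates the DeploymentID as a GUID, lists the stale applications before touching anything, and honours -WhatIf and -Confirm so nothing is deleted by accident. The function name is my own; it assumes the AzureRM module and an existing Login-AzureRmAccount session.

```powershell
function Remove-StaleAzureStackADApplication {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # DeploymentID of the deployment that must be kept (from Step 1)
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')]
        [string] $CurrentDeploymentId
    )

    $keepUri = "https://*/$CurrentDeploymentId"

    # Same selection as Step 2: Azure Stack / Azure Pack apps whose identifier URI
    # does not end with the current DeploymentID. IdentifierUris is an array, so
    # "-like" returns the matching elements; an empty result means "not in use".
    $stale = Get-AzureRmADApplication | Where-Object {
        ($_.DisplayName -match 'Stack' -or $_.DisplayName -match 'Pack') -and
        -not ($_.IdentifierUris -like $keepUri)
    }

    if (-not $stale) {
        Write-Verbose "No stale Azure Stack applications found."
        return
    }

    # Always show what is about to be removed before any change is made
    $stale | Format-Table DisplayName, IdentifierUris, ObjectId | Out-Host

    foreach ($app in $stale) {
        # ShouldProcess gives -WhatIf / -Confirm behaviour per application
        if ($PSCmdlet.ShouldProcess($app.DisplayName, 'Remove Azure AD application')) {
            # Multi-tenant applications cannot be deleted, so clear the flag first
            Set-AzureRmADApplication -ObjectId $app.ObjectId -AvailableToOtherTenants $false | Out-Null
            Remove-AzureRmADApplication -ObjectId $app.ObjectId -Force
        }
    }
}

# Dry run first, then the real removal with a confirmation prompt per application
Remove-StaleAzureStackADApplication -CurrentDeploymentId '15f21183-07e8-4b74-9b6f-09f1ab6aa710' -WhatIf
Remove-StaleAzureStackADApplication -CurrentDeploymentId '15f21183-07e8-4b74-9b6f-09f1ab6aa710'
```

Add -Confirm:$false to the second call only once the -WhatIf output lists exactly the applications you expect to lose.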

If you switch back to the Azure Portal now, you will see only 18 Applications.

Hope this helps!

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
