Introduction
When you set up Azure Stack in a connected scenario with Azure Active Directory (AAD), the deployment registers several applications in your Azure AD tenant.
If you are an Azure Stack admin who is constantly trying out new things, especially with the Azure Stack Development Kit (ASDK), you will end up with multiple sets of Azure Stack AD applications from previous deployments in the Azure Portal, similar to the screenshot below:
Each time you deploy Azure Stack, the deployment will create 18 Applications in Azure Active Directory as follows:
- Azure Stack
- Azure Stack – Administration
- Azure Stack – Bridge
- Azure Stack – Compute
- Azure Stack – Deployment
- Azure Stack – Hubs
- Azure Stack – Hubs Administration
- Azure Stack – KeyVault
- AzureStack KeyVault Internal
- Azure Stack – Monitoring
- Azure Stack – Monitoring Administration
- Azure Stack – Policy
- Azure Stack – Policy Administration
- Azure Stack – Portal
- Azure Stack – Portal Administration
- Azure Stack – RBAC
- Azure Stack – RBAC Administration
- Azure Pack Connector
You may want to clean up old and unused Azure AD applications in your development tenant. In my case, I wanted to remove every single one.
In this quick blog post, I will show you how to identify which Azure Stack AD applications belong to the current Azure Stack deployment, and then remove the applications left behind by old deployments.
WARNING! The details below are not officially supported and provided without warranty of any kind. Please contact Microsoft for official support.
Get the current Azure Stack Deployment
In Step 1, we need to find the latest Azure Stack Deployment ID that is currently in use.
For the Azure Stack Development Kit (ASDK), open an elevated PowerShell console on the Hyper-V host and run the following commands:
For Azure Stack Integrated Systems, you need to work with Microsoft support to get access to the Privileged Endpoint, which is hosted on the ERCS VM.
#Step 1 - Find the current Azure Stack Deployment ID
$cred = Get-Credential -Credential AzureStack\AzureStackAdmin
# Pick the IPv4 address of the ERCS VM that hosts the Privileged Endpoint
$ErcsVM = (Get-VM -Name AzS-ERCS* | Get-VMNetworkAdapter).IPAddresses | Where-Object { $_ -match "\." }
$Session = New-PSSession -ComputerName $ErcsVM -ConfigurationName PrivilegedEndpoint -Credential $cred
Invoke-Command -Session $Session -ScriptBlock {
    Get-AzureStackStampInformation
    # Note the DeploymentID in the output, e.g. 15f21183-07e8-4b74-9b6f-09f1ab6aa710
}
# Close the Privileged Endpoint session when done
Remove-PSSession -Session $Session
The output will look something similar to this one, but the DeploymentID will be different.
Identify Azure Stack AD Applications
In Step 2, you need to log in to Azure AD and identify which AD applications are being used by the current Azure Stack deployment.
Open an elevated PowerShell console and run the following commands. Make sure to update “https://*/DeploymentID” to match the DeploymentID you noted in Step 1.
#Step 2 - Use the DeploymentID to identify which Azure Stack AD Applications are in use and which are not
Login-AzureRmAccount -EnvironmentName "AzureCloud"
$AADApp = Get-AzureRmADApplication
# Applications whose identifier URI ends with the current DeploymentID belong to the live deployment
$AADApp | Where-Object { $_.IdentifierUris -like "https://*/15f21183-07e8-4b74-9b6f-09f1ab6aa710" } | Format-Table DisplayName, IdentifierUris
The output will look something similar to this one.
If you want to identify the old Azure Stack AD applications that are NOT currently being used, run the following command. Review the list carefully: the DisplayName filter matches any application whose name contains "Stack" or "Pack", not only Azure Stack registrations.
# Old applications: name matches Stack/Pack but the identifier URI does not carry the current DeploymentID
$AADApp | Where-Object {
    $_.IdentifierUris -notlike "https://*/15f21183-07e8-4b74-9b6f-09f1ab6aa710" -and
    ($_.DisplayName -match "Stack" -or $_.DisplayName -match "Pack")
} | Format-Table DisplayName, IdentifierUris
Remove Azure Stack AD Applications
In the last step, we remove the older Azure Stack AD applications.
Azure Stack uses AD applications that are configured for multi-tenancy, so they are available to other tenants, as shown in the following screenshot.
Azure AD refuses to delete an application while it is multi-tenant, so we first set the AvailableToOtherTenants parameter to False; otherwise you will receive an error message similar to this one:
Remove-AzureRmADApplication : Deletion of multi-tenant application is currently not supported.
Open an elevated PowerShell console and run the following commands. Make sure to update “https://*/DeploymentID” to match your current deployment; anything that does not carry that ID and matches the name filter will be deleted.
#Step 3 - Remove all Azure Stack AD Applications that are not in use anymore
$AADApp = Get-AzureRmADApplication
$AppsToRemove = $AADApp | Where-Object {
    $_.IdentifierUris -notlike "https://*/15f21183-07e8-4b74-9b6f-09f1ab6aa710" -and
    ($_.DisplayName -match "Stack" -or $_.DisplayName -match "Pack")
}
# List the AD Applications to be sure you are removing the desired Apps only
$AppsToRemove | Format-Table DisplayName, IdentifierUris, ObjectId
# Remove the old Azure Stack AD Applications
foreach ($App in $AppsToRemove) {
    # Multi-tenant applications cannot be deleted directly, so clear the flag first
    Set-AzureRmADApplication -ObjectId $App.ObjectId -AvailableToOtherTenants $false
    Remove-AzureRmADApplication -ObjectId $App.ObjectId -Force -Confirm:$false
}
If you switch back to the Azure Portal now, you will see only the 18 applications that belong to the current deployment.
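As an added example that is not part of the original post, the script below ties the three steps together with a safety check. It groups every Azure Stack and Azure Pack Connector registration by the DeploymentID parsed from its identifier URI, refuses to delete anything unless the supplied ID maps to the full set of 18 current registrations (so a mistyped ID cannot turn the live deployment into "stale" apps), reports registrations whose URI carries no DeploymentID instead of deleting them, and supports -WhatIf and -Confirm so you can preview before deleting. It assumes the AzureRM module and an existing Login-AzureRmAccount session; the 18-per-deployment count and the "https://<host>/<DeploymentID>" URI shape are taken from this post, and Get-AzureStackAppInventory and Remove-StaleAzureStackApps are names chosen for this example, not cmdlets that ship with Azure Stack.

```powershell
# Added example, not code from the original post. Assumes the AzureRM module and an existing
# Login-AzureRmAccount session against the tenant that holds the Azure Stack registrations.
# The DeploymentID is read from the last segment of each app's identifier URI, i.e.
# "https://<host>/<DeploymentID>", the same shape the post filters on.

$ExpectedAppsPerDeployment = 18   # assumption taken from the list of registrations in the post

function Get-AzureStackAppInventory {
    # Return one record per Azure Stack / Azure Pack Connector app registration, tagged with the
    # DeploymentID parsed from its identifier URI ($null when no GUID segment is present).
    $guidSegment = '/(?<id>[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$'
    $apps = Get-AzureRmADApplication | Where-Object { $_.DisplayName -match 'Stack|Pack' }
    foreach ($app in $apps) {
        $uri = @($app.IdentifierUris) | Where-Object { $_ -match $guidSegment } | Select-Object -First 1
        $id  = if ($uri -and $uri -match $guidSegment) { $Matches['id'].ToLower() } else { $null }
        [pscustomobject]@{
            DisplayName   = $app.DisplayName
            ObjectId      = $app.ObjectId
            DeploymentId  = $id
            IdentifierUri = $uri
        }
    }
}

function Remove-StaleAzureStackApps {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')]
        [string]$CurrentDeploymentId
    )
    $currentId = $CurrentDeploymentId.ToLower()
    $inventory = @(Get-AzureStackAppInventory)
    $current   = @($inventory | Where-Object { $_.DeploymentId -eq $currentId })
    $unknown   = @($inventory | Where-Object { -not $_.DeploymentId })
    $stale     = @($inventory | Where-Object { $_.DeploymentId -and $_.DeploymentId -ne $currentId })

    # Safety check: a mistyped ID must not make the live deployment look "stale".
    if ($current.Count -ne $ExpectedAppsPerDeployment) {
        throw "Expected $ExpectedAppsPerDeployment registrations for DeploymentID $currentId, found $($current.Count). Aborting."
    }
    # Registrations whose URI carries no DeploymentID are reported here, never deleted.
    foreach ($app in $unknown) {
        Write-Warning "Skipping $($app.DisplayName) ($($app.ObjectId)): no DeploymentID in identifier URI"
    }
    $stale | Group-Object DeploymentId | ForEach-Object {
        Write-Verbose ("Old DeploymentID {0}: {1} app(s)" -f $_.Name, $_.Count)
    }

    foreach ($app in $stale) {
        if ($PSCmdlet.ShouldProcess("$($app.DisplayName) [$($app.ObjectId)]", 'Remove Azure AD application')) {
            # Multi-tenant apps cannot be deleted directly; clear the flag first, as in the post.
            Set-AzureRmADApplication -ObjectId $app.ObjectId -AvailableToOtherTenants $false | Out-Null
            Remove-AzureRmADApplication -ObjectId $app.ObjectId -Force
        }
    }
    return $stale
}

# Usage: preview first, then delete.
# Remove-StaleAzureStackApps -CurrentDeploymentId '15f21183-07e8-4b74-9b6f-09f1ab6aa710' -WhatIf -Verbose
# Remove-StaleAzureStackApps -CurrentDeploymentId '15f21183-07e8-4b74-9b6f-09f1ab6aa710' -Confirm:$false
```

Run it once with -WhatIf and -Verbose to see the per-deployment counts and the exact objects that would be removed; only when that list matches what you expect should you run it with -Confirm:$false. Because the function declares ConfirmImpact High, the default run prompts for every deletion.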
Hope this helps!
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.
-Charbel Nemnom-