In This Article

Introduction

When you setup Azure Stack in a connected scenario with Azure Active Directory (AAD), you get several applications registered in Azure AD.

If you are an Azure Stack admin that is constantly trying out new things, and especially using Azure Stack Development Kit (ASDK), you will end-up with multiple Azure Stack AD Applications from previous deployments in the Azure Portal similar to the screenshot below:

Each time you deploy Azure Stack, the deployment will create 18 Applications in Azure Active Directory as follows:

Azure Stack
Aure Stack – Administration
Azure Stack – Bridge
Azure Stack – Compute
Azure Stack – Deployment
Azure Stack – Hubs
Azure Stack – Hubs Administration
Azure Stack – KeyVault
AzureStack KeyVault Internal
Azure Stack – Monitoring
Azure Stack – Monitoring Administration
Azure Stack – Policy
Azure Stack – Policy Administration
Azure Stack – Portal
Azure Stack – Portal Administration
Azure Stack – RBAC
Azure Stack – RBAC Administration
Azure Pack Connector

You may want to clean up old and unused Azure AD applications in your development tenant. In my case, I wanted to remove every single one.

In this quick blog post, I will show you how to identify which Azure Stack AD applications belong to the current Azure Stack deployment, and finally remove the old deployments.

WARNING! The details below are not officially supported and provided without warranty of any kind. Please contact Microsoft for official support.

Get the current Azure Stack Deployment

In Step 1, we need to find the latest Azure Stack Deployment ID that is currently in use.

For Azure Stack Development Kit (ASDK), you need to open an elevated PowerShell console and run the following command on the Hyper-V host:

As for Azure Stack Integrated Systems, you need to work with Microsoft support to get access on the Privilege Endpoint (ERC) VM.

#Step 1 - Find the current Azure Stack Deployment ID
$cred = (Get-Credential -Credential AzureStack\AzureStackAdmin)
$ErcsVM = (Get-VM -Name AzS-ERCS* | Get-VMNetworkAdapter).IPAddresses | where { $_ -match "\." }
$Session = New-PSSession -ComputerName $ErcsVM -ConfigurationName PrivilegedEndpoint -Credential $cred

Invoke-Command -Session $Session -ScriptBlock {
Get-AzureStackStampInformation
#Note the DeploymentID output E.g. 15f21183-07e8-4b74-9b6f-09f1ab6aa710
}

Get-PSSession | Remove-PSSession

The output will look something similar to this one, but the DeploymentID will be different.

Identify Azure Stack AD Applications

In step 2, you need to login to Azure AD and identify what AD Applications are being used by Azure Stack.

Open an elevated PowerShell console and run the following command. Make sure to update “https://*/DeploymentID” to match your deployment.

#Step 2 - Use the DeploymentID to identify what Azure Stack AD Applications are being used and which are not
Login-AzureRmAccount -EnvironmentName "AzureCloud"
$AADApp = Get-AzureRmADApplication
$AADApp | Where-Object {$_.IdentifierUris -like "https://*/15f21183-07e8-4b74-9b6f-09f1ab6aa710"} | Format-Table DisplayName, IdentifierUris

The output will look something similar to this one.

If you want to identify the old Azure Stack AD Applications that are NOT currently being used, you can run the following command:

$AADApp | Where-Object {($_.IdentifierUris -notlike "https://*/15f21183-07e8-4b74-9b6f-09f1ab6aa710" -and $_.DisplayName -match "Stack") -or ($_.IdentifierUris -notlike "https://*/15f21183-07e8-4b74-9b6f-09f1ab6aa710" -and $_.DisplayName -match "Pack")} | Format-Table DisplayName, IdentifierUris

Remove Azure Stack AD Applications

In the last step, we need to remove and delete the older Azure Sack AD Applications.

Azure Stack use AD applications that are configured for multi-tenancy support, and they are available for other tenants to be used as shown in the following screenshot.

In order to do so, we need to set AvailableToOtherTenants parameter to False otherwise you will receive an error message similar to this one:

Remove-AzureRmADApplication : Deletion of multi-tenant application is currently not supported.

Open an elevated PowerShell console and run the following command. Make sure to update “https://*/DeploymentID” to match your deployment.

#Step 3 - Remove all Azure Stack AD Applications that are not in use anymore
$AADApp = Get-AzureRmADApplication
$AppsToRemove = $AADApp | Where-Object {($_.IdentifierUris -notlike "https://*/15f21183-07e8-4b74-9b6f-09f1ab6aa710" -and $_.DisplayName -match "Stack") -or ($_.IdentifierUris -notlike "https://*/15f21183-07e8-4b74-9b6f-09f1ab6aa710" -and $_.DisplayName -match "Pack"}

# List the AD Applications to be sure you are removing the desired Apps only 
$AppsToRemove | Format-Table DisplayName, IdentifierUris, ObjectId

# Remove AzureStack AD Applications 
foreach ($App in $AppsToRemove)
{
  Set-AzureRmADApplication -ObjectId $App.ObjectId -AvailableToOtherTenants $false
  Remove-AzureRmADApplication -ObjectId $App.ObjectId -Force -Confirm:$false
}

If you switch back to the Azure Portal now, you will see only 18 Applications.

Hope this helps!

__
Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-

How To Remove #AzureStack AD Applications From Azure Active Directory with PowerShell #AzureAD #ASDK

Share this post:

Introduction

Get the current Azure Stack Deployment

Identify Azure Stack AD Applications

Remove Azure Stack AD Applications

Let me know what you think, or ask a question... Cancel reply

Share this post:

Introduction

Get the current Azure Stack Deployment

Identify Azure Stack AD Applications

Remove Azure Stack AD Applications

How To Create Recovery Services Vault in Azure with PowerShell #AzureBackup #CDCGermany

How To Backup SQL Server Named Instance To Azure Blob Storage #Azure #SQLServer #AzureStorage

Let me know what you think, or ask a question... Cancel reply

Subscribe to Stay in Touch

Never miss out on your favorite posts and our latest announcements!