This article describes how to delete the AD application previously created in Azure. Like the registration module, the module Unregister-Cloudaware is executed in Azure Cloud Shell.

Prepare the environment where the module will be executed

  1. Log in to Azure portal.

  2. Click the Cloud Shell button in the menu bar. Select PowerShell.

  3. Log in to Azure using the command below. The user must have the role 'Global Administrator' assigned at the Azure AD level. This is the most privileged directory role, so sign in with the dedicated administrative account (activated through PIM if your tenant uses it) rather than granting the role permanently to an everyday account:

    az login
    POWERSHELL

  4. Download the file Unregister-Cloudaware.ps1 into a working directory. Review the downloaded script before the next step: importing it executes its code in a session that holds Global Administrator credentials.

    mkdir cloudaware
    cd cloudaware
    curl -LJO https://raw.githubusercontent.com/cloudaware/public-utilities/master/PowerShell%20modules/Unregister-Cloudaware.ps1
    POWERSHELL

  5. Import the module Unregister-Cloudaware from the file Unregister-Cloudaware.ps1 for the current session:

    Import-Module -Name .\Unregister-Cloudaware.ps1 -Force
    POWERSHELL

Once these steps are performed, the module Unregister-Cloudaware is available in the current Azure Cloud Shell session. Using the module, you can delete the AD application created earlier.
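The complete preparation sequence, with a review gate between download and import, as an added example (this is not code from the Cloudaware utilities; the directory name, the use of Invoke-WebRequest in place of curl, and the final syntax check are the editor's choices):

```powershell
# Added example (not part of the Cloudaware utilities): prepare the Cloud Shell
# session and review the downloaded script before importing (executing) it.
$url  = 'https://raw.githubusercontent.com/cloudaware/public-utilities/master/PowerShell%20modules/Unregister-Cloudaware.ps1'
$dir  = Join-Path $HOME 'cloudaware'          # same location the article uses
$file = Join-Path $dir 'Unregister-Cloudaware.ps1'

New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Location $dir

# Confirm which account and tenant the az CLI is signed in to before doing
# anything tenant-wide.
az account show --query '{user:user.name,tenant:tenantId,subscription:name}' -o table

# Download the script. Invoke-WebRequest follows redirects, like curl -L, and
# writes to an explicit file name instead of trusting the remote file name (-J).
Invoke-WebRequest -Uri $url -OutFile $file

# Record the hash of what you are about to execute and read the script.
# Importing a .ps1 runs it; do not import a file you have not inspected.
Get-FileHash -Path $file -Algorithm SHA256 | Format-List Hash, Path
Get-Content -Path $file | Select-Object -First 40

# Import for this session only and verify the function is now available.
Import-Module -Name $file -Force
if (-not (Get-Command -Name Unregister-Cloudaware -ErrorAction SilentlyContinue)) {
    throw 'Unregister-Cloudaware was not imported; check the download above.'
}
Get-Command -Name Unregister-Cloudaware -Syntax
```

Compare the printed hash with the one you recorded the last time you reviewed the script; a changed hash means the file on the master branch changed and needs to be read again before you import it.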

Description of the module parameters

Parameter: -name <NAME>

Function: Name of the AD application to be deleted.

-name cloudaware-api-access
POWERSHELL

Parameter: -withoutSubs

Function: Deletes the AD application without touching its subscriptions: the roles and/or the policy assigned to the AD application are not unassigned. Note that role assignments that reference a deleted service principal remain on the subscriptions as orphaned entries (shown as 'Identity not found' under Access control (IAM)) until they are removed manually.

-withoutSubs
POWERSHELL

Parameter: -dryRun

Function: Saves the list of parameters and their values that would be used to delete the AD application during the Unregister-Cloudaware run, so they can be reviewed before the real run.

The saved file will be available in the path ~\cloudaware\dryRunToDeleteApp_<USER_PRINCIPAL_NAME>_<APPLICATION_NAME>.json

-dryRun
POWERSHELL

Examples of the module execution

To output the information about the module Unregister-Cloudaware:

Get-Help Unregister-Cloudaware -Full 
POWERSHELL

To output the examples of the module Unregister-Cloudaware execution:

Get-Help Unregister-Cloudaware -Examples
POWERSHELL

To output the list of parameters and their description:

Get-Help Unregister-Cloudaware -Parameter *
POWERSHELL

Examples of the module Unregister-Cloudaware execution:

1. Run the module with the AD application name and the switch -verbose. The switch -dryRun saves the parameters and their values that would be used to delete the AD application, so you can review them before the real run:

Unregister-Cloudaware -name cloudaware-api-access -dryRun -verbose
POWERSHELL

2. Run the module with the AD application name and the switch -verbose. The switch -withoutSubs deletes the AD application but does not unassign the roles and/or the policy assigned to it:

Unregister-Cloudaware -name cloudaware-api-access -withoutSubs -verbose
POWERSHELL

Troubleshooting

1. The error message below means that the user who logged in to Azure using az cli doesn't have the role 'Global Administrator' assigned on the AD level:

[2020-01-01 00:00:00] The user does not have the role 'Global administrator' assigned.
CODE


Steps to check and fix:

  1. Sign in to your Azure portal.

  2. On the left navigation panel, select All services.

  3. On the page in the All services search bar enter Users and choose it.

  4. In the search users bar enter the name of the current user and select it.

  5. On the page, select Assigned roles.

Learn more about Azure AD roles.

2. The error message below means that the AD application you are attempting to delete doesn't exist in Azure Active Directory:

[2020-01-01 00:00:00] The AD application 'cloudaware-api-access' does not exist.
CODE


Steps to check and fix:

  1. Sign in to your Azure portal.

  2. On the left navigation panel, select All services.

  3. On the page in the All services search bar enter App registrations and choose it.

  4. Select All Applications, and in the search bar enter the name of the app you used.

    Learn more about Application management.

3. The error message below means that the user doesn't have access to any Subscription ID(s) to unassign the roles and/or policy that are assigned to the AD application:

[2020-01-01 00:00:00] The user does not have any Subscription ID(s) to unassign roles and/or the policy that are assigned to the AD application 'cloudaware-api-access'.
CODE


Steps to check and fix:

  1. Sign in to your Azure portal.

  2. On the left navigation panel, select All services.

  3. On the page in the All services search bar enter Users and choose it.

  4. In the search users bar enter the name of the current user and select it.

  5. On the page, select Azure role assignments.

If you want to delete the AD application without unassigning the roles and/or the policy assigned to it, use the switch -withoutSubs. Any role assignments left behind remain on the subscriptions as orphaned entries referencing the deleted service principal until they are removed manually.

Learn more about Azure RBAC.

4. The error message below means that no Service Principal Name(s) were found for the AD application you are attempting to delete or an issue occurred when extracting the Service Principal Name(s):

[2020-01-01 00:00:00] An error occurred while extracting Service Principal Name(s).
CODE


Steps to check and fix:

  1. Sign in to your Azure portal.

  2. On the left navigation panel, select All services.

  3. On the page in the All services search bar enter Enterprise applications and choose it.

  4. In the Application type list select All Applications and then click Apply button.

  5. In the search bar enter the name of the app you want to delete.

A temporary Internet connection issue may also cause this error (if the module is run locally on your workstation); re-launch the module.

Learn more about Service Principal object

5. The error message below means that the user doesn't have the role 'Owner' on all or some of the Subscription ID(s), which is required to unassign the role 'Reader' and/or the policy assigned there:

[2020-01-01 00:00:00] The Subscription ID(s) where the user doesn't have the role 'Owner' (RBAC) assigned to be able to delete roles/policy: ['00000000-0000-0000-0000-000000000000']
CODE


Steps to check and fix:

  1. Sign in to your Azure portal.

  2. On the left navigation panel, select All services.

  3. On the page in the All services search bar enter Users and choose it.

  4. In the search bar enter the name of the current user and select it.

  5. On the page, select Azure role assignments.

Contact your Azure Global administrator to get the role 'Owner' assigned. Once the role is assigned, re-run the module.

If you want to delete the AD application without unassigning the roles and/or the policy assigned to it, use the switch -withoutSubs.

Learn more about Azure RBAC

6. The error message below means that the user doesn't have the role 'Owner' on all or some of the Reservation Order ID(s), which is required to unassign the role 'Reader' there:

[2020-01-01 00:00:00] The Reservation Orders ID(s) where the user doesn't have the role 'Owner' (RBAC) assigned to be able to delete roles: ['00000000-0000-0000-0000-000000000000']
CODE


Steps to check and fix:

  1. Sign in to your Azure portal.

  2. On the left navigation panel, select All services.

  3. On the page in the All services search bar enter Reservations and choose it.

  4. Select the Reservation which you need and then select Reservation Order ID.

  5. In the left pane select Access control (IAM), then select Role assignments.

  6. In the search users/apps bar enter the name of the current user.

Contact your Azure Global administrator to get the role 'Owner' assigned. Once the role is assigned, re-run the module.

If you want to delete the AD application without unassigning the roles and/or the policy assigned to it, use the switch -withoutSubs.

Learn more about Azure RBAC
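The same checks the portal steps above describe for troubleshooting items 1, 3 and 5, performed from the command line before the module is run, as an added example (not code from the Cloudaware utilities). It assumes the az CLI is signed in; the Global Administrator role template ID is Microsoft's fixed identifier for that directory role, and the Graph call lists direct (including PIM-activated) role memberships only:

```powershell
# Added example (not part of the Cloudaware utilities): pre-flight checks for
# the signed-in user's privileges, matching troubleshooting items 1, 3 and 5.

# Item 1: is the signed-in user a Global Administrator?
$globalAdminTemplateId = '62e90394-69f5-4237-9190-012177145e10'   # fixed role template ID
$memberOf = az rest --method GET --url 'https://graph.microsoft.com/v1.0/me/memberOf' |
            ConvertFrom-Json
# Groups in the result have no roleTemplateId; only directoryRole objects do.
$isGlobalAdmin = [bool]($memberOf.value.roleTemplateId -contains $globalAdminTemplateId)
"Global Administrator: $isGlobalAdmin"

# Item 3: does the user see any subscriptions at all?
$subs = az account list --query '[].{id:id,name:name}' | ConvertFrom-Json
if (-not $subs) {
    Write-Warning 'No subscriptions visible; the module can only run with -withoutSubs.'
}

# Item 5: is the user Owner on each visible subscription (directly, via group
# membership, or inherited from a management group)?
$me = az account show --query 'user.name' -o tsv      # sign-in name accepted by --assignee
foreach ($sub in $subs) {
    $ownerCount = az role assignment list --assignee $me --subscription $sub.id `
                      --include-inherited --include-groups `
                      --query "[?roleDefinitionName=='Owner'] | length(@)" -o tsv
    [pscustomobject]@{
        Subscription = $sub.name
        Id           = $sub.id
        Owner        = ([int]$ownerCount -gt 0)
    }
}
```

Subscriptions reported with Owner = False are the ones the module will list in the error message for item 5; request Owner there (or accept the orphaned assignments that -withoutSubs leaves behind) before re-running.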