# Clean up non-corporate and unauthorized applications

# Introduction

This document walks you through deleting apps via the portal and PowerShell. It also covers the app recovery process in case you accidentally delete one.

## Prerequisites

To begin cleaning up applications, the user must hold one of the roles listed below.

- Global Administrator
- Cloud Application Administrator
- Application Administrator
- Owner of the service principal

## Usage: The Azure Portal

The process is very simple with the user interface. However, it is not possible to delete multiple applications at the same time via the portal.

#### Go to Enterprise Applications

The list of apps will be displayed.

#### Pick the Application

After listing the apps, the next step is to select the one you want to delete.

#### Open the properties pane

Navigate to Properties on the left side. When the pane is open, click the Delete button.

## Usage: PowerShell

With PowerShell, you can quickly delete multiple apps with a script. Below, we discuss some essential commands for gathering the necessary information, as well as the script used to delete the AAD enterprise apps.

## Essential Commands

### Enterprise Applications commands:

- Log in with the necessary permissions: `Connect-AzureAD`
- Show all registered Enterprise Applications as well as their ObjectIds: `Get-AzureADServicePrincipal`

### App registrations commands:

- Log in with the necessary permissions as an Azure RM account: `Login-AzureRMAccount`
- Obtain an inventory of all App Registrations: `Get-AzureRmADApplication`

## PowerShell Script

The script below is a PowerShell function that displays a list of applications on your tenant and deletes the ones you choose.
```
function Remove-AzureADApplications {
    [CmdletBinding()]
    param (
        [Parameter(HelpMessage = "The service principal search string.")]
        [string] $SearchString = "",

        [Parameter(HelpMessage = "Forces the command to run without asking for user confirmation. This will remove all applications that match the filter criteria specified by the SearchString parameter. If the SearchString parameter is omitted, this will attempt to delete all application registrations without confirmation. Use with caution.")]
        [Switch] $Force
    )

    Import-Module "AzureAD";

    # Build the candidate list: filtered by search string, or every application.
    if ($SearchString) {
        $apps = (Get-AzureADApplication -SearchString $SearchString)
    }
    else {
        Write-Warning "No search string specified. Fetching all applications."
        $apps = (Get-AzureADApplication -All $true)
    }

    # Without -Force, let the operator pick the applications in a grid view.
    if ($Force) {
        $selectedApps = $apps;
    }
    else {
        $selectedApps = $apps | Out-GridView -Title "Please select applications to remove..." -OutputMode Multiple;
    }

    $selectedApps | ForEach-Object {
        $displayName = $_.DisplayName;
        $objectId = $_.ObjectId;
        try {
            # -ErrorAction Stop turns failures into terminating errors so the catch block runs.
            Remove-AzureADApplication -ObjectId $objectId -ErrorAction Stop
            Write-Host "Removed $displayName..." -ForegroundColor Green;
        }
        catch {
            Write-Host "Failed to remove $displayName..." -ForegroundColor Red;
        }
    }
}
```

## Recover Apps

Deleted applications are kept in a suspended state for 30 days, and you can recover them during this time. Once the period has ended, the deleted apps can never be recovered. If you accidentally deleted the wrong application, you should try to recover it as soon as possible.

The entire recovery process is handled by PowerShell. The link will be added to the reference section. To restore, run the following command:

```
Restore-AzureADMSDeletedDirectoryObject -Id 'd4142c52-179b-4d31-b5b9-08940873507b'
```
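The restore command needs the object Id of the deleted application. As an added example (not part of the original page), the function below looks up soft-deleted app registrations by display name with `Get-AzureADDeletedApplication` and restores a single unambiguous match; the function name `Restore-DeletedAppByName` and the sample display name are hypothetical.

```powershell
# Added example: find a soft-deleted app registration by name and restore it.
# Restore-DeletedAppByName is a hypothetical helper, not an AzureAD module cmdlet.
function Restore-DeletedAppByName {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true)]
        [string] $DisplayName
    )

    Import-Module AzureAD -ErrorAction Stop

    # Soft-deleted app registrations that are still inside the recovery window.
    $deleted = @(Get-AzureADDeletedApplication -All $true |
        Where-Object { $_.DisplayName -eq $DisplayName })

    if ($deleted.Count -eq 0) {
        Write-Warning "No soft-deleted application named '$DisplayName' was found."
        return
    }

    if ($deleted.Count -gt 1) {
        # Display names are not unique, so do not guess which object to restore.
        Write-Warning "Multiple deleted applications match. Restore by ObjectId instead:"
        $deleted | Select-Object DisplayName, AppId, ObjectId |
            Format-Table -AutoSize | Out-Host
        return
    }

    $app = $deleted[0]
    $target = "$($app.DisplayName) ($($app.ObjectId))"
    if ($PSCmdlet.ShouldProcess($target, "Restore deleted application")) {
        Restore-AzureADMSDeletedDirectoryObject -Id $app.ObjectId -ErrorAction Stop
        Write-Host "Restored $($app.DisplayName)." -ForegroundColor Green
    }
}

# Requires an existing session (Connect-AzureAD). Preview first, then restore:
# Restore-DeletedAppByName -DisplayName "Contoso Test App" -WhatIf
# Restore-DeletedAppByName -DisplayName "Contoso Test App"
```

Running with `-WhatIf` first shows which object would be restored without changing the directory.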