How To Remove Azure Accounts (Cached Credentials) From PowerShell: Remove-AzureAccount for ALL Accounts, Step-By-Step
Have you ever noticed that sometimes PowerShell gets confused regarding accounts? I have many Azure accounts and many subscriptions, so it happens to me all the time. When you change from one account to another and set the subscription for the prior account, it does not perform as expected. As an example, when you run Get-AzureVM, it shows VMs from the prior account that you were using. You can fix this by running Set-AzureSubscription with a bunch of parameters such as:
Set-AzureSubscription -SubscriptionName ContosotTest -Certificate $myCert -SubscriptionID 12345
The problem with this method is that it is too much work. I have opted to take a different approach. For a while now, I have been removing the Azure account and then just re-adding the account that I want to work with. Let's dive a bit deeper into the reasons why, then I will show you how to do it.
In my world, I do not tend to switch accounts many times a day. If I did, I would likely just figure out the proper Set-AzureSubscription command for each of my accounts, put it in a .PS1 file, and open and run it as needed. Instead, I tend to work on projects for weeks at a time and rarely switch accounts mid-project. Even if I do, it is not a big deal, because I can reconnect very easily by just running a PowerShell script.
What is an AzureAccount to PowerShell anyway? Think of the AzureAccount in PowerShell as the cached credentials for authentication. You can authenticate with a username and password (see below) and get a token, or you can authenticate with a certificate and get a certificate that is stored locally in your profile. I am a fan of certificates. Though it is best practice to delete certificates after you apply them to your system, I keep them around on an encrypted volume for easy re-import. If you do opt to delete them and just re-download when you need them, you should periodically log in to Azure and remove the old certificates. There is a limit to the number of certificates you can have linked to an account. It is a big number, perhaps 250? If you download a new certificate frequently, you may eventually hit that maximum.
When you have many cached credentials, PowerShell sometimes gets confused. All we have to do is delete all the cached credentials. I have seen many people try to do something with their Azure account and be told that they do not have rights, or something like that. As it turns out, it is because they had cached credentials from years earlier, and the MSDN or trial account they used is no longer valid. It is better in this case to get rid of those cached credentials anyway, to get things cleaned up.
Now for the hard part (just kidding), how to get rid of these cached credentials?
You can do it manually (via PowerShell) by running:
Get-AzureAccount | Format-Table Id
This will give you output that looks something like the following:
PS C:\> get-azureAccount | format-table id
Id
--
dstolts@live.com
786115DFD16C8DDB8832D20AB33F0152C1B0BDEC
The important thing to note is that there are two IDs. One is a token (the email address) and one is a certificate. I could run Remove-AzureAccount and type in the ID as a parameter, which would look something like:
Remove-AzureAccount 786115DFD16C8DDB8832D20AB33F0152C1B0BDEC
Then I could do the same for the other; all my credentials would be removed, and I could re-run Add-AzureAccount or Get-AzurePublishSettingsFile to create a new cached credential. The first few times I did this, I noticed I had 6 accounts and I did each one. It really got to be a pain. So now, for the shortcut: removing all accounts with a single short command.
Get-AzureAccount | ForEach-Object { Remove-AzureAccount $_.ID -Force }
Now what is this command doing? Well yes, it WILL remove all cached credentials for the current user in PowerShell. Let's look at each segment for an explanation:
- Get-AzureAccount gets the list of AzureAccount entries for the current user (run on its own, it displays them).
- The pipe | says use the output of the first command as input for the next.
- ForEach-Object {} says execute what is inside the braces for each object in the set. The objects in the set in my case are the two accounts. If I have 6, 8, 10 or whatever, it would loop through however many are there and perform the task that is inside the braces.
- Inside the braces is the command Remove-AzureAccount, which expects a parameter of the ID.
- We used $_.ID, which passes the ID for each element in the loop ($_ represents the "current" element of the set that was passed in by Get-AzureAccount).
- Finally, there is a -Force parameter. This is applied as a parameter to Remove-AzureAccount and basically tells PowerShell to automatically accept any confirmation prompts. If you want to be prompted for each account that it will remove, just remove the -Force part of the statement.
After running the command, all of your cached credentials will be removed and your system will be clean and unconfused.
You then just need to add in the cached credentials of the account you want to use.
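A more cautious variant of the one-liner above, as an added example that is not part of the original post: it reports each cached entry as a token or a certificate, then removes them with -WhatIf and -Confirm support. The function names and sample Ids are hypothetical, and the Cert:\CurrentUser\My lookup assumes that is where the imported certificate was stored.

```powershell
# Added example: function names and sample Ids below are hypothetical/constructed.
function Get-CachedAzureAccountReport {
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string] $Id)
    process {
        # As in the article's output: a 40-hex-digit Id is a certificate
        # thumbprint; any other Id (an email address) is a token.
        $isCert = $Id -match '^[0-9A-Fa-f]{40}$'
        $cert = $null
        if ($isCert) {
            # Assumption: the imported certificate sits in the current
            # user's personal store under that thumbprint.
            $cert = Get-Item "Cert:\CurrentUser\My\$Id" -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Id            = $Id
            Kind          = if ($isCert) { 'Certificate' } else { 'Token' }
            CertInStore   = [bool]$cert
            HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
            Expires       = if ($cert) { $cert.NotAfter } else { $null }
        }
    }
}

function Remove-AllCachedAzureAccounts {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()
    # Snapshot the list first so removal does not disturb the enumeration.
    foreach ($account in @(Get-AzureAccount)) {
        if ($PSCmdlet.ShouldProcess($account.Id, 'Remove cached Azure credential')) {
            Remove-AzureAccount $account.Id -Force
        }
    }
}

# Offline demonstration with constructed Ids (not real accounts):
$sample = @(
    [pscustomobject]@{ Id = 'user@example.com' }
    [pscustomobject]@{ Id = '0123456789ABCDEF0123456789ABCDEF01234567' }
)
$sample | Get-CachedAzureAccountReport | Format-Table -AutoSize

# On a machine with the Azure module loaded:
#   Get-AzureAccount | Get-CachedAzureAccountReport | Format-Table -AutoSize
#   Remove-AllCachedAzureAccounts -WhatIf      # preview only
#   Remove-AllCachedAzureAccounts              # prompts per account
```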
Authenticate PowerShell to Azure:
This is kind of like telling PowerShell how to log in to Azure and save the cached credential. There are two ways to authenticate PowerShell to Azure.
- Username and Password: to authenticate, type the command:
Add-AzureAccount
This will pop open a web browser and ask you to log in. Enter your Azure login information. Once complete, your PowerShell session will be connected to your Azure account.
- Computer Certificate Authentication: I am a fan of using certificates to authenticate. To do this you have to download the certificate from Azure and then import it. The following commands are needed:
  - Get-AzurePublishSettingsFile
  This will open a browser, connect to Azure and prompt you to save the certificate. Once complete, run the next command.
  - Import-AzurePublishSettingsFile -PublishSettingsFile "<FileLocationPath\FileName.publishsettings>"
  Replace the value in quotes above with your actual filename and path.
- If you previously ran Add-AzureAccount and now want to use the certificate, go ahead and import the certificate, then run
Remove-AzureAccount
PowerShell is smart enough to know that when you run Remove-AzureAccount while you have both an authentication certificate and a token (from Add-AzureAccount) for the same account, you want to remove the token.
I hope this helps!!!! Please let me know (in the comments) what you think