

Unable to Delete Azure Active Directory Application Registration

Introduction

This post covers the case where the delete button for an Azure Active Directory Application Registration is grayed out. This can happen for a few reasons, and this post goes over the currently known causes in the Azure Active Directory portal. It mainly covers the issues seen in the v1.0 endpoint (portal.azure.com).

 

 

 

Context

Some users accumulate many Azure Active Directory Application Registrations and want to clean up the list by deleting a few. They then find that they cannot delete the Application because the button is grayed out, as in the picture below.

 

 

Resolution

You are unable to delete the AAD Application Registration either because of certain properties on the registration or because your account doesn't have the right permissions. I will first go over the properties that can cause the issue.

 

 

AAD Application Registration Property Issues for Web App/APIs

If the AAD Application Registration has the multi-tenanted value checked, the Application cannot be deleted. To resolve this, follow the highlighted steps in the picture below: go to your AAD Application Registration, then go to Settings > Properties and set Multi-Tenanted to No. After saving and backing out of the Application Registration, go back into the registration and you will be able to delete it.

 

 

 

 

AAD Application Registration Property Issues for Native Applications

If your AAD Application Registration is registered as a "Native" Application, you have to go into the manifest to remove the multi-tenanted setting. Follow the steps in the picture below: go to your AAD Application Registration, click on Manifest, and set the availableToOtherTenants value to false. Save the manifest, then go back into the Azure Active Directory Application Registration, and you will be able to delete it.

 

 

 

User Role Issues

Some users will be unable to delete an Azure Active Directory Application Registration because they do not hold a role that allows deleting it. The roles can be found here: /en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles

The roles that list the action microsoft.aad.directory/applications/delete in their "Actions" section are the roles that have the privilege to delete AAD Application Registrations in their respective tenant.

As of 10-25-2018, the only two roles that have this action are the Application Administrator and Cloud Application Administrator.

Note: You can also assign an admin role to a Service Principal by following the guide here: https://blogs.msdn.microsoft.com/aaddevsup/2018/08/29/how-to-add-an-azure-ad-role-to-a-enterprise-application-service-principal/ if you are interested in deleting AAD Applications using a service principal.
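One way to see who currently holds the two roles named above, and whether the signed-in account is among them. This is an added example, not part of the original post; it assumes the AzureAD module is installed and that you sign in with a member (non-guest) user account.

```powershell
# Added example (not from the original post).
# Assumes the AzureAD PowerShell module is installed.
Connect-AzureAD | Out-Null

# Role names as given in the post: the roles that carry
# microsoft.aad.directory/applications/delete.
$deleteRoles = 'Application Administrator', 'Cloud Application Administrator'

# Get-AzureADDirectoryRole only returns roles that have been activated in
# the tenant, so a role nobody has ever been assigned will not appear here.
$roles = Get-AzureADDirectoryRole |
    Where-Object { $deleteRoles -contains $_.DisplayName }

$report = foreach ($role in $roles) {
    foreach ($member in (Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId)) {
        [pscustomobject]@{
            Role     = $role.DisplayName
            Member   = $member.DisplayName
            Type     = $member.ObjectType   # User or ServicePrincipal
            ObjectId = $member.ObjectId
        }
    }
}

# Every principal that can delete application registrations through these roles.
$report | Sort-Object Role, Member | Format-Table -AutoSize

# Check the signed-in account. Resolving it by sign-in name works for
# member user accounts; guests and service principals need a different lookup.
$me = Get-AzureADUser -ObjectId (Get-AzureADCurrentSessionInfo).Account.Id
$mine = @($report | Where-Object { $_.ObjectId -eq $me.ObjectId })

if ($mine.Count -gt 0) {
    "{0} holds: {1}" -f $me.UserPrincipalName, ($mine.Role -join ', ')
} else {
    "{0} holds neither role." -f $me.UserPrincipalName
}
```

The same listing doubles as a periodic review of who can remove application registrations, including any service principals that were granted one of these roles.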

 

 

 

Deleting Azure AD Application Using PowerShell

You can also use PowerShell to delete an AAD Application Registration. You will need to get the ObjectID from the AAD portal, or use PowerShell cmdlets to get the AAD Application ID. This link describes how to install the AAD V2.0 PowerShell module in more detail: /en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0

First, open PowerShell in administrator mode.

 

 

 

 

 

Then install the AzureAD module, as shown below.

If nothing shows up, you may have to press Enter again to see the get provider prompt. Enter the letter Y or A at each prompt. Each prompt may require you to press Enter again.

 

 

 

 

 

After agreeing to install the item, connect to Azure using Connect-AzureAD. Be sure to log in to the correct tenant (best to use an organization account), the one that has the application you are trying to delete. More about Connect-AzureAD can be found here: /en-us/powershell/module/azuread/connect-azuread?view=azureadps-2.0

 

 

 

 

 

Now go to the portal and get the object ID of the Azure AD Application Registration you are trying to delete, as shown in the picture below. I've highlighted the objectID and the multi-tenanted property to show that this will work for apps that cannot be deleted in the portal. You can also use the Get-AzureADApplication cmdlet; more on this is listed here: /en-us/powershell/module/azuread/get-azureadapplication?view=azureadps-2.0

 

 

 

 

 

 

Then you will be able to delete the Azure AD application using the Remove-AzureADApplication PowerShell cmdlet. More on the Remove-AzureADApplication cmdlet can be found here: /en-us/powershell/module/azuread/remove-azureadapplication?view=azureadps-2.0
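The steps above collected into one script, as an added example that is not part of the original post. The function name Remove-StaleAppRegistration, the tenant ID placeholder and the display name 'Contoso Test App' are assumptions made for illustration; the function refuses to act unless exactly one registration matches and supports -WhatIf for a dry run.

```powershell
# Added example (not from the original post). Run from an elevated prompt.

# Install the AzureAD module only if it is not already present.
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module -Name AzureAD
}

function Remove-StaleAppRegistration {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $DisplayName
    )

    # Look the registration up by name instead of copying the ObjectId
    # from the portal. Single quotes are doubled for the OData filter.
    $escaped = $DisplayName.Replace("'", "''")
    $apps = @(Get-AzureADApplication -Filter "DisplayName eq '$escaped'")

    # Display names are not unique; never delete on an ambiguous match.
    if ($apps.Count -ne 1) {
        throw "Expected exactly one registration named '$DisplayName', found $($apps.Count)."
    }
    $app = $apps[0]

    # Show what is about to be removed, including the multi-tenanted
    # setting that grays out the delete button in the portal.
    $app | Select-Object DisplayName, AppId, ObjectId, AvailableToOtherTenants |
        Format-List | Out-Host

    $target = "$($app.DisplayName) ($($app.ObjectId))"
    if ($PSCmdlet.ShouldProcess($target, 'Remove-AzureADApplication')) {
        Remove-AzureADApplication -ObjectId $app.ObjectId
    }
}

# Sign in to the tenant that owns the registration (placeholder tenant ID).
Connect-AzureAD -TenantId '<tenant-id>'

# Dry run first: prints the registration and what would be removed.
Remove-StaleAppRegistration -DisplayName 'Contoso Test App' -WhatIf

# Remove -WhatIf to delete; ConfirmImpact = 'High' still prompts for confirmation.
```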

 

For more information on the AAD V2.0 PowerShell cmdlets, please refer to the reference: /en-us/powershell/module/azuread/?view=azureadps-2.0

 

 

 

 

Conclusion

In this post we have gone over a few reasons why you may not be able to delete some or any Azure Active Directory Application Registrations. We went over the different property settings and the user roles that have the rights to delete an Application Registration. If you have any more issues, feel free to open a support ticket or comment below and one of our support engineers will reach out to you as soon as possible to resolve the issue.