Let’s try to remove Azure AD Apps from SCCM console using WMI (WBEMTEST). I have received a comment in the post where I explained how to Renew Secret Keys Using SCCM Console.
Luca mentioned in the comment that When he tried to renew the secret key for two apps, he got an error “Failed to renew the secret key for AAD server application. Failed to get server app.” This is because he already deleted these apps from Azure.
He wanted to know how to delete or remove Azure AD Apps from SCCM Console. These Azure AD apps are created to have the token authentication between various ConfigMgr Azure services and Azure AD.
You can configure many Azure Services from the SCCM console. I have already had a step-by-step guide to configure Tenant Attach, Microsoft Store for Business, Desktop Analytics, etc. Now, the configuration and setup are OK. How to remove these Azure AD applications from the console?
You will also need to ensure that these SCCM related AAD applications are removed from Azure AD from Enterprise applications | All applications (Preview). Some of the
- Renew Secret Keys Using SCCM Console | Configuration Manager
- SCCM Setup Co-Management CMG Azure Cloud Services
- ConfigMgr Setup Co-Management CMG Azure Cloud Services
- https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AppAppsPreview/
Azure AD Apps in SCCM Console
All these Azure AD apps that you see in the SCCM console integrate the Azure Cloud Services with ConfigMgr (aka MEMCM). Two (2) types of Azure AD apps are available in SCCM. The Azure AD Client and Server apps.
You can check the available apps from the following location in the SCCM console –\Administration\Overview\Cloud Services\Azure Active Directory Tenants
NOTE! – You can’t directly delete the Azure AD server and client apps directly from Azure Active Directory Tenants.
Remove Cloud Services to Delete Azure AD Apps – Desktop Analytics
I tried to Remove Cloud Services to Delete Azure AD Apps from SCCM console. As you can see below, I tried to delete Desktop Analytics, but it didn’t delete the applications from the Azure AD Tenants node.
- Navigate to \Administration\Overview\Cloud Services\Azure Services.
- Click on Desktop Analytics and Click on DELETE option from the Ribbon menu.
Click on Yes from the popup warning window to complete the Desktop Analytics cloud service deletion from SCCM.
Are you sure you want to delete the Desktop Analytics connection from this site? Deleting the connection stops the synchronization of devices, collections, deployment plans, and device readiness states. Desktop analytics won’t contain information about your devices or your deployments plans.
Remove Microsoft Store for Business Cloud Service from SCCM
I have shown in the below screenshot that how to Remove Microsoft Store for Business Cloud Service from SCCM. The following posts will help you understand how to set up the MSfB cloud services.
- How to Deploy Microsoft Store for Business Apps using Intune Endpoint Manager
- SCCM Sync with MSfB Microsoft Store for Business | ConfigMgr
You can navigate to \Administration\Overview\Cloud Services\Azure Services. From the services, select the one for Microsoft Store for Business (MSfB) and click on the Delete button from the Ribbon.
NOTE! – Microsoft announced that Microsoft Store for Business will be retired. So this feature won’t be available after the 2022 Nov release of SCCM. Intune co-management is the only option to get Microsoft Store for Business.
Remove Azure AD Apps from SCCM Console
You can remove Azure AD Apps from SCCM Console using the following method. But I don’t think you can remove or delete the Azure AD Apps from the SCCM console Azure Active Directory Tenants – applications.
As shown in the below screenshot, you only have the option to delete the Azure AD tenant. However, you don’t have the option to delete the Azure AD apps for SCCM could services.
I tried to delete the apps from \Administration\Overview\Cloud Services\Azure Active Directory Tenants. But it didn’t work as expected.
Use WMI Explorer to Find WMI Query for Azure AD Apps
I didn’t get any option to remove Azure AD Apps from SCCM Console. I ensured that the Azure Active Directory application was removed from Azure AD and available only in the SCCM console. You can use WMI Explorer to Find WMI Query for Azure AD Apps that you want to delete or remove from the SCCM console.
You can use the following link to search for Azure Apps from the Azure portal (you should have administrative permission to complete this action)
https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AppAppsPreview/
For example, I want to delete MEMCM_Client client apps from the SCCM console. But I didn’t have any option to delete the individual Azure AD application. Hence I’m forced to delete this Azure AD app using WMI. I used the WMI Explorer tool to find the correct entries for Azure AD apps used with the ConfigMgr Cloud services.
- Launch WMI Explorer Tool.
- If you are using the WMIExplorer from Primay server click on Connect button. If not, you will need to provide the hostname of the primary server where SMS provider is installed.
- Double Click on the Namespace – ROOT\SMS\site_MEM.
- Double Click on the Class called SMS_AAD_Application.
- Select the SMS_AAD_Application_ExID=16777218 to find the details of client app called MEMCM_Client available in the admin console.
NOTE! – You can check the instance’s properties for the MEMCM_Client Azure AD app from the SCCM console.
WBEMTest to Remove Azure AD Apps from SCCM using WMI
Now, you can use WBEMTest to delete the instance of the Azure AD apps from WMI. Once the WMI instance is removed, the Azure AD app (MEMCM_Client) from the console will get removed automatically. Copy the WMI query from WMI Explorer, which will be used in the below section.
SELECT * FROM SMS_AAD_Application_Ex WHERE ID=16777218
You can now launch the WBEMTEST from the Run command menu. You can connect to the same WMI namespace we used in the above section.
- Open WBEMTEST from run.
- Connect Root\SMS\site_MEM.
- Click on Query button.
- Use the above query and click on Apply button.
- You will need to use the unique SMS_AAD_Application_Ex ID for Azure AD app using WMI explorer as explained above
- Select the Azure AD app instance that you want to delete.
- Click on Delete button to remove the Azure AD App from WMI and SCCM console as well.
NOTE! – Make sure you delete the correct Azure AD app. Otherwise, this would create some issues and could impact SCCM Cloud services.
Conclusion
In this section, you can check the overall experience of the Azure AD App deletion experience for SCCM admins. The process is not simple to delete the Azure AD apps from the SCCM console. It was surprising that even deleting the Cloud Services (Desktop Analytics in the above example) from the console didn’t help remove the Azure AD apps.
I could figure out the only way to use WBEMTest to delete the Azure AD apps from the SCCM console. This is not an easy process to follow. Let me know in the comments if you find any better way to achieve this.
You can now check the following location in the SCCM admin console to confirm the MEMCM_Client app got removed.
You can check the available apps from the following location in the SCCM console –\Administration\Overview\Cloud Services\Azure Active Directory Tenants
Author
Anoop is Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc……………
SQL way of doing the same thing.
blog.hametbenoit.info/2021/12/09/sccm-unable-to-delete-azure-ad-applications-configured-in-sccm
Thanks for posting this! Unfortunately I deleted the wmi entry for our co management configuration. Any tips to get a deleted entry back?