Skip to main content

Entra ID Cleanup

Ensure Clean Tenant Prior to Adding Another Entra ID Integration

HYPR creates numerous artifacts on the Entra tenant; some are automated and some are manual. This will also vary according to which Entra ID integration you're configuring.

  • Manual steps:

    • Setting up the custom HYPR Entra application (e.g., HYPRAuthApp)

    • Setting up the custom service account (e.g., hyprserviceaccount) (only for HYPR Login Experience Integration)

  • Automated steps

    • Creating and populating HYPR Group (Users Not Yet Enrolled)

    • Creating conditional access policy HYPR: Require MFA for Unenrolled Users

    • Performing resource owner password credential (ROPC) setup on the Application (only for HYPR Login Experience Integration)

Failure during Add Integration does not clean up or remove the changes from the automated steps above. If an integration failure occurs, you must ensure the automated components are removed before trying again.

All of the following process assume you are logged in to Entra ID with administrator rights.

Delete the HYPR Group

  1. From the Entra ID portal home screen, select Groups > All groups and search for HYPR.

  2. If HYPR Group (Users Not Yet Enrolled) appears, select the check box next to it and click Delete.

  3. Refresh a few times to ensure changes took effect; Groups is notoriously slow to replicate.

Delete the Conditional Access Policy

  1. Navigate to Protection > Conditional Access Policy.

  2. Search for HYPR.

  3. If HYPR: Require MFA for Unenrolled Users appears, select it.

  4. Once inside the policy, click Delete.

Delete the HYPR Entra Application's Authentication Configuration

HYPR Native Login Experience only

This step only applies when cleaning up a HYPR Native Login Experience integration setup.

In order to perform this steps, you'll need Microsoft Entra PowerShell.

  1. Launch PowerShell as administrator.

  2. Follow the steps in Install the module to install Entra PowerShell. Depending on your PowerShell version, you can achieve this using the following command:

    Install-Module -Name Microsoft.Entra -Repository PSGallery -Scope CurrentUser -Force -AllowClobber

    You'll also need to install the Microsoft.Entra.Beta module using the following command:

    Install-Module -Name Microsoft.Entra.Beta -Repository PSGallery -Scope CurrentUser -Force -AllowClobber

  3. Import the modules:

    Import-Module Microsoft.Entra Import-Module Microsoft.Entra.Beta

  4. Connect to your tenant using the Tenant ID corresponding to your application:

    Connect-Entra -TenantId <Tenant ID>

  5. Check for existing policies:

    Get-EntraPolicy

  6. Look for the policy named EnableDirectAuthPolicy or EnableDirectAuthPolicyViaAPI of type HomeRealmDiscoveryPolicy. We need to confirm if this policy is associated with the HYPRAuthApp prior to deleting.

  7. Insert into the command below your Application ID. This will provide the pervice principal ObjectId:

    Get-EntraServicePrincipal -Filter "AppId eq '<Application ID>'"

  8. Now run this command to ensure the HomeRealmDiscoveryPolicy is set to the HYPRAuthApp using the ID associated with the HomeRealmDiscoveryPolicy:

    Get-EntraBetaPolicyAppliedObject -id <Object ID>

  9. In the case that this returns the ID of the HYPRAuthApp apploication, we should delete it with the following command:

    Remove-EntraPolicy -Id <Policy ID>

  10. Confirm it is gone now with this command:

Get-EntraPolicy