Entra/Azure AD: Cleanup

HYPR Control Center Standard: Integrations

Ensure Clean Tenant Prior to Adding Another Entra/Azure AD Integration

HYPR creates numerous artifacts on the Entra/Azure tenant; some are automated and some are manual.

  • Manual steps:
    • Setting up custom HYPRAuthApp
    • Setting up custom hyprserviceaccount
  • Automated steps
    • Creating and populating HYPR Group (Users Not Yet Enrolled)
    • Creating conditional access policy HYPR: Require MFA for Unenrolled Users
    • Performing resource owner password credential (ROPC) setup on HYPRAuthApp

Failure during Add Integration does not clean up or remove the changes from the automated steps above. If an integration failure occurs, you must ensure the automated components are removed before trying again.

All of the following process assume you are logged in to Azure AD with administrator rights.

Delete the HYPR Group

  1. Navigate to Groups and search for HYPR.
  2. If HYPR Group (Users Not Yet Enrolled) appears, select the check box next to it and click Delete.
  3. Refresh a few times to ensure changes took effect; Groups is notoriously slow to replicate.

Delete the Conditional Access Policy

  1. Navigate to Security > Conditional Access Policy.
  2. Search for HYPR.
  3. If HYPR: Require MFA for Unenrolled Users appears, select it.
  4. Once inside the policy, click Delete.

Delete HYPRAuthApp’s ROPC Configuration

  1. Launch PowerShell as administrator.
  2. Install AzureADPreview using the following command:
    Install-Module -Name AzureADPreview


Clobberin' Time

Due to known conflicts with Entra/Azure AD, you may need to run this command with additional parameters:

Install-Module AzureADPreview -Force -AllowClobber

If you still encounter problems, you must remove the Entra/Azure AD module entirely:

Remove-Module AzureAD

  1. Import the module:
    Import-Module AzureADPreview
  2. Connect to your tenant using the tenantid defined on HYPRAuthApp:
    PS C:\\WINDOWS\\system32> Connect-AzureAD -TenantId \<tenantid_defined_on_HYPR_AuthApp>
  3. Check for existing policies:


Feel the Power

We have seen challenges running these commands on PowerShell 7.x. Only when we leveraged 5.x version did this work, and then only on the 64-bit version.

  1. Look for the policy named EnableDirectAuthPolicy or EnableDirectAuthPolicyViaAPI of type HomeRealmDiscoveryPolicy. We need to confirm if this policy is associated with the HYPRAuthApp prior to deleting.
  2. Insert into the command below your clientId/applicationID. This will provide the ServicePrincipal ObjectId:
    PS C:\\Windows\\system32> Get-AzureADServicePrincipal -Filter "AppId eq 'dd53a2f4-7c95-4ff5-82d7-fd014931f59e'"
  3. Now run this command to ensure the HomeRealmDiscoveryPolicy is set to the HYPRAuthApp using the ID associated with the HomeRealmDiscoveryPolicy:
    Get-AzureADPolicyAppliedObject -id b7be5079-f40d-4a76-a206-efd76dfc5742
  4. Since this DID returned the ID of the HYPRAuthApp, we should delete it with the following command:
    Remove-AzureADPolicy -Id b7be5079-f40d-4a76-a206-efd76dfc5742
  5. Confirm it is gone now with this command: