If you’re migrating your Azure AD Password Protection Proxy agent to a new host, you will have found that no documentation exists to guide you through decommissioning the legacy agent without removing AAD Password Protection entirely.
To remove a single (or multiple) agents without decommissioning the entire service, see below:
- Uninstall the proxy agent software on the required servers using Control Panel (Programs and Features).
- Connect to a domain controller or another machine which has the AD PowerShell module installed (or alternatively RSAT).
- From an elevated PowerShell session, run the below commands to generate a list of proxy service connection points (SCP):
```powershell
$scp = "serviceConnectionPoint"
$keywords = "{ebefb703-6113-413d-9167-9f8dd4d24468}*"
Get-ADObject -SearchScope Subtree -Filter { objectClass -eq $scp -and keywords -like $keywords }
```
- From your list of SCP objects, locate the server you intend to remove and copy the ObjectGUID value.
- Run the below command, replacing “ObjectGUID” with your own value:
```powershell
Remove-ADObject "ObjectGUID" -Confirm:$False
```
- Repeat steps 4 and 5 if you’re removing more than one agent.
Closing tip – If you find any previously removed SCP objects have reappeared, you have probably missed step 1.
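The steps above, folded into one script as an added example (not from the original post): it lists the proxy SCPs, picks the one for a named host, refuses to proceed if the proxy service is still installed there (the cause of the reappearing objects mentioned in the closing tip), and removes it by ObjectGUID. It assumes Windows PowerShell 5.1 with the AD module, that the host name appears in the SCP's DistinguishedName or Keywords (check the listing first), and that the proxy service is named AzureADPasswordProtectionProxy; the host name OLDPROXY01 is a constructed placeholder.

```powershell
# Added example: decommission one Azure AD Password Protection proxy SCP safely.
# Assumptions: AD module present; host name appears in the SCP DN or keywords;
# proxy Windows service is named "AzureADPasswordProtectionProxy".
param(
    [Parameter(Mandatory)][string]$ProxyHost,   # e.g. OLDPROXY01 (constructed)
    [switch]$DryRun                              # list and match only, remove nothing
)
Import-Module ActiveDirectory

$scp      = "serviceConnectionPoint"
$keywords = "{ebefb703-6113-413d-9167-9f8dd4d24468}*"   # proxy SCP marker from the post

# Step 3: enumerate every proxy SCP with the attributes needed to pick the right one
$all = Get-ADObject -SearchScope Subtree -Properties keywords, whenChanged `
        -Filter { objectClass -eq $scp -and keywords -like $keywords }
$all | Select-Object DistinguishedName, ObjectGUID, whenChanged,
        @{n = 'Keywords'; e = { $_.keywords -join ';' }} | Format-Table -AutoSize

# Step 4: match the host by name in the DN or keywords (name placement is an assumption)
$escaped = [regex]::Escape($ProxyHost)
$target = @($all | Where-Object {
    $_.DistinguishedName -match "(?i)CN=$escaped," -or
    ($_.keywords -join ' ') -match "(?i)\b$escaped\b"
})
if ($target.Count -eq 0) { Write-Warning "No SCP matched '$ProxyHost'; pick the ObjectGUID manually from the table above."; return }
if ($target.Count -gt 1) { Write-Warning "Multiple SCPs matched '$ProxyHost'; refine the name."; return }
$target = $target[0]

# Step 1 check: if the proxy software is still installed, the service re-registers the SCP
try {
    $svc = Get-Service -ComputerName $ProxyHost -Name "AzureADPasswordProtectionProxy" -ErrorAction Stop
    Write-Warning "Service '$($svc.Name)' is still present on $ProxyHost (state: $($svc.Status)). Uninstall it first."
    return
} catch { <# service absent, or host already offline/decommissioned: proceed #> }

# Step 5: remove by ObjectGUID, logging what was removed for the change record
Write-Host "Removing SCP $($target.ObjectGUID) ($($target.DistinguishedName))"
Remove-ADObject -Identity $target.ObjectGUID -Confirm:$false -WhatIf:$DryRun

# Post-check: the object count should drop by one (unchanged in dry-run mode)
$remaining = @(Get-ADObject -SearchScope Subtree -Filter { objectClass -eq $scp -and keywords -like $keywords })
"Remaining proxy SCPs: $($remaining.Count)"
```

Run it once with -DryRun to confirm the match before letting it delete anything.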
Thx!
Just what I needed to know when building new servers to host my password proxies. Thanks.