How to: Remove a single Azure AD Password Protection Proxy agent

If you’re migrating your Azure AD Password Protection Proxy agent to a new host, you will have found that no documentation exists to guide you through decommissioning the legacy agent without removing AAD Password Protection entirely.

To remove a single (or multiple) agents without decommissioning the entire service, see below:

  1. Uninstall the proxy agent software on the required servers using Control Panel.
  2. Connect to a domain controller or another machine which has the AD PowerShell module installed (or alternatively RSAT).
  3. From an elevated PowerShell session, run the commands below to generate a list of proxy service connection points (SCPs):

     $scp = "serviceConnectionPoint"
     $keywords = "{ebefb703-6113-413d-9167-9f8dd4d24468}*"
     Get-ADObject -SearchScope Subtree -Filter { objectClass -eq $scp -and keywords -like $keywords }

  4. From your list of SCP objects, locate the server you intend to remove and copy its ObjectGUID value.
  5. Run the command below, replacing "ObjectGUID" with your own value:

     Remove-ADObject "ObjectGUID" -Confirm:$False

  6. Repeat steps 4 and 5 if you're removing more than one agent.
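The procedure above, as an added example that is not part of the original post: one script that lists the proxy SCPs together with the server each one belongs to, then removes only the SCP for a named host (dry run by default). It assumes the RSAT ActiveDirectory module is present, that each proxy SCP sits directly beneath its server's computer object, and uses the placeholder name OLDPROXY01.

```powershell
# Added example (not from the original post). Lists Azure AD Password
# Protection proxy SCPs and removes the one for a single named server.
Import-Module ActiveDirectory

$TargetServer = 'OLDPROXY01'   # placeholder: name of the proxy host being decommissioned

# Same filter as the post: proxy SCPs carry this keyword GUID.
$scp      = 'serviceConnectionPoint'
$keywords = '{ebefb703-6113-413d-9167-9f8dd4d24468}*'

$proxies = Get-ADObject -SearchScope Subtree `
    -Filter { objectClass -eq $scp -and keywords -like $keywords } `
    -Properties keywords, serviceBindingInformation

# Assumption: the SCP is a child of the proxy server's computer object, so the
# parent container's CN names the host. Split the DN on unescaped RDN boundaries.
$report = foreach ($p in $proxies) {
    $rdns   = $p.DistinguishedName -split ',(?=CN=|OU=|DC=)'
    $hostCn = $rdns[1] -replace '^CN=', ''
    [pscustomobject]@{
        Host       = $hostCn
        ObjectGUID = $p.ObjectGUID
        Binding    = ($p.serviceBindingInformation -join ';')
        DN         = $p.DistinguishedName
    }
}
$report | Format-Table -AutoSize

# Refuse to delete unless exactly one SCP matches the intended host.
$target = @($report | Where-Object { $_.Host -ieq $TargetServer })
if ($target.Count -eq 0) {
    Write-Warning "No proxy SCP found for $TargetServer; nothing removed."
} elseif ($target.Count -gt 1) {
    Write-Warning "More than one SCP matched $TargetServer; not removing."
} else {
    # Dry run first; drop -WhatIf once the reported object is the right one.
    Remove-ADObject -Identity $target[0].ObjectGUID -WhatIf
}
```

Uninstall the agent on the host first (step 1), otherwise the running service will re-register the SCP you just deleted.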

Closing tip – If you find any previously removed SCP objects have reappeared, you have probably missed step 1.

2 thoughts on “How to: Remove a single Azure AD Password Protection Proxy agent”

  1. Just what I needed to know when building new servers to host my password proxies. Thanks.

