Task 02 - Cleanup identities (service principals / federated credentials)

Introduction

As part of this training, you created credentials and access rights to support GitHub Actions authentication and authorization. It is critical for security and to prevent unauthorized access to remove these credentials as part of resource cleanup.

Description

In this task you will be guided through the steps to remove the service principals, role assignments, and federated credentials that were created for GitHub Actions authentication and authorization.

Success Criteria

  • You have deleted all role assignments for service principals
  • You have deleted all federated credentials
  • You have deleted all service principals created for the lab
  • You have deleted the application registration (if applicable)
  • You have verified that no orphaned identities remain

Key Tasks

01: Find service principals

Identify the service principals that were created during the lab.

  1. Run the following commands to list service principals:

     # List all service principals with "github" in the name
     az ad sp list --filter "startswith(displayName, 'github')" --output table
    
     # List all service principals (more comprehensive); --all is needed because
     # the --query filter runs client-side and the default listing is capped at 100
     az ad sp list --all --query "[?contains(displayName, 'github') || contains(displayName, 'zava')]" --output table
    
     # Get specific service principal details
     az ad sp show --id <service-principal-id> --output table
    

02: Remove role assignments

Remove all role assignments before deleting the service principal.

  1. Get the service principal object ID:

     $spName = "github-actions-sp"  # or your custom name
     $spId = (az ad sp list --display-name $spName --query "[0].id" -o tsv)
    
  2. List all role assignments for the service principal:

     az role assignment list --assignee $spId --output table
    
  3. Remove role assignments (repeat for each assignment):

     az role assignment delete `
       --assignee $spId `
       --role "Contributor" `
       --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>"
    
     az role assignment delete `
       --assignee $spId `
       --role "AcrPush" `
       --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<acr-name>"
    
     az role assignment delete `
       --assignee $spId `
       --role "Log Analytics Reader" `
       --scope "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>"
    
  4. Alternatively, remove all role assignments at once:

     # Parse the JSON output: table output is plain text and has no .Role/.Scope properties
     az role assignment list --assignee $spId --output json | ConvertFrom-Json | ForEach-Object {
       az role assignment delete --assignee $spId --role $_.roleDefinitionName --scope $_.scope
     }
    

03: Remove federated credentials

Remove federated credentials (OIDC) if you used them instead of service principal secrets.

  1. Get the service principal application ID:

     $appId = (az ad sp list --display-name "github-actions-sp" --query "[0].appId" -o tsv)
    
  2. List federated credentials:

     az ad app federated-credential list --id $appId --output table
    
  3. Delete each federated credential:

     az ad app federated-credential delete `
       --id $appId `
       --federated-credential-id <credential-id>
    

04: Delete the service principal

Delete the service principal after removing all role assignments and federated credentials.


Delete with direct commands

  1. Run one of these commands to delete the service principal:

     # Delete the service principal by object ID (look it up from the display name;
     # --id accepts an object ID or application ID, not a display name)
     $spId = (az ad sp list --display-name "github-actions-sp" --query "[0].id" -o tsv)
     az ad sp delete --id $spId
    
     # OR, delete by application ID
     az ad sp delete --id <application-id>
    
  2. Verify deletion:

     # Verify deletion using the object ID looked up above
     az ad sp show --id $spId
     # This should return a "not found" error if successfully deleted
    

Delete via application registration

  1. List applications:

     az ad app list --filter "startswith(displayName, 'github')" --output table
    
  2. Get application ID:

     $appId = (az ad app list --filter "displayName eq 'github-actions-sp'" --query "[0].appId" -o tsv)
    
  3. Delete the application (this also deletes the service principal):

     az ad app delete --id $appId
    
  4. Verify deletion:

     # Verify deletion
     az ad app show --id $appId
     # This should return an error if successfully deleted
    

05: Verify that all identities have been deleted

Verify that all identities have been deleted.

  1. Run the following commands to verify deletion:

     # Verify no service principals remain
     az ad sp list --filter "startswith(displayName, 'github')" --output table
    
     # Verify no applications remain
     az ad app list --filter "startswith(displayName, 'github')" --output table
    
     # Verify no role assignments remain (should return empty). An orphaned assignment whose
     # principal was deleted shows no principal name, so also match on the object ID kept in $spId
     az role assignment list --all --output json | ConvertFrom-Json | Where-Object { $_.principalId -eq $spId -or $_.principalName -like "*github*" } | Format-Table roleDefinitionName, scope, principalId
    
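The five key tasks above as a single PowerShell script, added here as an example; it is not part of the lab materials. It assumes the Azure CLI is installed and logged in, that the lab service principal is named github-actions-sp (override with -SpName), and that the CLI version has the federated-credential commands the lab already uses. The Invoke-Az helper and the -WhatIf switch are this example's own names. It parses the CLI's JSON output rather than its table output so every role assignment can be deleted by its own id, and it checks for orphaned assignments by object ID, since an assignment left behind by a deleted principal no longer carries a principal name.

```powershell
# Added example (not part of the lab): end-to-end cleanup of the lab identity
# with a dry-run switch and a final orphan check.
[CmdletBinding()]
param(
    [string]$SpName = "github-actions-sp",   # lab default; override as needed
    [switch]$WhatIf                          # list what would be removed, delete nothing
)

function Invoke-Az {
    # Run an az command with JSON output and return the parsed result
    # ($null when the command fails or returns nothing).
    param([string[]]$Arguments)
    $json = & az @Arguments --output json
    if ($LASTEXITCODE -ne 0 -or -not $json) { return $null }
    return ($json | ConvertFrom-Json)
}

# 1. Resolve the service principal and its application registration
$sp = Invoke-Az @("ad", "sp", "list", "--display-name", $SpName, "--query", "[0]")
if (-not $sp) { Write-Host "No service principal named '$SpName' found; nothing to clean up."; return }
$spId  = $sp.id
$appId = $sp.appId
Write-Host "Found service principal $SpName (object id $spId, app id $appId)"

# 2. Role assignments: enumerate as JSON so each one can be deleted by its own id
$assignments = @(Invoke-Az @("role", "assignment", "list", "--assignee", $spId, "--all"))
foreach ($ra in $assignments) {
    Write-Host ("  role assignment: {0} at {1}" -f $ra.roleDefinitionName, $ra.scope)
    if (-not $WhatIf) {
        az role assignment delete --ids $ra.id --output none
    }
}

# 3. Federated credentials (OIDC) on the application registration
$fics = @(Invoke-Az @("ad", "app", "federated-credential", "list", "--id", $appId))
foreach ($fic in $fics) {
    Write-Host ("  federated credential: {0} (subject {1})" -f $fic.name, $fic.subject)
    if (-not $WhatIf) {
        az ad app federated-credential delete --id $appId --federated-credential-id $fic.id --output none
    }
}

# 4. Delete the application registration, which removes its service principal too
if (-not $WhatIf) {
    az ad app delete --id $appId --output none
    Write-Host "Deleted application $appId and its service principal"
}

# 5. Verify: the principal must be gone, and no role assignment may still
#    reference its object id (the orphaned-assignment case the success criteria call out)
if (-not $WhatIf) {
    $remaining = Invoke-Az @("ad", "sp", "list", "--display-name", $SpName)
    if ($remaining) { throw "Service principal '$SpName' still exists" }
    $orphans = @(Invoke-Az @("role", "assignment", "list", "--all")) |
        Where-Object { $_.principalId -eq $spId }
    if ($orphans) { throw "Orphaned role assignments remain for $spId" }
    Write-Host "Cleanup verified: no identity or role assignment remains for $SpName"
}
```

Run it once with -WhatIf to review the assignments and credentials it found, then without the switch to perform the cleanup; the order (role assignments, then federated credentials, then the application) is the same as in the steps above so that nothing is left dangling if a later step fails.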

Summary

You’ve completed this task. You have deleted all role assignments for service principals, deleted all federated credentials, deleted all service principals created for the lab, and verified that no orphaned identities remain.