Removing an Azure Pack user from a subscription and removing the VM Cloud resource provider from Azure Pack

I have been having issues with my Azure Pack plans and subscriptions. The test user was not able to unsubscribe from the VM Cloud plan.

I was getting the following errors:

No Virtual Machine Cloud provider was found. Ensure that at least one VMM management server is available through the Service Provider Foundation endpoint.

Rest client received unsucessful response message with status code '404' and body '{"Code":"ResourceProviderNotFound","Message":"Resource provider is not found.","Details":[]}'.

Could not connect to Resource Provider. Error: Resource not found.

The test account was stuck in the deletion phase.

In order to solve this, I tried to remove the user from the subscription.

First check this: https://technet.microsoft.com/en-us/library/dn554318.aspx

As my Azure Pack deployment uses ADFS authentication, I first had to connect to the Admin API via the following script:

function Get-AdfsToken([string]$adfsAddress, [PSCredential]$credential)
{
    # Relying-party identifier of the Azure Pack admin site; the token is requested for it.
    $clientRealm = 'http://azureservices/AdminSite'
    # $true switches off validation of the ADFS TLS certificate (self-signed lab setup).
    $allowSelfSignCertificates = $true
    Add-Type -AssemblyName 'System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
    Add-Type -AssemblyName 'System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'

    # WS-Trust 1.3 username/password endpoint on ADFS, over TLS with message credentials.
    $identityProviderEndpoint = New-Object -TypeName System.ServiceModel.EndpointAddress -ArgumentList ($adfsAddress + '/adfs/services/trust/13/usernamemixed')
    $identityProviderBinding = New-Object -TypeName System.ServiceModel.WS2007HttpBinding -ArgumentList ([System.ServiceModel.SecurityMode]::TransportWithMessageCredential)
    $identityProviderBinding.Security.Message.EstablishSecurityContext = $false
    $identityProviderBinding.Security.Message.ClientCredentialType = 'UserName'
    $identityProviderBinding.Security.Transport.ClientCredentialType = 'None'
    $trustChannelFactory = New-Object -TypeName System.ServiceModel.Security.WSTrustChannelFactory -ArgumentList $identityProviderBinding, $identityProviderEndpoint
    $trustChannelFactory.TrustVersion = [System.ServiceModel.Security.TrustVersion]::WSTrust13
    if ($allowSelfSignCertificates)
    {
        # Accept any server certificate; the ADFS endpoint is not authenticated in this mode.
        $certificateAuthentication = New-Object -TypeName System.ServiceModel.Security.X509ServiceCertificateAuthentication
        $certificateAuthentication.CertificateValidationMode = 'None'
        $trustChannelFactory.Credentials.ServiceCertificate.SslCertificateAuthentication = $certificateAuthentication
    }

    # The channel credentials take a plain string, so the SecureString is unwrapped;
    # the unmanaged copy is zeroed and freed straight away.
    $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($credential.Password)
    $password = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($ptr)
    [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($ptr)
    $trustChannelFactory.Credentials.SupportInteractive = $false
    $trustChannelFactory.Credentials.UserName.UserName = $credential.UserName
    $trustChannelFactory.Credentials.UserName.Password = $password #$credential.Password

    # Request a bearer JWT for the admin site realm.
    $rst = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.RequestSecurityToken -ArgumentList ([System.IdentityModel.Protocols.WSTrust.RequestTypes]::Issue)
    $rst.AppliesTo = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.EndpointReference -ArgumentList $clientRealm
    $rst.TokenType = 'urn:ietf:params:oauth:token-type:jwt'
    $rst.KeyType = [System.IdentityModel.Protocols.WSTrust.KeyTypes]::Bearer
    $rstr = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.RequestSecurityTokenResponse
    $channel = $trustChannelFactory.CreateChannel()
    $token = $channel.Issue($rst, [ref] $rstr)

    # The token comes back base64-encoded inside the XML wrapper; decode it to the token string.
    $tokenString = ([System.IdentityModel.Tokens.GenericXmlSecurityToken]$token).TokenXml.InnerText
    $result = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($tokenString))
    return $result
}

This gave me a token. Now edit your settings:

$adfsAddress = 'https://adfs.mydomain.com'
$username = 'domain\administrator'
# Plaintext password kept in the script for brevity; Get-Credential prompts for it instead.
$password = 'password'
$adminuri = 'https://localhost:30004'
$securePassword = ConvertTo-SecureString -String $password -AsPlainText -Force
$credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username,$securePassword

$emailAddress = 'tenantuser@domain.com'
$FQDN = 'https://manage.domain.com'

$token = Get-AdfsToken -adfsAddress $adfsAddress -credential $credential

Check if token is there:
$token
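Printing $token writes a usable bearer token to the console. As an added example (not part of the original post), the following checks the token's claims instead. It assumes the string returned by Get-AdfsToken is a three-part JWT whose aud claim equals the $clientRealm value; Test-AdminToken, the helper functions and the sample token are constructed here.

```powershell
# Added example: check a JWT's claims without echoing the bearer token.
# It reads claims only; signature validation remains the admin API's job.
$epoch = New-Object DateTime -ArgumentList 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)

function ConvertFrom-Base64Url([string]$Text) {
    # JWT segments are base64url without padding; restore standard base64.
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function ConvertTo-Base64Url([string]$Text) {
    # Only used to build the constructed sample token below.
    $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b64.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Test-AdminToken([string]$Token, [string]$ExpectedAudience) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Token is not a three-part JWT.' }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
    $expires = $epoch.AddSeconds([double]$claims.exp)
    # Return only non-secret claims; the signature segment is never printed.
    [pscustomobject]@{
        Audience   = $claims.aud
        Issuer     = $claims.iss
        ExpiresUtc = $expires
        AudienceOk = ($claims.aud -ceq $ExpectedAudience)
        NotExpired = ($expires -gt [DateTime]::UtcNow)
    }
}

# Constructed, unsigned sample token (placeholder issuer) so the example runs offline.
$exp = [long]([DateTime]::UtcNow.AddHours(1) - $epoch).TotalSeconds
$claimsJson = @{ aud = 'http://azureservices/AdminSite'
                 iss = 'http://adfs.example.test/adfs/services/trust'
                 exp = $exp } | ConvertTo-Json -Compress
$header  = ConvertTo-Base64Url '{"typ":"JWT","alg":"none"}'
$payload = ConvertTo-Base64Url $claimsJson
$sample  = ($header, $payload, 'constructed-signature') -join '.'

Test-AdminToken -Token $sample -ExpectedAudience 'http://azureservices/AdminSite'
# With the real token from Get-AdfsToken:
# Test-AdminToken -Token $token -ExpectedAudience 'http://azureservices/AdminSite'
```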

Removing user from subscription

The following will remove user tenantuser@domain.com from subscription 2282627b-811c-4d11-9110-0020506bd042

Get-MgmtSvcSubscription $adminuri $token -UserName $emailAddress -First 1 -DisableCertificateValidation

Paste subscription ID

$subscription = '2282627b-811c-4d11-9110-0020506bd042'
$subscription = Get-MgmtSvcSubscription $adminuri $token -UserName $emailAddress -First 1 -DisableCertificateValidation
Remove-MgmtSvcSubscription $adminuri $token -SubscriptionId $subscription.subscriptionId -Force -DisableCertificateValidation -Confirm:$false

Removing the VM Cloud resource provider in WAP with MgmtSvc cmdlets

Removing the faulting user from the subscription did not help, so I continued and removed the VM Cloud resource provider in WAP with the MgmtSvc cmdlets.

Get-MgmtSvcResourceProvider -AdminUri $adminuri -Token $Token -DisableCertificateValidation -Name "systemcenter"

Remove-MgmtSvcResourceProvider -AdminUri $adminuri -Token $Token -DisableCertificateValidation -Name "systemcenter" -InstanceId "B31F0A31-8137-4EB0-AB26-C3409E805274"

Removing the mapping in SPF

Now I had to remove the mapping from SPF. To do that, run the following PowerShell commands on the SPF server.

Get-SCSPFServer

Get-SCSPFServer -Name "vmmservername.domain" | Remove-SCSPFServer

After all of the above, I reconnected Azure Pack to SPF and recreated my VM Cloud plan.