Home / server / Questions / 1161527
Accepted
Halfdone
Asked: 2024-06-26 02:05:51 +0800 CST

Removing final Exchange server, unable to follow Microsoft instructions

  • 772

I'm reviewing the process to remove the last Exchange server in an environment by following Microsoft's instructions at https://learn.microsoft.com/en-us/exchange/manage-hybrid-exchange-recipients-with-management-tools#permanently-shutting-down-your-last-exchange-server. Step 5 of "Permanently shutting down your last Exchange Server" is to remove the service principal credentials created for OAuth. It provides some PowerShell commands to determine and delete the credentials:

5a. Run these commands in the Exchange Management Shell to get the OAuth credValue:

$thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
$oAuthCert = (dir Cert:\LocalMachine\My) | where {$_.Thumbprint -match $thumbprint}
$certType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$certBytes = $oAuthCert.Export($certType)
$credValue = [System.Convert]::ToBase64String($certBytes)

5b. Find the KeyId that is same as the $credValue found above, run the following commands as a tenant admin using Microsoft Graph PowerShell.

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes "Application.Read.All"
$ServiceName = "00000002-0000-0ff1-ce00-000000000000"
$p = Get-MgServicePrincipalByAppId -AppId $ServiceName
$keyId = (Get-MgServicePrincipal -ServicePrincipalId $p.Id).KeyCredentials $true | ?{$_.Value -eq $credValue}).KeyId

This gives the KeyId of the key whose value matches the $credValue found above.

5c. To remove the service principal credential, run the following command:

Import-Module Microsoft.Graph.Applications
$params = @{
  KeyId = $keyId
}
Remove-MgServicePrincipalKey -ServicePrincipalId $p.Id -BodyParameter $params

That last $keyId assignment in 5b is not a valid PowerShell command, there is a "$true" that is out of place and there is an extra ending parenthesis. It looks like the command got corrupted. Running Get-MgServicePrincipal manually does return a KeyCredentials object but I don't see a "Value" property that it appears to be looking for. This might just be because part of the command is missing.

Does anyone know how I can complete this step? Either thru working PowerShell or other method such as the M365 portal? Also would skipping this step also be ok, understanding it may leave crud behind?

powershell

1 Answers

  1. Best Answer

    I had the same issue as you and found this searching for an answer. Looking at the page in the wayback machine, the offending section used to read:

    Connect-MsolService 
$ServiceName = "00000002-0000-0ff1-ce00-000000000000" 
$p = Get-MsolServicePrincipal -ServicePrincipalName $ServiceName 
$keyId = (Get-MsolServicePrincipalCredential -AppPrincipalId $p.AppPrincipalId -ReturnKeyValues $true | ?{$_.Value -eq $credValue}).KeyId
    • 2