Automating cleanup Entra Joined AVD hosts

This post is about automating the cleanup for Entra Joined Azure Virtual Desktop (AVD) hosts.

So, what is the problem? The problem is that when you frequently deploy Entra Joined AVD hosts, they are only Entra Joined, and they already exist Entra/Intune. You get this error when running the bicep template:

Automating cleanup Entra Joined AVD Hosts - error message

That error is because of the devices already existing in Entra:

After that, you must manually clean Entra & Intune and redeploy your bicep template. Not a good time, right? So, you can clean this up manually every time but doing something twice is one time too many. I wrote a Powershell script that uses Service Principal Authentication to grab the sessionhosts from the hostpool, remove them, and remove the resources. After that, using the same Service Principal, logging in to Microsoft Graph, remove the sessionhosts from Entra and after that from Intune.

You can even integrate this script into your Azure DevOps pipeline (maybe I will write a part 2 that does that)

Note: This is not a problem when you are using Active Directory joined AVD hosts. These computer accounts can be reinstated when you re-run the deployment. In that scenario, this is not an issue.


Firstly, we need a Service Principal with permission to remove the sessionhosts from the AVD hostpool and delete resources. After that, you need to give the service principal Graph API permissions:

Yes, the permissions are quite extensive. Please make sure you use the correct variables in the script and test it in a test environment first.

After that, you need to create a secret that is used in the script to authenticate. Yes, a certificate would be better. You need to change the authentication in the script if you want to use that.

Or even better would be the federated credential option within Azure DevOps. Like I said before in the post, maybe I will write a part 2 where this all comes together.

The script checks for modules that need to be installed. It is only needed for the Azure part. That is where I use custom modules and modules from Microsoft. I especially want to call out Sander Rozemuller’s module called az.avd. It is awesome, check it out here.

The cleanup script

You can find the script in my GitHub repository.

Link to script

Please fill in the variables:

Note: This script will remove every sessionhost from your hostpool, the resources in Azure, the Entra ID computer accounts, and the Intune device objects. Use with caution!

After that, run the script. This is output:

Firstly, this is the AVD part, you need to enter your client secret:
After that, it removes the sessionhosts from the hostpool and removes the Azure resources:

The next part is the Graph API part:
Firstly, it removes the machines from Entra ID and after that from Intune:

This is an option for automating the Entra joined AVD hosts cleanup. I hope you can use this script to further automate your AVD deployment. Please let me know if you did.

Happy automating!

Other posts:

These are other posts about automation:
Use Bicep to add a new image version to the Azure Compute Gallery
Set Page file for Azure VM via custom script extension

2 thoughts on “Automating cleanup Entra Joined AVD hosts”

    • Hi Ryan,

      Thanks! It is just my lazyness. I had something laying around and combined with the other. A version with what you propose will be better. Will update the blog sometime.



Leave a Comment