From f554626be115ba74f45ee5d423990b6fc9b966e9 Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Thu, 24 Aug 2023 14:57:22 -0700
Subject: [PATCH] Updated commands to properly remove Service Principal permissions and remove the SPN
---
 .github/workflows/azure-ipam-testing.yml | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/azure-ipam-testing.yml b/.github/workflows/azure-ipam-testing.yml
index cb9531b..599df21 100644
--- a/.github/workflows/azure-ipam-testing.yml
+++ b/.github/workflows/azure-ipam-testing.yml
@@ -182,19 +182,16 @@ jobs:
 shell: pwsh
 run: |
 $tenantId = (Get-AzContext).Tenant.Id
- $scope = "/providers/Microsoft.Management/managementGroups/$TenantId"
+ $scope = "/providers/Microsoft.Management/managementGroups/$tenantId"
 $uiApp = Get-AzADApplication -ApplicationId ${{ needs.deploy.outputs.ipamUIAppId }}
 $engineApp = Get-AzADApplication -ApplicationId ${{ needs.deploy.outputs.ipamEngineAppId }}
-
- Write-Host "-------------------------------"
- Write-Host "Scope: $scope"
- $engineApp | ConvertTo-Json
- Write-Host "-------------------------------"
+ $engineSpn = Get-AzADServicePrincipal -ApplicationId ${{ needs.deploy.outputs.ipamEngineAppId }}
 Remove-AzResourceGroup -Name ${{ needs.deploy.outputs.ipamResourceGroup }} -Force
- Remove-AzRoleAssignment -ObjectId $engineApp.Id -Scope $scope -RoleDefinitionName Reader
+ Remove-AzRoleAssignment -ObjectId $engineSpn.Id -Scope $scope -RoleDefinitionName Reader
+ $engineSpn | Remove-AzADServicePrincipal
 $uiApp | Remove-AzADApplication
 $engineApp | Remove-AzADApplication
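Review bot: `$engineSpn` is used on the new `Remove-AzRoleAssignment` and `Remove-AzADServicePrincipal` lines without checking that `Get-AzADServicePrincipal` returned anything, and all identity cleanup still runs only after `Remove-AzResourceGroup`. If the lookup comes back empty or the resource-group delete fails, the script likely stops there (GitHub's pwsh shell normally runs with `$ErrorActionPreference = 'stop'`), leaving a test service principal with Reader at the tenant root management group and both app registrations behind. Guard the two added lines with `if ($engineSpn) { … }` and consider `try { Remove-AzResourceGroup … } finally { … }` so the role assignment, SPN and apps are removed even when the first step errors. The step definition begins above the hunk, so an existing `if: always()` or other error-handling setting may not be visible here.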