
# Contributors:
# Chad Schultz
# PowerShell module to List on and delete unused Azure resources and save money.
# This Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment. THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. We grant You a nonexclusive, royalty-free right to use and modify the Sample Code and to reproduce and distribute the object code form of the Sample Code, provided that You agree: (i) to not use Our name, logo, or trademarks to market Your software product in which the Sample Code is embedded; (ii) to include a valid copyright notice on Your software product in which the Sample Code is embedded; and (iii) to indemnify, hold harmless, and defend Us and Our suppliers from and against any claims or lawsuits, including attorneys’ fees, that arise or result from the use or distribution of the Sample Code.

# Class to hold alert resource groups and names as script has to get RGs from different command let than alert.
Class MyRGandName
function global:Get-AzSMUnusedNICs {
        Lists unused NICs in a subscription.
        Lists unused NICs in a subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Get-AzSMUnusedNICs -Subscription 00000000-0000-0000-0000-000000000000
        Get a list of unused network interfaces in a subscription.
        Get-AzSMUnusedNICs -Subscription 00000000-0000-0000-0000-000000000000 | Remove-AzureRmNetworkInterface
        Remove unused network interfaces in a subscription with confirmation.
        * CAN be piped to Remove-AzureRmNetworkInterface.


        [Parameter(Mandatory=$true)][string] $SubscriptionID

    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null|Out-Null
    Write-Debug "Subscription: $SubscriptionID"

    Return $nics
function global:Get-AzSMUnusedNSGs {

        Lists unused NSGs in a subscription.
        Lists unused NSGs in a subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Get-AzSMUnusedNSGs -Subscription 00000000-0000-0000-0000-000000000000
        Get a list of unused network security groups in a subscription.
        Get-AzSMUnusedNSGs -Subscription 00000000-0000-0000-0000-000000000000 | Remove-AzureRmNetworkSecurityGroup
        Remove unused network security groups in a subscription.
        *CAN be piped to Remove-AzureRmNetworkSecurityGroup.


        [Parameter(Mandatory=$true)][string] $SubscriptionID

    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null
    Write-Debug "Subscription: $SubscriptionID"

    Return $nsg
function global:Get-AzSMUnusedPIPs {

        Lists unused Public IPs in a subscription.
        Lists unused Public IPs in a subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Get-AzSMUnusedPIPs -Subscription 00000000-0000-0000-0000-000000000000
        Gets a list of unused public IP addresses in a subscription.
        Get-AzSMUnusedPIPs -Subscription 00000000-0000-0000-0000-000000000000 | Remove-AzureRmPublicIpAddress
        Remove unused public IP addresses in a subscription.
        *CAN be piped to Remove-AzureRmPublicIpAddress.


        [Parameter(Mandatory=$true)][string] $SubscriptionID

    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null
    Write-Debug "Subscription: $SubscriptionID"

    Return $pip
function global:Get-AzSMDisabledAlerts {

        Lists disabled "classic" alerts in a subscription.
        Lists disabled "classic" alerts in a subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Get-AzSMDisabledAlerts -Subscription 00000000-0000-0000-0000-000000000000
        Get a list of disabled classic alerts in a subscription.
        *CANNOT be piped to Remove-AzureRmAlertRule.


        [Parameter(Mandatory=$true)][string] $SubscriptionID

    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null
    Write-Debug "Subscription: $SubscriptionID"

    $alerts = New-Object System.Collections.ArrayList
    foreach ($r in $rgs)
        $a=Get-AzureRmAlertRule -ResourceGroupName $r.ResourceGroupName -WarningAction Ignore|Where-Object{$_.IsEnabled -eq $false}
        if ($a.IsEnabled -eq $false) {
            $al=New-Object MyRGandName
    Return $alerts
function global:Get-AzSMDisabledLogAlerts{

        List disabled Activity Log alerts in a subscription.
        List disabled Activity Log alerts in a subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Get-AzSMDisabledLogAlerts -Subscription 00000000-0000-0000-0000-000000000000
        Get a list of disabled Activity Log alerts in a subscription.
        *CANNOT be piped to Remove-AzureRmActivityLogAlert.


        [Parameter(Mandatory=$true)][string] $SubscriptionID

    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null
    Write-Debug "Subscription: $SubscriptionID"

    $logalerts = New-Object System.Collections.ArrayList
    foreach ($r in $rg)
        $a=Get-AzureRmActivityLogAlert -ResourceGroupName $r.ResourceGroupName -WarningAction Ignore -ErrorAction Ignore|Where-Object{$_.Enabled -eq $false}

        if ($a.Enabled -eq $false){
            $al=New-Object MyRGandName
    Return $logalerts
function global:Get-AzSMEmptyResourceGroups {

        Lists empty resource groups in a subscription.
        Lists empty resource groups in a subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Get-AzSMEmptyResourceGroups -SubscriptionID 00000000-0000-0000-0000-000000000000
        Get a list of empty Resource Groups in a subscription.
        *CAN be piped to Remove-AzureRmResourceGroup.


        [Parameter(Mandatory=$true)][string] $SubscriptionID

    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null
    Write-Debug "Subscription: $SubscriptionID"

    $emptyrgs = New-Object System.Collections.ArrayList

    $rgs|ForEach-Object {
        $rgd=Get-AzureRMResource -ResourceGroupName $_.ResourceGroupName -WarningAction SilentlyContinue -ErrorAction SilentlyContinue -ErrorVariable $rgerr
        if (!$rgd -and $rgerr -eq $null) {
    Return $emptyrgs
function global:Get-AzSMUnusedAlertActionGroups {

        Lists unused Alert Action Groups in a subscription.
        Lists unused Alert Action Groups in a subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Get-AzSMUnusedAlertActionGroups -SubscriptionID 00000000-0000-0000-0000-000000000000
        Get-AzSMUnusedAlertActionGroups -SubscriptionID 00000000-0000-0000-0000-000000000000 | Remove-AzureRmActionGroup -Confirm
        *CAN be piped to Remove-AzureRmActionGroup.


        [Parameter(Mandatory=$true)][string] $SubscriptionID

    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null
    Write-Debug "Subscription: $SubscriptionID"

    $actiongroups2 = New-Object System.Collections.ArrayList
    foreach ($rg in $rgs) {
        $ags=Get-AzureRmResource -ResourceGroupName $rg.ResourceGroupName -ResourceType microsoft.insights/actionGroups
        foreach ($a in $ags) {
            $TempHoldActionGroup=New-Object MyRGandName
            if ($a.Name.Length -gt 0) {
    $actiongroups = New-Object System.Collections.ArrayList
    foreach ($rg in $rgs) {
        $ala=Get-AzureRmActivityLogAlert -ResourceGroupName $rg.ResourceGroupName -WarningAction SilentlyContinue -ErrorAction SilentlyContinue -ErrorVariable $alerr
        if ($ala -and $alerr.count -lt 1) {
            foreach ($a in $ala) {
                $TempHoldActionGroup=New-Object MyRGandName
                $TempHoldActionGroup.Name=$as.GetValue($as.Count -1)
    $unusedactiongroups=$actiongroups2|Where-Object{$actiongroups.Name -notcontains $_.Name}

    foreach ($alertactiongroup in $unusedactiongroups) {
        Get-AzureRmActionGroup -ResourceGroupName $alertactiongroup.RG -Name $alertactiongroup.Name
function global:Get-AzSMUnusedRouteTables {

        List unused route tables in a subscription.
        List unused route tables in a subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Get-AzSMUnusedRouteTables -SubscriptionID 00000000-0000-0000-0000-000000000000
        *CAN be piped to Remove-AzureRmRouteTable.


        [Parameter(Mandatory=$true)][string] $SubscriptionID

    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null
    Write-Debug "Subscription: $SubscriptionID"

    $routelist = New-Object System.Collections.ArrayList
    $routes|ForEach-Object {
        if ($route.Subnets.Count -eq 0) {

    Return $routelist
function global:Get-AzSMVNetsWithoutSubnets {

        List VNets without any subnets defined in a subscription.
        List VNets without any subnets defined in a subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Get-AzSMVNetsWithoutSubnets -SubscriptionID 00000000-0000-0000-0000-000000000000
        *CAN be piped to Remove-AzureRmVirtualNetwork


        [Parameter(Mandatory=$true)][string] $SubscriptionID

    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null
    Write-Debug "Subscription: $SubscriptionID"

    $emptysubnets=New-Object System.Collections.ArrayList
    foreach ($vnet in $vnets) {
        if ($vnet.Subnets.Count -eq 0) {
            #Write-Host "VNet without subnets defined found: " + $vnet.Name

    Return $emptysubnets
function global:Get-AzSMOldDeployments{

        List deployments older than 365 days in a subscription.
        List deployments older than 365 days in a subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Set to the number of days to scan back for old deployments.
        Default is 365 days old.
        Get-AzSMOldDeployments -SubscriptionID 00000000-0000-0000-0000-000000000000
        *CAN be piped to Remove-AzureRmResourceGroupDeployment.


        [Parameter(Mandatory=$true)][string] $SubscriptionID,
        [Parameter(Mandatory=$false)][int] $Days = 365

    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null
    Write-Debug "Subscription: $SubscriptionID"

    $rgd=Get-AzureRMResourceGroup|Get-AzureRmResourceGroupDeployment|Where-Object{$_.Timestamp -lt (Get-Date).AddDays(-$Days)}
    Return $rgd
function global:Get-AzSMUnusedDisks {

        List unused managed disks in a subscription.
        List unused managed disks in a subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Get-AzSMUnusedDisks -SubscriptionID 00000000-0000-0000-0000-000000000000
        *CAN be piped to Remove-AzureRmDisk.


        [Parameter(Mandatory=$true)][string] $SubscriptionID

    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null
    Write-Debug "Subscription: $SubscriptionID"

    $disks = Get-AzureRmDisk|Where-Object{$_.ManagedBy.Length -lt 1}

    Return $disks
function global:Get-AzSMEmptyAADGroups {

        List empty AAD groups in a tenant.
        List empty AAD groups in a tenant.
        Azure tenant ID in the format, 00000000-0000-0000-0000-000000000000
        Get-AzSMEmptyAADGroups -TenantID 00000000-0000-0000-0000-000000000000
        *It is not recommended to pipe command to remove AAD groups as there are built-in and synced groups that may have not members.


        [Parameter(Mandatory=$true)][string] $TenantID

    Connect-AzureAD -TenantId $TenantID
    Write-Debug "Tenant ID: $TenantID"

    $emptygroups=New-Object System.Collections.ArrayList
    Get-AzureADGroup|ForEach-Object {
        $aadgmem=Get-AzureADGroupMember -ObjectId $_.ObjectId
        if($aadgmem.Count -lt 1) {
    Return $emptygroups
function global:Get-AzSMDisabledLogicApps {

        List disabled Logic Apps in a subscription.
        List disabled Logic Apps in a subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Get-AzSMDisabledLogicApps -SubscriptionID 00000000-0000-0000-0000-000000000000
        *CANNOT be piped to Remove-AzureRmLogicApp.


        [Parameter(Mandatory=$true)][string] $SubscriptionID

    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null
    Write-Debug "Subscription ID: $SubscriptionID"

    $disabledlapps = New-Object System.Collections.ArrayList
    Get-AzureRmResourceGroup|ForEach-Object {
        $lapps=Get-AzureRMResource -ResourceGroupName $_.ResourceGroupName -ResourceType "Microsoft.Logic/workflows"
        $lapps|ForEach-Object {
            $lapp=Get-AzureRmLogicApp -ResourceGroupName $_.ResourceGroupName -Name $_.Name|Where-Object{$_.State -eq "Disabled"}
    Return $disabledlapps
function global:Get-AzSMOldSnapshots{

        List snapshots older than 365 days in a subscription.
        List snapshots older than 365 days in a subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Set to the number of days to scan back for old deployments.
        Default is 365 days old.
        Get-AzSMOldSnapshots -SubscriptionID 00000000-0000-0000-0000-000000000000
        *CAN be piped to Remove-AzureRmSnapshot.


        [Parameter(Mandatory=$true)][string] $SubscriptionID,
        [Parameter(Mandatory=$false)][int] $Days = 365

    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null
    Write-Debug "Subscription ID: $SubscriptionID"

    $snap=Get-AzureRmSnapshot|Where-Object{$_.TimeCreated -lt (Get-Date).AddDays(-$Days)}
    Return $snap
function global:Get-AzSMIlbNoBackendPool {

        List Internal load balancers that have no backend pool in a subscription.
        List Internal load balancers that have no backend pool in a subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Get-AzSMIlbNoBackendPool -SubscriptionID 00000000-0000-0000-0000-000000000000
        *CAN be piped to Remove-AzureRmLoadBalancer.


        [Parameter(Mandatory=$true)][string] $SubscriptionID

    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null
    Write-Debug "Subscription ID: $SubscriptionID"

    $ilbsnopool=Get-AzureRmLoadBalancer|Where-Object{$_.BackendAddressPools.Count -lt 1}

    Return $ilbsnopool
function global:Get-AzSMDisabledTrafficManagerProfiles {

        List disabled TrafficManager Profiles in a subscription.
        List disabled TrafficManager Profiles in a subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Get-AzSMDisabledTrafficManagerProfiles -SubscriptionID 00000000-0000-0000-0000-000000000000
        *CAN be piped to Remove-AzureRmTrafficManagerProfile.


        [Parameter(Mandatory=$true)][string] $SubscriptionID

    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null
    Write-Debug "Subscription ID: $SubscriptionID"

    $dtmpro=Get-AzureRmTrafficManagerProfile|Where-Object{$_.ProfileStatus -eq "Disabled"}

    Return $dtmpro
function global:Get-AzSMTrafficManagerProfilesWithNoEndpoints {

        List TrafficManager Profiles without endpoints in a subscription.
        List TrafficManager Profiles without endpoints in a subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Get-AzSMTrafficManagerProfilesWithNoEndpoints -SubscriptionID 00000000-0000-0000-0000-000000000000
        *CAN be piped to Remove-AzureRmTrafficManagerProfile.


        [Parameter(Mandatory=$true)][string] $SubscriptionID

    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null
    Write-Debug "Subscription ID: $SubscriptionID"

    $dtmpro=Get-AzureRmTrafficManagerProfile|Where-Object{$_.Endpoints.Count -lt 1}

    Return $dtmpro

function global:Get-AzSMOldNetworkCaptures {

        List old Network Watcher packet captures in a subscription.
        List old Network Watcher packet captures in a subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Set to the number of days to scan back for old captures.
        Default is 7 days old.
        Get-AzSMOldNetworkCaptures -SubscriptionID 00000000-0000-0000-0000-000000000000 -Days 31
        Get Network Watcher packet captures ran more than 31 days ago.
        *CANNOT be piped to Remove-AzureRmNetworkWatcherPacketCapture.
        Does not return the .cap files that may be saved in storage.


        [Parameter(Mandatory=$true)][string] $SubscriptionID,
        [Parameter(Mandatory=$false)][int] $Days = 7

    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null
    Write-Debug "Subscription ID: $SubscriptionID"

    $oldcaptures=Get-AzureRmNetworkWatcher|Get-AzureRmNetworkWatcherPacketCapture|Where-Object{$_.PacketCaptureStatus -ne "Running" -and $_.CaptureStartTime -lt (Get-Date).AddDays(-$Days) }

    Return $oldcaptures
function global:Get-AzSMAllResources {

        List all unused resources that this module implements in a tenant and subscription.
        List all unused resources that this module implements in a tenant and subscription.
    .PARAMETER SubscriptionID
        Azure subscription ID in the format, 00000000-0000-0000-0000-000000000000
        Azure tenant ID in the format, 00000000-0000-0000-0000-000000000000
        Set to the number of days to scan back for old captures.
        Default is 365 days old.
        Various objects.
        Get-AzSMAllResources -Subscription 00000000-0000-0000-0000-000000000000 -Tenant 00000000-0000-0000-0000-000000000000
        Gets a list of all supported unused and old resources in a tenant/subscription combination.
        *CANNOT be piped to any Remove- Azure command.


        [Parameter(Mandatory=$true)][string] $SubscriptionID,
        [Parameter(Mandatory=$true)][string] $TenantID,
        [Parameter(Mandatory=$false)][int] $Days = 365

    Connect-AzureAD -TenantId $TenantID|Out-Null
    Select-AzureRmSubscription -Subscription $SubscriptionID|Out-Null

    Write-Debug "Tenant ID: $TenantID"
    Write-Debug "Subscription ID: $SubscriptionID"
    Write-Debug "Days: $Days"
    Write-Host "Ununsed NICs:" -ForegroundColor Cyan
    Get-AzSMUnusedNICs -Subscription $SubscriptionID
    Write-Host "Ununsed NSGs:" -ForegroundColor Cyan
    Get-AzSMUnusedNSGs -Subscription $SubscriptionID
    Write-Host "Ununsed PIPs:" -ForegroundColor Cyan
    Get-AzSMUnusedPIPs -Subscription $SubscriptionID
    Write-Host "Disabled Alerts(Classic):" -ForegroundColor Cyan
    Get-AzSMDisabledAlerts -Subscription $SubscriptionID
    Write-Host "Disabled Log Alerts:" -ForegroundColor Cyan
    Get-AzSMDisabledLogAlerts -Subscription $SubscriptionID
    Write-Host "Empty Resource Groups:" -ForegroundColor Cyan
    Get-AzSMEmptyResourceGroups -Subscription $SubscriptionID
    Write-Host "Ununsed Alert Groups:" -ForegroundColor Cyan
    Get-AzSMUnusedAlertActionGroups -Subscription $SubscriptionID
    Write-Host "Ununsed Route Tables:" -ForegroundColor Cyan
    Get-AzSMUnusedRouteTables -Subscription $SubscriptionID
    Write-Host "VNets without Subnets:" -ForegroundColor Cyan
    Get-AzSMVNetsWithoutSubnets -Subscription $SubscriptionID
    Write-Host "Old Deployments older than $Days days:" -ForegroundColor Cyan
    Get-AzSMOldDeployments -Subscription $SubscriptionID
    Write-Host "Ununsed Disks:" -ForegroundColor Cyan
    Get-AzSMUnusedDisks -Subscription $SubscriptionID
    Write-Host "Empty AAD Groups:" -ForegroundColor Cyan
    Get-AzSMEmptyAADGroups -Subscription -TenantId $TenantID
    Write-Host "Disabled Logic Apps:" -ForegroundColor Cyan
    Get-AzSMDisabledLogicApps -Subscription $SubscriptionID
    Write-Host "Old Snapshots older than $Days days:" -ForegroundColor Cyan
    Get-AzSMOldSnapshots -Subscription $SubscriptionID
    Write-Host "ILBs with no backend pools:" -ForegroundColor Cyan
    Get-AzSMIlbNoBackendPool -Subscription $SubscriptionID

    Write-Host "Disabled TrafficManager Profiles:" -ForegroundColor Cyan
    Get-AzSMDisabledTrafficManagerProfiles -Subscription $SubscriptionID
    Write-Host "TrafficManager Profiles With No Endpoints:" -ForegroundColor Cyan
    Get-AzSMTrafficManagerProfilesWithNoEndpoints -Subscription $SubscriptionID

    Write-Host "Old Network Watcher packet captures" -ForegroundColor Cyan
    Get-AzSMOldNetworkCaptures -SubscriptionID $SubscriptionID