Remove-SPTrustedIdentityTokenIssuer : The trusted login provider is in use and cannot be deleted


I have a post about the Migration from Windows to ADFS which utilizes the creation of the -UseDefaultConfiguration switch. A few days ago, I created a Trusted Identity Provider with -UseDefaultConfiguration. I did not need it in my test farm anymore, so it was time to delete it.

This failed with this exception:

PS C:\windows\system32> Remove-SPTrustedIdentityTokenIssuer foo

Remove-SPTrustedIdentityTokenIssuer : The trusted login provider is in use and cannot be deleted.

At line:1 char:1

+ Remove-SPTrustedIdentityTokenIssuer foo

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidData: (Microsoft.Share...dentityProvider:SPCmdletRemoveSPIdentityProvider) [Remove-SPTrustedIdentityTok

enIssuer], InvalidOperationException

+ FullyQualifiedErrorId : Microsoft.SharePoint.PowerShell.SPCmdletRemoveSPIdentityProvider


Only Two Checks

There are only two reasons this exception is tossed when trying to remove the Trusted Identity Token Issuer.

  1. Use in the web application authentication providers
  2. Claim Provider with the same name as your Trusted Identity Token Issuer

The first is the obvious choice to check since the Trusted Identity Token Issuer cannot be deleted if used by a web application. If you have numerous web applications with many zones to check, this can take a long time. The PowerShell script below numerates all the web applications and their zones to display the authentications that are enabled in those zones.


#Use this to enumerate all authentication providers in use for every zone for every web application

#author: adamsor


$log = "C:\logs\authproviders.txt"

$wa = Get-SPWebApplication

foreach($webapp in $wa)


$aams = $webapp.alternateurls

foreach($aam in $aams)


Write-host $webapp.url $ -ForegroundColor DarkGreen

$url = $webapp.Url

$zone = $aam.Zone

"$url $zone" | out-file $log -Append -noclobber

Get-SPAuthenticationProvider -WebApplication $webapp -Zone $

Get-SPAuthenticationProvider -WebApplication $webapp -Zone $ | Out-File $log -Append -noclobber





Example of the output:

I checked the authentication providers. I have ADFSAdamsor in use and you can see the web application URL and zone at the top. Any that would come up we would just remove the that zone from using the Trusted Identity Token Issuer.


Claim Provider

The second check for Remove-SPTrustedIdentityTokenIssuer is Claim Providers that have the same name as the Trusted Identity Token Issuer.

Get-SPClaimProvider will display all the claim providers installed on the farm.

As the screenshot above shows, I have the claim provider that was created with -UseDefaultConfiguration. I was able to remove the claim provider then removed the Trusted Identity Token Issuer.

Remove-SPClaimProvider <NAME>

Remove-SPTrustedIdentityTokenIssuer <NAME>

Comments (1)

Skip to main content