Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error
Property value cannot be deleted unless it is disabled first.
When I set the isEnabled property to false and then hit save, I get a successful save with a 200 OK looking at the browser's developer tools:
After reloading the Edit manifest screen the isEnabled property is still true, and if you look at the PUT response in the browser's developer tools, it's coming back as true there too.
How can I remove an appRole without having to delete and recreate the entire application?
I've raised the following bug.
To Delete the Application Role:
isEnabled to false.
Until this gets fixed, there are two options to work around this issue:
Using Azure AD PowerShell, you can disable and then remove the app role. Here's a sample script that would achieve this:
$appId = "83d7d56d-6e64-4791-b8e8-9a8da8dd957e"
$appRoleValue = "app-role-value" # i.e. the scope
Connect-AzureAD
# Disable the AppRole
$app = Get-AzureADApplication -Filter "appId eq '$appId'"
($app.AppRoles | Where-Object { $_.Value -eq $appRoleValue }).IsEnabled = $false
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $app.AppRoles
# Remove the AppRole
$toRemove = $app.AppRoles | Where-Object { $_.Value -eq $appRoleValue }
$app.AppRoles.Remove($toRemove) | Out-Null
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $app.AppRoles
An alternative option is to use the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role's isEnabled attribute to false. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).
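The two PATCH bodies described above can be generated from the application's current appRoles, so that the first request changes only isEnabled on the target role and the second omits only that role. This is an added example, not part of the original answer: the function name New-AppRoleRemovalBodies is hypothetical, and the sample roles and their ids are constructed.

```powershell
# Added example. Builds the JSON bodies for the two PATCH requests, offline.
function New-AppRoleRemovalBodies {
    param(
        [Parameter(Mandatory)] [object[]] $AppRoles,
        [Parameter(Mandatory)] [string]   $RoleValue
    )

    # Refuse to continue unless exactly one role matches, so a typo
    # cannot silently drop nothing (or more than intended).
    $target = @($AppRoles | Where-Object { $_.value -eq $RoleValue })
    if ($target.Count -ne 1) {
        throw "Expected exactly one app role with value '$RoleValue', found $($target.Count)."
    }

    # Body 1: the full role list, with only the target role disabled.
    $disabled = foreach ($role in $AppRoles) {
        $copy = $role.PSObject.Copy()   # shallow copy; the input is left untouched
        if ($copy.value -eq $RoleValue) { $copy.isEnabled = $false }
        $copy
    }

    # Body 2: every existing role except the target one.
    $remaining = @($AppRoles | Where-Object { $_.value -ne $RoleValue })

    [pscustomobject]@{
        Disable = @{ appRoles = @($disabled) } | ConvertTo-Json -Depth 5
        Remove  = @{ appRoles = $remaining }   | ConvertTo-Json -Depth 5
    }
}

# Constructed sample: the appRoles section of an application object.
$sample = @'
{ "appRoles": [
  { "allowedMemberTypes": ["User"], "description": "Readers", "displayName": "Reader",
    "id": "00000000-0000-0000-0000-000000000001", "isEnabled": true, "value": "reader" },
  { "allowedMemberTypes": ["User"], "description": "Role to remove", "displayName": "Old role",
    "id": "00000000-0000-0000-0000-000000000002", "isEnabled": true, "value": "app-role-value" }
] }
'@ | ConvertFrom-Json

$bodies = New-AppRoleRemovalBodies -AppRoles $sample.appRoles -RoleValue 'app-role-value'
"First PATCH body (disable):";  $bodies.Disable
"Second PATCH body (remove):";  $bodies.Remove
```

Before sending the second request, review both bodies against the live manifest: any role missing from the appRoles array is removed along with the target.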