Deleting an Application's AppRole in Azure Active Directory

Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error

Property value cannot be deleted unless it is disabled first.

When I set the isEnabled property to false and then hit save, I get a successful save with a 200 OK looking at the browser's developer tools:

Before

After reloading the Edit manifest screen the isEnabled property is still true, and if you look at the PUT response in the browser's developer tools, it's coming back as true there too.

After

How can I remove an appRole without having to delete and recreate the entire application?

Update

I've raised the following bug.

Muhammad Rehan Saeed asked Apr 20 '17 10:04

2 Answers

To delete the application role:

  1. Go to the application's Manifest.
  2. For the app role you want to delete, change the value of isEnabled to false.
  3. Save the manifest.
  4. Delete that app role.
  5. Save it again.
Rajat Negi answered Sep 20 '22 17:09

Until this gets fixed, there are two options to work around this issue:

  1. Using Azure AD PowerShell, you can disable and then remove the app role. Here's a sample script that would achieve this:

    $appId = "83d7d56d-6e64-4791-b8e8-9a8da8dd957e"
    $appRoleValue = "app-role-value" # i.e. the scope
    
    Connect-AzureAD
    
    # Disable the AppRole. Set-AzureADApplication replaces the whole AppRoles
    # collection, so the full list is written back with one role flipped.
    $app = Get-AzureADApplication -Filter "appId eq '$appId'"
    ($app.AppRoles | Where-Object { $_.Value -eq $appRoleValue }).IsEnabled = $false
    Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $app.AppRoles
    
    # Remove the AppRole: drop the now-disabled entry from the local list and
    # write the remaining roles back.
    $toRemove = $app.AppRoles | Where-Object { $_.Value -eq $appRoleValue }
    $app.AppRoles.Remove($toRemove) | Out-Null
    Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $app.AppRoles
    
  2. An alternative option is to use the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role's isEnabled attribute to false. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).

Philippe Signoret answered Sep 20 '22 17:09
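The two-PATCH sequence from option 2 above, scripted with Invoke-RestMethod instead of clicking through Graph Explorer. This is an added example, not code from either answer. It assumes the Microsoft Graph `applications` endpoint (the successor of the Azure AD Graph endpoint the answer names; the Azure AD Graph URL shape differs), a bearer token with permission to update applications passed as $Token, and the application's object id (not its appId) passed as $ObjectId. The parameter names are this example's own. It also adds the check a practitioner wants here: it re-reads the object and refuses to send the removal PATCH until the service actually reports isEnabled = false, since the question above shows the portal returning 200 OK while the value silently stayed true.

```powershell
# Added example: disable an appRole, verify it is disabled, then remove it via Graph.
# Assumptions (not from the original page): Microsoft Graph v1.0 applications endpoint,
# $Token is a valid bearer token, $ObjectId is the application object id.
param(
    [Parameter(Mandatory)] [string] $Token,
    [Parameter(Mandatory)] [string] $ObjectId,
    [Parameter(Mandatory)] [string] $AppRoleValue
)

$uri     = "https://graph.microsoft.com/v1.0/applications/$ObjectId"
$headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }

# appRoles is replaced as a whole on PATCH, so always start from the full current list.
$app    = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
$roles  = @($app.appRoles)
$target = $roles | Where-Object { $_.value -eq $AppRoleValue }
if (-not $target) {
    throw "No appRole with value '$AppRoleValue' on application $ObjectId"
}

# PATCH 1: flip isEnabled on the target role only; every other role is sent unchanged.
$target.isEnabled = $false
Invoke-RestMethod -Method Patch -Uri $uri -Headers $headers `
    -Body (ConvertTo-Json -InputObject @{ appRoles = $roles } -Depth 5)

# Verify the change was persisted before attempting the delete. A 200 OK on the
# first PATCH is not proof: the question above shows the value reverting to true.
$check = (Invoke-RestMethod -Method Get -Uri $uri -Headers $headers).appRoles |
    Where-Object { $_.value -eq $AppRoleValue }
if ($null -eq $check -or $check.isEnabled) {
    throw "appRole '$AppRoleValue' is missing or still enabled; not removing it"
}

# PATCH 2: send every role except the disabled one. With a single remaining role
# -InputObject keeps the array shape; an empty list serialises as [].
$remaining = @($roles | Where-Object { $_.value -ne $AppRoleValue })
Invoke-RestMethod -Method Patch -Uri $uri -Headers $headers `
    -Body (ConvertTo-Json -InputObject @{ appRoles = $remaining } -Depth 5)

Write-Host "Removed appRole '$AppRoleValue' from application $ObjectId"
```

Run it as `.\Remove-AppRole.ps1 -Token $token -ObjectId <application object id> -AppRoleValue app-role-value`. Matching on `value` rather than `id` mirrors the PowerShell answer; if two roles share a value, match on `id` instead so the wrong role is never disabled.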