Azure AD-禁用客户端的应用程序 [英] Azure AD - disable a client's application

问题描述

我想创建一个可以拒绝/撤消对用户的移动邮件应用程序的访问的服务.

I want to create a service that can deny\revoke access to a user's mobile mail application.

具体来说，我想使用 office365 在线交换邮件临时撤消对移动邮件客户端应用(如Nine)的访问权限，已被身份验证为 Azure Active Directory 应用程序.

To be specific, I want to temporarily revoke access to a mobile mail client app (like Nine) using office365 online exchange mail, which is authenticated as an Azure Active Directory application.

到目前为止，我已经知道如何执行类似或部分操作:

So far I figured out how to do similar or partial actions:

• 我可以使用以下链接手动撤消Azure AD应用程序:

• I can manually revoke azure AD apps using this link: https://account.activedirectory.windowsazure.com/applications/default.aspx

但是我没有找到用于管理Azure应用程序的 API .

But I didn't find an API for managing azure applications.

我通读了"Azure AD Graph API参考"，但找不到删除，更新用户详细信息甚至重设密码的任何方法.

I read through the 'Azure AD Graph API reference', but didn't find any way to delete, update a user's details or even to reset its password.

我还查看了office 365 API目录，其中大多数API用于处理用户的联系人，日历，邮件等，但没有用于管理用户的API. https://msdn.microsoft.com/office/office365/api/api-目录

I also looked at the office 365 API catalog, in which most of the APIs are for handling the user's contacts, calendar, mails etc... but no API for manging users. https://msdn.microsoft.com/office/office365/api/api-catalog

我应该使用哪个API来处理 outlook/AD用户或他们的授权应用?

Which API should I use in order to handle outlook/AD users or their authorized applications?

推荐答案

如果要禁用通过OAuth 2.0与Azure AD集成的应用程序，我们可以通过新门户禁用它，如下图所示:

If you want to disable the application which integrate with Azure AD through OAuth 2.0, we can disable it as figure below through the new portal:

切换您的Azure活动目录->所有应用程序->选择要管理的应用程序->属性->将选项已为用户登录启用设置为否 >.

Switch your Azure active directory->All applicaitons->Select the application you want to manage->Properties->Set the option Enabled for users sign-in to NO.

我们还可以使用Azure AD Graph更改此选项.这是示例请求供您参考.而其余的则需要Directory.AccessAsUser.All的许可，我们需要注册一个应用并将该许可分配给该应用，然后使用 admin 帐户登录.

We can also use the Azure AD Graph to change this option. Here is the sample request for your reference. And this rest require the permission of Directory.AccessAsUser.All, we need to register an app and assign this permission to the app and login-in with the admin account.

PATH: https://graph.windows.net/{tenantId}/servicePrincipals/{servicePrincipalId}?api-version=1.6
authorization: bearer {access_token}

{
     "accountEnabled":false
}

这篇关于Azure AD-禁用客户端的应用程序的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！