Deleting an Application's AppRole in Azure Active Directory


Problem description

Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error

Property value cannot be deleted unless it is disabled first.

When I set the isEnabled property to false and then hit save, I get a successful save with a 200 OK looking at the browser's developer tools:

After reloading the Edit manifest screen the isEnabled property is still true and if you look at the PUT response in the browser's developer tools, it's coming back as true there too.

How can I remove an appRole without having to delete and recreate the entire application?

Recommended answer

Until this gets fixed, there are two options to work around this issue:

  1. Using Azure AD PowerShell, you can disable and then remove the app role. Here's a sample script that would achieve this:

$appId = "83d7d56d-6e64-4791-b8e8-9a8da8dd957e"
$appRoleValue = "app-role-value" # i.e. the scope

Connect-AzureAD

# Disable the AppRole
$app = Get-AzureADApplication -Filter "appId eq '$appId'"
($app.AppRoles | Where-Object { $_.Value -eq $appRoleValue }).IsEnabled = $false
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $app.AppRoles

# Remove the AppRole
$toRemove = $app.AppRoles | Where-Object { $_.Value -eq $appRoleValue }
$app.AppRoles.Remove($toRemove) | Out-Null
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $app.AppRoles

  2. An alternative option is to use the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role's isEnabled attribute to false. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).
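
The two PATCH bodies described in the second option can be built as follows. This is an added example, not code from the original answer; the function name `New-AppRoleRemovalBody` and the sample roles are hypothetical, and sending the requests is left to Graph Explorer or another HTTP client.

```powershell
# Added example (not from the original answer). Builds the JSON bodies for the
# two PATCH requests; each body carries the complete appRoles collection.
function New-AppRoleRemovalBody {
    param(
        [Parameter(Mandatory)] [object[]] $AppRoles,  # current appRoles of the application
        [Parameter(Mandatory)] [string]   $Value      # value of the role to remove
    )

    # Refuse to continue on a typo or an ambiguous match.
    $target = @($AppRoles | Where-Object { $_.value -eq $Value })
    if ($target.Count -ne 1) {
        throw "Expected exactly one app role with value '$Value', found $($target.Count)."
    }

    # Request 1: every role is kept, only the target is disabled.
    $disabled = @($AppRoles | ForEach-Object {
        $copy = $_ | Select-Object *      # shallow copy, the input stays untouched
        if ($copy.value -eq $Value) { $copy.isEnabled = $false }
        $copy
    })

    # Request 2: every role except the (now disabled) target.
    $remaining = @($AppRoles | Where-Object { $_.value -ne $Value })

    [pscustomobject]@{
        DisableBody = ConvertTo-Json -InputObject @{ appRoles = $disabled }  -Depth 5
        RemoveBody  = ConvertTo-Json -InputObject @{ appRoles = $remaining } -Depth 5
    }
}

# Constructed sample manifest fragment (ids and names are made up).
$manifest = @'
{ "appRoles": [
  { "id": "00000000-0000-0000-0000-000000000001", "value": "app-role-value",
    "displayName": "Example role", "description": "Role to remove",
    "allowedMemberTypes": ["User"], "isEnabled": true },
  { "id": "00000000-0000-0000-0000-000000000002", "value": "reader",
    "displayName": "Reader", "description": "Role to keep",
    "allowedMemberTypes": ["User"], "isEnabled": true }
] }
'@ | ConvertFrom-Json

$bodies = New-AppRoleRemovalBody -AppRoles $manifest.appRoles -Value 'app-role-value'
$bodies.DisableBody   # body of the first PATCH
$bodies.RemoveBody    # body of the second PATCH
```

Roles left out of either body are dropped from the application, which is why both bodies are derived from the full current collection.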
