Azure AD-删除AppRoleAssignment不会禁用该应用程序 [英] Azure AD - Deleting an AppRoleAssignment didn't disable the application

问题描述

我正在使用一项应能够禁用用户应用程序的服务。这意味着对于特定的办公室帐户，请禁用针对Azure AD进行身份验证的特定应用程序。

为了测试我的服务，我订阅了2个Office 365 E1帐户和一个Azure试用。

为了测试应用的禁用功能，我下载了

I'm working on a service which should be able to disable a user's app. That means for a specific office account, disable a specific application that authenticates against Azure AD.

In order to test my service I subscribed for 2 office 365 E1 accounts and an azure trial.

For testing disabling of an app, I downloaded Nine on one of my mobile devices and connected with my Office-365 account.

Then I queried the Azure Graph API with the following REST requests:

1. GET <BASE>/users

   And extracted my user's ID which I will denote as [user-id]

   (BASE = https://graph.windows.net/[tenant-id]/)

   (All my urls ends with api-version=1.6)

2. GET <BASE>/servicePrincipals

   And extracted the Service Principal's ID for the one that had appDisplayName: "Nine for office 365". Which I will denote with [principle]

3. GET <BASE>/servicePrincipals/[principle]/appRoleAssignedTo

   And received:

   "odata.metadata":"https://graph.windows.net/[removed]/$metadata#directoryObjects/Microsoft.DirectoryServices.AppRoleAssignment", "value":[ { "odata.type":"Microsoft.DirectoryServices.AppRoleAssignment",
   "objectType":"AppRoleAssignment",
   "objectId":"[AppRoleAssignmentId]",
   "deletionTimestamp":null,
   "creationTimestamp":"2017-01-01T17:04:45.1033993Z",
   "id":"00000000-0000-0000-0000-000000000000",
   "principalDisplayName":"Tom",
   "principalId":"[removed]",
   "principalType":"User",
   "resourceDisplayName":"Nine for Office 365",
   "resourceId":"[principle]" },

4. And lastly -

   DELETE <BASE>/users/[user-id]/appRoleAssignments/[AppRoleAssignmentId]

   And received 204 as response code.

I queried again for the appRoleAssignment (As I did in section 3) and the one I deleted was actually removed, but, Nine could still sync with server and receive new messages. What am I missing?

解决方案

The AppRoleAssignment is used to record when a user or group is assigned to an application. Delete this record will not disable the application. More detail about this entity, you can refer here.

And to disable the application, I have answered in this thread. Please feel free to let me know whether you still have the problem.

Update( the option to enable for users assignment)

这篇关于Azure AD-删除AppRoleAssignment不会禁用该应用程序的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！