Azure AD-删除AppRoleAssignment不会禁用该应用程序 [英] Azure AD - Deleting an AppRoleAssignment didn't disable the application

查看:86
本文介绍了Azure AD-删除AppRoleAssignment不会禁用该应用程序的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我正在使用一项应能够禁用用户应用程序的服务。这意味着对于特定的办公室帐户,请禁用针对Azure AD进行身份验证的特定应用程序。



为了测试我的服务,我订阅了2个Office 365 E1帐户和一个Azure试用。



为了测试应用的禁用功能,我下载了


I'm working on a service which should be able to disable a user's app. That means for a specific office account, disable a specific application that authenticates against Azure AD.

In order to test my service I subscribed for 2 office 365 E1 accounts and an azure trial.

For testing disabling of an app, I downloaded Nine on one of my mobile devices and connected with my Office-365 account.

Then I queried the Azure Graph API with the following REST requests:

  1. GET <BASE>/users

    And extracted my user's ID which I will denote as [user-id]

    (BASE = https://graph.windows.net/[tenant-id]/)

    (All my urls ends with api-version=1.6)

  2. GET <BASE>/servicePrincipals

    And extracted the Service Principal's ID for the one that had appDisplayName: "Nine for office 365". Which I will denote with [principle]

  3. GET <BASE>/servicePrincipals/[principle]/appRoleAssignedTo

    And received:

    "odata.metadata":"https://graph.windows.net/[removed]/$metadata#directoryObjects/Microsoft.DirectoryServices.AppRoleAssignment", "value":[ { "odata.type":"Microsoft.DirectoryServices.AppRoleAssignment",
    "objectType":"AppRoleAssignment",
    "objectId":"[AppRoleAssignmentId]",
    "deletionTimestamp":null,
    "creationTimestamp":"2017-01-01T17:04:45.1033993Z",
    "id":"00000000-0000-0000-0000-000000000000",
    "principalDisplayName":"Tom",
    "principalId":"[removed]",
    "principalType":"User",
    "resourceDisplayName":"Nine for Office 365",
    "resourceId":"[principle]" },

  4. And lastly -

    DELETE <BASE>/users/[user-id]/appRoleAssignments/[AppRoleAssignmentId]

    And received 204 as response code.

I queried again for the appRoleAssignment (As I did in section 3) and the one I deleted was actually removed, but, Nine could still sync with server and receive new messages. What am I missing?

解决方案

The AppRoleAssignment is used to record when a user or group is assigned to an application. Delete this record will not disable the application. More detail about this entity, you can refer here.

And to disable the application, I have answered in this thread. Please feel free to let me know whether you still have the problem.

Update( the option to enable for users assignment)

这篇关于Azure AD-删除AppRoleAssignment不会禁用该应用程序的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆