Azure AD - Deleting an AppRoleAssignment didn't disable the application
Problem description
I'm working on a service which should be able to disable a user's app. That means for a specific Office account, disable a specific application that authenticates against Azure AD.
In order to test my service I subscribed to 2 Office 365 E1 accounts and an Azure trial.
For testing disabling of an app, I downloaded Nine on one of my mobile devices and connected with my Office 365 account.
Then I queried the Azure Graph API with the following REST requests:
GET <BASE>/users
And extracted my user's ID, which I will denote as [user-id]
(BASE = https://graph.windows.net/[tenant-id]/)
(All my URLs end with api-version=1.6)
GET <BASE>/servicePrincipals
And extracted the Service Principal's ID for the one that had appDisplayName: "Nine for office 365", which I will denote as [principle]
GET <BASE>/servicePrincipals/[principle]/appRoleAssignedTo
And received:
{
  "odata.metadata": "https://graph.windows.net/[removed]/$metadata#directoryObjects/Microsoft.DirectoryServices.AppRoleAssignment",
  "value": [
    {
      "odata.type": "Microsoft.DirectoryServices.AppRoleAssignment",
      "objectType": "AppRoleAssignment",
      "objectId": "[AppRoleAssignmentId]",
      "deletionTimestamp": null,
      "creationTimestamp": "2017-01-01T17:04:45.1033993Z",
      "id": "00000000-0000-0000-0000-000000000000",
      "principalDisplayName": "Tom",
      "principalId": "[removed]",
      "principalType": "User",
      "resourceDisplayName": "Nine for Office 365",
      "resourceId": "[principle]"
    }
  ]
}
And lastly -
DELETE <BASE>/users/[user-id]/appRoleAssignments/[AppRoleAssignmentId]
And received 204 as the response code.
I queried again for the appRoleAssignment (as I did in section 3) and the one I deleted was actually removed, but Nine could still sync with the server and receive new messages. What am I missing?
The AppRoleAssignment is used to record when a user or group is assigned to an application. Deleting this record will not disable the application. For more detail about this entity, you can refer here.
And to disable the application, I have answered in this thread. Please feel free to let me know whether you still have the problem.
Update (the option to enable user assignment)
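To make the answer concrete, here is an added Python example (not code from the question, the answer, or Microsoft): it walks the same api-version=1.6 calls offline against constructed sample responses and reports whether the DELETE can actually block the app, which depends on the service principal's appRoleAssignmentRequired property (a real Azure AD Graph property; that it is the "user assignment" option the answer refers to is my assumption). The tenant, user and object ids are placeholders.

```python
"""Offline walk-through of the Azure AD Graph (api-version=1.6) calls from the
question, plus the check that explains why the DELETE did not block the app.
Sample responses are constructed; all ids are placeholders."""
import json

API_VERSION = "api-version=1.6"


def base_url(tenant_id):
    return f"https://graph.windows.net/{tenant_id}/"


def find_service_principal(service_principals, app_display_name):
    """Pick the servicePrincipal whose appDisplayName matches (GET <BASE>/servicePrincipals)."""
    for sp in service_principals:
        if sp.get("appDisplayName", "").lower() == app_display_name.lower():
            return sp
    return None


def assignment_ids_for_user(app_role_assigned_to, user_id):
    """From GET .../servicePrincipals/[principle]/appRoleAssignedTo, keep the
    AppRoleAssignment objectIds that belong to the given user."""
    return [a["objectId"] for a in app_role_assigned_to.get("value", [])
            if a.get("principalType") == "User" and a.get("principalId") == user_id]


def plan_revocation(tenant_id, sp, app_role_assigned_to, user_id):
    """Build the DELETE requests from the question and say whether they can block
    sign-in: Azure AD only enforces assignments when the service principal has
    appRoleAssignmentRequired set to true (assumption: this is the 'user
    assignment' option the answer points to)."""
    base = base_url(tenant_id)
    deletes = [f"{base}users/{user_id}/appRoleAssignments/{aid}?{API_VERSION}"
               for aid in assignment_ids_for_user(app_role_assigned_to, user_id)]
    return {"delete_urls": deletes,
            "effective": bool(sp.get("appRoleAssignmentRequired"))}


# Constructed sample mirroring the JSON shown in the question.
SAMPLE_SP = {"objectId": "sp-placeholder", "appDisplayName": "Nine for Office 365",
             "appRoleAssignmentRequired": False}
SAMPLE_ASSIGNED_TO = json.loads("""{"value": [{
  "objectType": "AppRoleAssignment", "objectId": "ara-placeholder",
  "id": "00000000-0000-0000-0000-000000000000",
  "principalDisplayName": "Tom", "principalId": "user-placeholder",
  "principalType": "User", "resourceDisplayName": "Nine for Office 365",
  "resourceId": "sp-placeholder"}]}""")

if __name__ == "__main__":
    print(json.dumps(plan_revocation("tenant-placeholder", SAMPLE_SP,
                                     SAMPLE_ASSIGNED_TO, "user-placeholder"), indent=2))
```

With the sample service principal the plan comes back with the expected DELETE URL but effective=False, which is exactly the situation in the question: the assignment record is gone, yet nothing stops the app from signing the user in.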