Clever Geek Handbook

Removing AppRole App in Azure Active Directory

Removing AppRole from Application Manifest raises 400 Bad Request with error

The property value cannot be removed unless it is disabled first.

When I set the isEnabled property to false and then remove save, I get a successful 200 OK shroud, looking at the browser developer tools:

Before

After reloading the Edit Manifest screen, the property isEnabled

is still there true

, and if you look at the PUT response in the browser developer tools, it reappears as true

.

After

How can I remove the appRole without having to delete and re-create the entire application?

Update

I added the following bug .

+4


source to share


4 answers


Until this is fixed, there are two possibilities for solving this problem:



  • Using Azure AD PowerShell, you can disable and then remove the application role. Here's a sample script that will achieve this:

    $appId = "83d7d56d-6e64-4791-b8e8-9a8da8dd957e"
$appRoleValue = "app-role-value" # i.e. the scope

Connect-AzureAD

# Disable the AppRole
$app = Get-AzureADApplication -Filter "appId eq '$appId'"
($app.AppRoles | Where-Object { $_.Value -eq $appRoleValue }).IsEnabled = $false
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $app.AppRoles

# Remove the AppRole
$toRemove = $app.AppRoles | Where-Object { $_.Value -eq $appRoleValue }
$app.AppRoles.Remove($toRemove) | Out-Null
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $app.AppRoles

  • An alternative is to use the Azure AD Graph Explorer and issue two PATCH

    requests to the Application object. The first PATCH

    request is to set the application role attribute isEnabled

    to false

    . The second request PATCH

    can remove the application role (i.e. enable all existing application roles except the disabled one).

+2


source


This bug has been fixed. All you have to do is set it isEnabled

to false and save. Then you can delete the role and save again. No workaround required.



+4


source


There seems to be a bug in the new portal. The save operation does not store isEnabled

false on the server side. Any feedback you can send to here .

Currently, you can use the classic Azure AD portal to change the application roles in the manifest (upload the manifest and then upload the manifest that was changed). Removing an application role in classic portal works great in my environment. Please let me know if this helps.

+2


source


To remove an application role:

  1. Go to the application manifest.
  2. Change the role of the application you want to remove isEnabled

    to false.
  3. Save the manifest.
  4. Delete what matches.
  5. Save it again.
0


source






More articles:


All Articles