Deleting an Application's AppRole in Azure Active Directory

萝らか妹 submitted on 2019-12-22 05:59:56

Question


Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error

Property value cannot be deleted unless it is disabled first.

When I set the isEnabled property to false and then hit save, I get a successful save with a 200 OK looking at the browser's developer tools:

After reloading the Edit manifest screen the isEnabled property is still true, and if you look at the PUT response in the browser's developer tools, it's coming back as true there too.

How can I remove an appRole without having to delete and recreate the entire application?

Update

I've raised the following bug.


Answer 1:


Until this gets fixed, there two options to work around this issue:

  1. Using Azure AD PowerShell, you can disable and then remove the app role. Here's a sample script that would achieve this:

    $appId = "83d7d56d-6e64-4791-b8e8-9a8da8dd957e"
    $appRoleValue = "app-role-value" # i.e. the scope
    
    Connect-AzureAD
    
    # Disable the AppRole
    $app = Get-AzureADApplication -Filter "appId eq '$appId'"
    ($app.AppRoles | Where-Object { $_.Value -eq $appRoleValue }).IsEnabled = $false
    Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $app.AppRoles
    
    # Remove the AppRole
    $toRemove = $app.AppRoles | Where-Object { $_.Value -eq $appRoleValue }
    $app.AppRoles.Remove($toRemove) | Out-Null
    Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $app.AppRoles
    
  2. An alternative option is to use the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role's isEnabled attribute to false. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).
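The two-PATCH approach from option 2, scripted with Invoke-RestMethod against the Azure AD Graph endpoint rather than clicked through Graph Explorer (an added example, not code from the answer above). The tenant id, the Application's objectId (not its appId) and the bearer token are placeholders; Azure AD Graph has since been deprecated in favour of Microsoft Graph, where the same disable-then-omit pattern applies.

```powershell
# Assumed placeholders: replace before running.
$tenantId     = "<tenant-id>"
$objectId     = "<application-object-id>"
$accessToken  = "<bearer-token-for-graph.windows.net>"
$appRoleValue = "app-role-value"   # the 'value' of the role to remove

$uri     = "https://graph.windows.net/$tenantId/applications/$objectId?api-version=1.6"
$headers = @{ Authorization = "Bearer $accessToken" }

# appRoles is replaced as a whole by PATCH, so read the current list first and
# carry every other role through unchanged; omitting a role is what deletes it.
$app    = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
$roles  = @($app.appRoles)
$target = @($roles | Where-Object { $_.value -eq $appRoleValue })
if ($target.Count -ne 1) {
    throw "Expected exactly one app role with value '$appRoleValue', found $($target.Count)"
}

# PATCH 1: disable the role; the service rejects deleting a role that is still enabled.
$target[0].isEnabled = $false
$body1 = @{ appRoles = $roles } | ConvertTo-Json -Depth 5
Invoke-RestMethod -Method Patch -Uri $uri -Headers $headers -ContentType "application/json" -Body $body1 | Out-Null

# Re-read and confirm the disable persisted (the portal bug in the question is
# exactly this write silently not sticking) before attempting the delete.
$check = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
$still = @($check.appRoles | Where-Object { $_.value -eq $appRoleValue })
if ($still.Count -ne 1 -or $still[0].isEnabled) {
    throw "Role '$appRoleValue' is still enabled on the server; aborting delete"
}

# PATCH 2: send every role except the disabled one.
$remaining = @($check.appRoles | Where-Object { $_.value -ne $appRoleValue })
$body2 = @{ appRoles = $remaining } | ConvertTo-Json -Depth 5
Invoke-RestMethod -Method Patch -Uri $uri -Headers $headers -ContentType "application/json" -Body $body2 | Out-Null
```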




Answer 2:


This bug is fixed now. All you have to do is set isEnabled to false and save. Then you can delete the role and save again. A workaround is not necessary.




Answer 3:


It seems to be a bug in the new portal. The save operation doesn't save isEnabled to false on the server side. Any feedback, you could post to here.

Currently, you could use the Azure AD classic portal to modify the app roles in the manifest (download the manifest and then upload the changed manifest). Deleting app roles in the classic portal works fine in my environment. Please let me know if it helps.




Answer 4:


To delete the application role:

  1. Go to the application manifest.
  2. For the app role you want to delete, change the value of isEnabled to false.
  3. Save the manifest.
  4. Delete that app role.
  5. Save it again.


Source: https://stackoverflow.com/questions/43517110/deleting-an-applications-approle-in-azure-active-directory
