Deleting an Application's AppRole in Azure Active Directory
K

7

13

Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error

Property value cannot be deleted unless it is disabled first.

When I set the isEnabled property to false and then hit save, I get a successful save with a 200 OK, looking at the browser's developer tools:

Before

After reloading the Edit manifest screen, the isEnabled property is still true, and if you look at the PUT response in the browser's developer tools, it's coming back as true there too.

After

How can I remove an appRole without having to delete and recreate the entire application?

Update

I've raised the following bug.

Kenyettakenyon answered 20/4, 2017 at 10:35 Comment(0)
C
3

Until this gets fixed, there are two options to work around this issue:

  1. Using Azure AD PowerShell, you can disable and then remove the app role. Here's a sample script that would achieve this:

    $appId = "83d7d56d-6e64-4791-b8e8-9a8da8dd957e"
    $appRoleValue = "app-role-value" # i.e. the scope
    
    Connect-AzureAD
    
    # Disable the AppRole
    $app = Get-AzureADApplication -Filter "appId eq '$appId'"
    ($app.AppRoles | Where-Object { $_.Value -eq $appRoleValue }).IsEnabled = $false
    Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $app.AppRoles
    
    # Remove the AppRole
    $toRemove = $app.AppRoles | Where-Object { $_.Value -eq $appRoleValue }
    $app.AppRoles.Remove($toRemove) | Out-Null
    Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $app.AppRoles
    
  2. An alternative option is to use the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role's isEnabled attribute to false. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).

Comptom answered 1/12, 2017 at 14:5 Comment(0)
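
The two PATCH bodies from option 2, sketched in Python as an added example (not part of the original answer). The sample roles and their ids are constructed, `check_update` is only a local model of the rule behind the error message (not the service's code), and sending the complete appRoles collection in each PATCH is an assumption.

```python
import copy
import json

# Constructed sample of an application's appRoles collection (ids are made up,
# and real entries carry more properties than shown here).
SAMPLE_ROLES = [
    {"id": "00000000-0000-0000-0000-000000000001", "value": "reader",
     "displayName": "Reader", "isEnabled": True},
    {"id": "00000000-0000-0000-0000-000000000002", "value": "app-role-value",
     "displayName": "Legacy role", "isEnabled": True},
]

DELETE_ERROR = "Property value cannot be deleted unless it is disabled first."


def check_update(current, proposed):
    """Local model of the rule behind the 400: an enabled role may not vanish."""
    kept = {role["id"] for role in proposed}
    for role in current:
        if role["isEnabled"] and role["id"] not in kept:
            return DELETE_ERROR
    return None


def build_removal_patches(app_roles, role_value):
    """Return the two PATCH bodies: first disable the role, then omit it."""
    targets = [r for r in app_roles if r["value"] == role_value]
    if len(targets) != 1:
        raise ValueError(
            f"expected exactly one role {role_value!r}, found {len(targets)}")
    # Work on a copy so the caller's view of the current state is untouched.
    disabled = copy.deepcopy(app_roles)
    for role in disabled:
        if role["value"] == role_value:
            role["isEnabled"] = False
    # Second body: every existing role except the one just disabled.
    remaining = [r for r in disabled if r["value"] != role_value]
    return {"appRoles": disabled}, {"appRoles": remaining}


if __name__ == "__main__":
    first, second = build_removal_patches(SAMPLE_ROLES, "app-role-value")
    print("PATCH 1:", json.dumps(first, indent=2))
    print("PATCH 2:", json.dumps(second, indent=2))
```

Sending the second body while the role is still enabled is the case the error message describes; sending it after the first has been applied is not.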
V
19

This bug is fixed now. All you have to do is set isEnabled to false and save. Then you can delete the role and save again. A workaround is not necessary.

Venial answered 30/10, 2018 at 21:9 Comment(1)
Tried this simple solution also, out of curiosity, and it works perfectly. - Trike
E
8

To Delete the Application Role:

  1. Go to the application Manifest.
  2. For the App Role you want to delete, change the value of isEnabled to false.
  3. Save the manifest.
  4. Delete that app role.
  5. Save it again.
Eastereasterday answered 5/7, 2019 at 9:26 Comment(1)
Note: This is only true post the Bug Fix mentioned by @JohnHenckel - Tipple
U
3

It seems to be a bug in the new portal. The save operation doesn't save isEnabled to false on the server side. Any feedback, you could post here.

Currently, you could use the Azure AD classic portal to modify the app roles in the manifest (download the manifest and then upload the changed manifest). Deleting app roles in the classic portal works fine in my environment. Please let me know if it helps.

Unstoppable answered 21/4, 2017 at 2:4 Comment(3)
I've raised the following bug. - Kenyettakenyon
Annoyingly, I don't have access to the classic Azure portal. Is there some other way I can work around this bug? Is there any planned fix for it? - Kenyettakenyon
I will check whether the Graph API works, but currently it seems only the classic portal could make it work without API/PowerShell. - Unstoppable
T
0

I have had the same error message, "Property value cannot be deleted unless it is disabled first.", because I had created the scope on one page and tried to add it manually in the Manifest on another web page. Little did I know the manifest was updated automatically and I just needed to reload it.

Thoroughwort answered 11/5, 2020 at 10:2 Comment(0)
G
0

You cannot delete assigned roles which are enabled. You first have to set the isEnabled flag to false for the roles which you want to delete, like this: "isEnabled": false, and save the manifest. Now try to delete the whole appRoles part.

This is a two-step process but works.

Geaghan answered 2/7, 2020 at 10:49 Comment(0)
B
0
  • Navigate to your Application

  • Go to App Roles

  • Click on the app role display name

  • Untick the checkbox to disable the Role

  • Go back to the manifest and make changes to the appRoles section as you need

  • Save and it should be updated

Bailly answered 17/6, 2022 at 11:31 Comment(2)
Welcome to Stack Overflow. Please read "How do I format my posts using Markdown or HTML?" - Peruse
@Peruse thanks 👍. I'll defo read that... - Bailly
