2

I have registered an App in AAD. Then in required permissions I added a lot of permissions for AAD and Office Graph. Then I removed all permissions but noticed my app kept working. Required Permissions is empty, but permissions still have all the permissions: Permissions

How can I remove all permissions from an App in AAD?

Thomas Segato

1 Answer

1

After removing the permission, we need to grant permission to make the change work. Here is a figure for your reference:

enter image description here

And we can confirm the permission is changed successfully by decoding the token from this site. You can see the roles or scope claim in the decoded token.

Fei Xue
  • 1
    Because I deleted the Microsoft Graph and AAD nodes I can't mark them. But I tried clicking the Grant permission button but it didn't change anything. Do I need to add the nodes again and remove all the permissions? – Thomas Segato Jul 04 '17 at 09:36
  • The last part worked. I recreated required permissions for AAD and Graph and removed all permissions from each node. Then it worked. Thanks for your help, it's highly appreciated! – Thomas Segato Jul 04 '17 at 09:39
  • Actually, there is no need to create the permissions and remove them. If you don't want to revoke the permission for the specific resource, you can just delete the resource and click the 'Grant Permission' button. And please ensure the permissions are granted successfully after you click that button. – Fei Xue Jul 04 '17 at 09:44
  • Ok, thanks. I tried removing the Graph API permissions and succeeded. I can see they are removed in the permissions too. But I am still allowed to access all groups in the AAD. Kind of weird. Anyway thanks for all your support! – Thomas Segato Jul 04 '17 at 10:03
  • 1
    After we re-grant the permission, it needs some time for the change to take effect. Please test it again after 10 minutes. – Fei Xue Jul 05 '17 at 06:34
  • 2
    I am having the same issue. Deleting the app does not remove its permissions. My calls are still working (even after the 10 min caching). This seems like a big security issue or UX bug... It seems that by default, applications have access to each other in the same Azure AD tenant... – Stephane May 17 '18 at 13:43
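
The check the answer describes (decode the access token and read its `roles` or `scp` claim), as an added example that is not part of the original answer or comments. It assumes an Azure AD access token where delegated permissions appear in `scp` as a space-separated string and application permissions in `roles` as a list; the function names are hypothetical and the sample tokens are constructed and unsigned.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. Inspection only: the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore the padding base64url strips
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_permissions(token: str) -> set:
    """Collect delegated scopes (scp, space-separated) and app roles (roles, list)."""
    claims = decode_claims(token)
    scopes = claims.get("scp", "").split()
    roles = claims.get("roles", [])
    return set(scopes) | set(roles)


def leftover_permissions(token: str, expected: set) -> set:
    """Permissions still present in the token that the app should no longer have."""
    return granted_permissions(token) - expected


def _make_sample(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real AAD token)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


# Constructed sample payloads; appid is a placeholder GUID.
STALE_TOKEN = _make_sample({"appid": "00000000-0000-0000-0000-000000000000",
                            "scp": "Group.Read.All User.Read",
                            "roles": ["Directory.Read.All"]})
CLEAN_TOKEN = _make_sample({"appid": "00000000-0000-0000-0000-000000000000"})

if __name__ == "__main__":
    for name, tok in (("stale", STALE_TOKEN), ("clean", CLEAN_TOKEN)):
        left = leftover_permissions(tok, expected=set())
        print(name, "->", sorted(left) if left else "no permissions in token")
```

Run it against a token requested after the grant change; a token issued before the change still carries the old claims until it expires.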