1

In an Azure AD application, we are giving permissions to the application and running our app. It gives proper data. After doing this we remove all permissions, and even then we do not get an unauthorized error. What is the issue with Azure AD permissions? Is there a cache issue which we have to clear?

S. Deshmukh
  • 314
  • 4
  • 19
  • 1
    Possible duplicate of [azure app registration remove permissions](https://stackoverflow.com/questions/44901065/azure-app-registration-remove-permissions) – SunnySun Aug 03 '18 at 05:50

2 Answers

2

I don't know how you revoked the permission for your application but I assume you used the Azure Portal. The most likely reason is that you forgot to hit the Grant permissions button:

Martin Brandl
  • 56,134
  • 13
  • 133
  • 172
  • 1
    And the reason the app can still make calls using the permission is that only the requirement was removed. The grant still exists. Granted permissions are not revoked even if the requirement is removed, the same way permissions are not granted when a requirement is added. Application permissions are implemented as roles that the service principal gets. In this case the SP still has the role, so it has access. – juunas Aug 03 '18 at 06:32
  • Thank you for your reply. We are using the Azure portal for permissions. Thank you very much, but is there any way to remove permissions from the application? – S. Deshmukh Aug 03 '18 at 18:07
0

Revoking a permission isn’t currently available through the Portal. When you apply a permission, a link is created between the application and service principal.

There are two types of permission grants between Applications and Service Principals.

Application grants are represented by AppRoleAssignments. These can be seen by using the Graph API to get them for a particular Service Principal. Once you know the principal id for the permission you want to delete, you can remove it by sending a delete request to the delete endpoint.

Delegated permissions are represented by OAuth2PermissionGrants. Similar to AppRoleAssignments, there is a get method and a delete method.

Let me know if I need to make anything clearer or can help.

Pete Philters
  • 869
  • 5
  • 12
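
The cleanup described in the answers above, as an added example (not code from either answer): it compares the app registration's remaining `requiredResourceAccess` with the service principal's `appRoleAssignments` and deletes the application grants left behind. It assumes the Microsoft Graph v1.0 endpoints; `send`, `fake_send` and every id are hypothetical, constructed stand-ins so the block runs offline.

```python
GRAPH = "https://graph.microsoft.com/v1.0"  # assumption: Microsoft Graph v1.0

def list_all(send, url):
    """Collect every item of a collection, following @odata.nextLink paging."""
    items = []
    while url:
        page = send("GET", url)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items

def orphaned_role_grants(send, app_object_id, sp_object_id):
    """appRoleAssignments still held for roles the app no longer requires."""
    app = send("GET", f"{GRAPH}/applications/{app_object_id}")
    required = {access["id"]
                for resource in app.get("requiredResourceAccess", [])
                for access in resource["resourceAccess"]
                if access["type"] == "Role"}
    granted = list_all(send, f"{GRAPH}/servicePrincipals/{sp_object_id}/appRoleAssignments")
    return [g for g in granted if g["appRoleId"] not in required]

def revoke(send, sp_object_id, grants):
    """Send one DELETE per grant and return the URLs that were deleted."""
    base = f"{GRAPH}/servicePrincipals/{sp_object_id}/appRoleAssignments"
    urls = [f"{base}/{g['id']}" for g in grants]
    for url in urls:
        send("DELETE", url)
    return urls

# Constructed responses standing in for a tenant; every id is a placeholder.
APP_ID, SP_ID = "app-object-id", "sp-object-id"
FAKE = {
    f"{GRAPH}/applications/{APP_ID}": {"requiredResourceAccess": [
        {"resourceAccess": [{"id": "role-kept", "type": "Role"}]}]},
    f"{GRAPH}/servicePrincipals/{SP_ID}/appRoleAssignments": {
        "value": [{"id": "asg-1", "appRoleId": "role-kept"}],
        "@odata.nextLink": "page-2"},
    "page-2": {"value": [{"id": "asg-2", "appRoleId": "role-removed"}]},
}
CALLS = []

def fake_send(method, url):
    """Hypothetical offline transport; swap in an authenticated HTTP client."""
    CALLS.append((method, url))
    return FAKE[url] if method == "GET" else None

if __name__ == "__main__":
    stale = orphaned_role_grants(fake_send, APP_ID, SP_ID)
    print([g["id"] for g in stale], revoke(fake_send, SP_ID, stale))
```

Delegated grants live in the separate `oauth2PermissionGrants` collection and are not covered by this block.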