Can't revoke permissions to read directory to application

  • Question

  • Hi,

    I have an active directory created in windows azure. I have created a cloud service application with vs 2013 using the wizard. After the wizard created the application entry in the main active directory, I have used the URL for granting access for the application on another active directory in azure (for multitenant application).  The permissions were granted in the other active directory. The issue I have is that after deleting the application in the main active directory, the application still appears in the tenant and using the windows azure web console doesn't allow me to revoke the permissions. I assume it fails loading the information of the application because the application no longer exists.

    After several tests I've ended up with multiple applications with the same name, and after deleting all the applications they are still listed in the tenants and I can't delete them.

    Is there a way to delete those entries in the active directories referencing the deleted applications?

    Thanks

    Wednesday, March 12, 2014 10:05 PM

Answers

  • Thanks Alvaro. You've hit on an issue that we don't fully support deletion of multi-tenant applications, in that we are not currently able to walk through all directories to find where an application is consented and remove it (we would have to do this as a background asynchronous job).

    That said, you should be able to manually delete the application from the consenting directory.  I'll follow up with the team.

    In the meantime (although a little painful) you can use Azure AD PowerShell to remove the application from the consenting directory. First connect to the directory using admin credentials (Connect-MsolService) and then list the set of applications using Get-MsolServicePrincipal. Look for the one you want to delete, and use Remove-MsolServicePrincipal.


    Dan Kershaw [msft]


    Wednesday, March 12, 2014 10:23 PM

All replies

  • Thanks for the answer. Could it be possible to have a link to a tutorial or example on how to run the commands? I'm not quite familiar with the Azure AD PowerShell (I don't want to mess up the configuration of the AD)

    Thanks

    Wednesday, March 12, 2014 10:37 PM
  • http://msdn.microsoft.com/en-us/library/windowsazure/jj151815.aspx

    All cmdlets should be fully documented online, and through get-help in the cmdlet itself.


    Dan Kershaw [msft]

    Wednesday, March 12, 2014 10:41 PM
  • Hi,

    These are the commands I've used in case some other person has the same issue:

        $msolcred = get-credential
        connect-msolservice -credential $msolcred

    Save the list of principals to a text file (for easy reading)

        get-msolserviceprincipal > C:\temp\serv_principal.txt

    Look at the DisplayName field for your old application, and below that look for the ObjectId. Then run the command

        Remove-MsolServicePrincipal -ObjectId <YourObjectId>

    And that's it

    Thanks

    Thursday, March 13, 2014 2:59 PM
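The steps in the post above, as an added example script (not code from the thread or from Microsoft). It wraps Get-MsolServicePrincipal and Remove-MsolServicePrincipal from the MSOnline module in a hypothetical function that also handles the case from the question where several orphaned entries share one DisplayName: it refuses to delete until an AppPrincipalId (the application's client ID) narrows the match to one entry, and it only reports unless -Force is given. The display name and client ID in the usage lines are placeholders.

```powershell
# Added example, not from the original thread. Assumes the MSOnline module is installed.
Import-Module MSOnline

function Remove-OrphanedServicePrincipal {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [string] $AppPrincipalId,   # optional: disambiguates entries with the same name
        [switch] $Force             # without -Force the function only reports what it would remove
    )
    # Enumerate every service principal in the consenting tenant and match the name exactly.
    $found = Get-MsolServicePrincipal -All |
        Where-Object { $_.DisplayName -eq $DisplayName }
    if ($AppPrincipalId) {
        $found = $found | Where-Object { $_.AppPrincipalId -eq $AppPrincipalId }
    }
    if (-not $found) {
        Write-Warning "No service principal named '$DisplayName' found in this tenant."
        return
    }
    # Several leftover entries with one name (the situation in the question): list them and
    # stop, so the caller can pick the right one by AppPrincipalId instead of guessing.
    if (@($found).Count -gt 1 -and -not $AppPrincipalId) {
        Write-Warning "Multiple entries share this DisplayName; rerun with -AppPrincipalId:"
        $found | Format-Table DisplayName, AppPrincipalId, ObjectId -AutoSize
        return
    }
    foreach ($sp in $found) {
        if ($Force) {
            Remove-MsolServicePrincipal -ObjectId $sp.ObjectId
            Write-Output "Removed '$($sp.DisplayName)' (ObjectId $($sp.ObjectId))"
        } else {
            Write-Output "Would remove '$($sp.DisplayName)' (ObjectId $($sp.ObjectId)); rerun with -Force"
        }
    }
}

# Sign in as an administrator of the consenting (tenant) directory, not the publisher directory.
Connect-MsolService -Credential (Get-Credential)

# Report only (placeholder name):
Remove-OrphanedServicePrincipal -DisplayName 'MyMultiTenantApp'
# Delete one specific entry once its client ID is known (placeholder values):
# Remove-OrphanedServicePrincipal -DisplayName 'MyMultiTenantApp' -AppPrincipalId '<client id>' -Force
```

Run it without -Force first and keep the printed ObjectId/AppPrincipalId listing; that is the record of what was consented in the tenant before the entry is gone.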