Microsoft Identity : How to correctly remove/revoke application permissions from a client application?

AzureSDE 116 Reputation points
2020-09-30T22:20:27.433+00:00

I am new to the Microsoft Identity Platform and I am relying on the video below from MSFT to guide me on how to set up application-to-application roles/permissions.

https://www.youtube.com/watch?v=IIQ7QW4bYqA&list=PLLasX02E8BPBxGouWlJV-u-XZWOc2RkiX&index=4

I was able to add app roles and see the roles/permissions in access tokens. However, I am having an issue getting a role/permission removed/revoked from the client app.

Below are the steps I have taken.

  1. Created a web api and an Azure Function "client" application that accesses the web api.
  2. Registered both applications in the Azure "App Registrations"
  3. Web Api Registration:
    • Under "Expose an API", I added the Azure Function to the "Authorized client applications"
    • Added two application roles ('Role1', 'Role2') to the Web Api manifest
      "appRoles": [
        {
          "allowedMemberTypes": [
            "Application"
          ],
          "description": "Test Role2",
          "displayName": "Role2",
          "id": "...",
          "isEnabled": true,
          "lang": null,
          "origin": "Application",
          "value": "Role2"
        },
        {
          "allowedMemberTypes": [
            "Application"
          ],
          "description": "Test",
          "displayName": "Role1",
          "id": "...",
          "isEnabled": true,
          "lang": null,
          "origin": "Application",
          "value": "Role1"
        }
      ],
  4. Azure Function Client App Registration:
    • Under "API Permissions", I added the two permissions ('Role1', 'Role2') that I configured for the Web API in step #3

Everything was working as expected at this point. Then, I navigated to the App Registration on the portal and removed one of the permissions from the Azure Function App but access tokens still show both of the permissions ('Role1', 'Role2'). I expected to see only 1.

{
  "aud": "...",
  "iss": "https://login.microsoftonline.com/.../v2.0",
  "iat": 1601492229,
  "nbf": 1601492229,
  "exp": 1601496129,
  "aio": "...",
  "azp": "...",
  "azpacr": "1",
  "oid": "...",
  "rh": "0.AAAAo...",
  "roles": [
    "Role1",
    "Role2"
  ],
  "sub": "...",
  "tid": "...",
  "uti": "...",
  "ver": "2.0"
}

What's the correct way to remove application permissions from a client application?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. AmanpreetSingh-MSFT 56,876 Reputation points Moderator
    2020-10-01T07:47:29.077+00:00

    Hello @AzureSDE

    Welcome to QnA platform and thank you for your query. Based on the information that you shared, I understood that you have below setup:

    • App1 (Web API) exposed as an API with Role1 and Role2 added as scopes.
    • App2 (Client App) where the Role1 and Role2 scopes from App1 are added as API permissions.

    Since you are using Application Roles, when you request a token the scope which needs to be used is "/.default", e.g. https://example.com/App1/.default, and you will get both roles in the token. In this case you can't pass a specific scope in your request like https://example.com/App1/Role1. For Application permissions, /.default is the only accepted scope, which returns all scopes added under the API permissions blade of the Client App (App2).

    As you have mentioned, you removed Role2 from the API permissions blade of App2. In that case, you should only get Role1 in the token when the scope in the authentication request is https://example.com/App1/.default

    In short, all you need to do is remove the permissions from the API permissions blade of your client application and you shouldn't get that role in the token after that. Make sure you revoke admin consent, remove the permission and acquire a new token after that.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

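The accepted answer's point is that removing a permission from the client's API permissions blade only edits the client's app registration; the grant that admin consent created (an appRoleAssignment on the client's service principal) is what the token issuer consults, so it must be revoked too, and any cached token keeps its old "roles" until it expires or is refreshed. The following is an added example, not code from this thread or from Microsoft, showing how to compare the "roles" in a token with the assignments actually granted and how to build the Microsoft Graph DELETE calls that revoke a stale one. All GUIDs, object IDs and the sample assignment objects are constructed placeholders; the assignment shape mimics what `GET /servicePrincipals/{id}/appRoleAssignments` returns, and the token is an unsigned test token, so nothing here talks to the network.

```python
"""Compare a client's app-only token with the app-role grants its service
principal really holds, and build the Graph calls that revoke stale grants.

Added example, not code from the Q&A thread or from Microsoft. Assumptions:
  * app-role GUIDs and object IDs below are made-up placeholders;
  * the access token is a constructed, unsigned JWT built by make_test_token();
  * assignment dicts mimic the objects returned by
    GET https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignments
"""
import base64
import json
from typing import Dict, Iterable, List, Set

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed placeholders: the appRoles from the Web API manifest, keyed by
# their "id", mapped to the "value" that appears in the token's "roles" claim.
APP_ROLES: Dict[str, str] = {
    "11111111-1111-1111-1111-111111111111": "Role1",
    "22222222-2222-2222-2222-222222222222": "Role2",
}
API_SP_OBJECT_ID = "aaaaaaaa-0000-0000-0000-aaaaaaaaaaaa"     # Web API service principal (placeholder)
CLIENT_SP_OBJECT_ID = "bbbbbbbb-0000-0000-0000-bbbbbbbbbbbb"  # Azure Function service principal (placeholder)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def token_roles(token: str) -> Set[str]:
    """Return the 'roles' claim of a JWT. The signature is NOT verified: this
    inspects a token you already trust, it must not be used to authorise."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return set(payload.get("roles", []))


def make_test_token(claims: dict) -> str:
    """Build an unsigned (alg=none) JWT for offline testing only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


def granted_roles(assignments: Iterable[dict], api_sp_id: str,
                  app_roles: Dict[str, str]) -> Set[str]:
    """Role values the client SP currently holds on the API, derived from its
    appRoleAssignments: the objects admin consent creates and the issuer uses,
    independent of what the client's app registration manifest lists."""
    return {
        app_roles[a["appRoleId"]]
        for a in assignments
        if a["resourceId"] == api_sp_id and a["appRoleId"] in app_roles
    }


def stale_roles_in_token(token: str, assignments: Iterable[dict], api_sp_id: str) -> Set[str]:
    """Roles present in the token but no longer granted: a cached token keeps
    carrying them until it expires or the client forces a fresh acquisition."""
    return token_roles(token) - granted_roles(assignments, api_sp_id, APP_ROLES)


def revoke_requests(client_sp_id: str, assignments: Iterable[dict], api_sp_id: str,
                    roles_to_revoke: Set[str]) -> List[str]:
    """Graph DELETE URLs that remove the grant for each role in roles_to_revoke.
    Deleting the assignment is the 'revoke admin consent' step; editing the
    API permissions blade alone leaves these objects in place."""
    ids_to_revoke = {rid for rid, value in APP_ROLES.items() if value in roles_to_revoke}
    return [
        f"{GRAPH}/servicePrincipals/{client_sp_id}/appRoleAssignments/{a['id']}"
        for a in assignments
        if a["resourceId"] == api_sp_id and a["appRoleId"] in ids_to_revoke
    ]


# Constructed sample: both roles still granted, matching the thread's state
# after Role2 was removed from the blade but consent was not revoked.
SAMPLE_ASSIGNMENTS = [
    {"id": "assign-1", "principalId": CLIENT_SP_OBJECT_ID,
     "resourceId": API_SP_OBJECT_ID, "appRoleId": "11111111-1111-1111-1111-111111111111"},
    {"id": "assign-2", "principalId": CLIENT_SP_OBJECT_ID,
     "resourceId": API_SP_OBJECT_ID, "appRoleId": "22222222-2222-2222-2222-222222222222"},
]
SAMPLE_TOKEN = make_test_token({"aud": "api://mywebapi", "roles": ["Role1", "Role2"]})


if __name__ == "__main__":
    print("granted :", sorted(granted_roles(SAMPLE_ASSIGNMENTS, API_SP_OBJECT_ID, APP_ROLES)))
    print("revoke  :", revoke_requests(CLIENT_SP_OBJECT_ID, SAMPLE_ASSIGNMENTS, API_SP_OBJECT_ID, {"Role2"}))
    remaining = [a for a in SAMPLE_ASSIGNMENTS if a["id"] != "assign-2"]
    print("stale   :", stale_roles_in_token(SAMPLE_TOKEN, remaining, API_SP_OBJECT_ID))
```

Issue the DELETE with a Graph client holding an appropriate directory permission (the portal's "Revoke admin consent" does the same thing under the hood), then confirm by re-reading the service principal's appRoleAssignments rather than by looking at the client's manifest. On the MSAL.NET side, `AcquireTokenForClient(scopes)` serves tokens from its cache, so a token obtained before the revocation still shows the old roles; either wait for `exp` or call `.WithForceRefresh(true)` on the builder to force a new one.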

1 additional answer

  1. AzureSDE 116 Reputation points
    2020-10-01T16:02:01.427+00:00

    @AmanpreetSingh-MSFT - Thank you for your explanation. I am actually using "/.default" when I request an access token.

        // Requires the Microsoft.Identity.Client (MSAL.NET) package.
        using System;
        using System.Threading.Tasks;
        using Microsoft.Identity.Client;

        var tenant = "TENANTXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX";
        // Application permissions: the only accepted scope is the API's /.default.
        var scopes = new[] { $"https://mywebapi/odata/.default" };
        string authority = $"https://login.microsoftonline.com/{tenant}/";
        var confidentialClientApplicationOptions = new ConfidentialClientApplicationOptions
        {
            Instance = $"https://login.microsoftonline.com/{tenant}",
            ClientId = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
            TenantId = tenant,
            ClientSecret = "[deleted]"
        };
        var application = ConfidentialClientApplicationBuilder
            .CreateWithApplicationOptions(confidentialClientApplicationOptions)
            .WithAuthority(authority).Build();
        // Client credentials flow; the app roles granted to this client appear in the token's "roles" claim.
        var result = await application.AcquireTokenForClient(scopes).ExecuteAsync();


    Does the Portal Admin need to do anything with the admin consent in order to make the removal correctly propagated? The removed role is currently listed under the "Other permissions granted" on the portal and its status is "Granted".

