How do I delete an AppRoleAssignment using the Azure Active Directory .NET SDK?

Question

I'm trying to figure out how to delete an AppRoleAssignment from either an Group or a User using the Graph API for Azure Active Directory. I'm using the .NET SDK ( Microsoft.Azure.ActiveDirectory.GraphClient ).

I've tried using the standard DeleteAsync method that's on every IEntityBase , but it fails with an error. It's issuing an HTTP request that looks like this:

DELETE /{tenantId}/directoryObjects/{appRoleAssignment ObjectID}/Microsoft.DirectoryServices.AppRoleAssignment?api-version=1.5

which fails with a 400 Bad Request with the error "Direct queries to this resource type are not supported."

This isn't the correct way to delete AppRoleAssignments using the Graph API according to this Microsoft blog post which says you need to do an HTTP request that looks like:

DELETE /{tenantId}/users/{user object ID}/appRoleAssignments/{appRoleAs}?api-version=1.5

If I do a manual HTTP request using HttpClient using that URL format, it works, but I want to know how to do this within the bounds of the .NET library rather than doing manual HTTP requests myself.

How do I delete AppRoleAssignments via the .NET library?

Answer 1

While it is not fixed, you can make a manual HTTP-request, but still using Azure AD SDK to acqure the token. Something like this:

var tenantId = "<guid> tenant id";
var appId = "<guid> your Azure app id";
var appKey = "your app key";
var authority = "i.e. https://login.windows.net/mycompany.onmicrosoft.com";
var graphUrl = "https://graph.windows.net/";

public async Task RemoveRoleFromUser(Guid userId, string roleObjectId) {
    var uri = string.Format("{0}/users/{1}/appRoleAssignments/{2}?api-version=1.5", tenantId, userId, roleObjectId);
    await ExecuteRequest<object>(uri, HttpMethod.Delete);
}

private async Task<T> ExecuteRequest<T>(string uri, HttpMethod method = null, Object body = null) where T : class {
    if (method == null) method = HttpMethod.Get;
    T response;
    var token = await AcquireTokenAsyncForApplication();
    using (var httpClient = new HttpClient { BaseAddress = getServicePointUri() }) {
        var request = new HttpRequestMessage(method, uri);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        if (body != null) {
            request.Content = new StringContent(JsonConvert.SerializeObject(body), Encoding.UTF8, "application/json");
        }
        var responseMessage = await httpClient.SendAsync(request).ConfigureAwait(false);
        responseMessage.EnsureSuccessStatusCode();
        response = await responseMessage.Content.ReadAsAsync<T>();
    }
    return response;
}

private async Task<string> AcquireTokenAsyncForApplication() {
    ClientCredential clientCred = new ClientCredential(appId, appKey);
    var authenticationContext = new AuthenticationContext(authority, false);
    AuthenticationResult authenticationResult = authenticationContext.AcquireToken(graphUrl, clientCred);
    return authenticationResult.AccessToken;
}

private Uri getServicePointUri() {
    Uri servicePointUri = new Uri(graphUrl);
    Uri serviceRoot = new Uri(servicePointUri, tenantId);
    return serviceRoot;
}

Answer 2

ActiveDirectoryClient client = AuthenticationHelper.GetActiveDirectoryClient();
user = (User) await client.Users.GetByObjectId(objectId).ExecuteAsync();

var roleId = "";
await user.AppRoleAssignments.Where(t=>t.ObjectId==roleId).FirstOrDefault().DeleteAsync();

The following websites might be helpful:
https://github.com/AzureADSamples/WebApp-RoleClaims-DotNet https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet