问题描述

我为我的 Azure AD 应用程序创建了一些应用程序角色，并为这些角色分配了一个用户.使用 Graph API，我可以很好地列出应用程序角色分配.

请求网址:

https://graph.microsoft.com/v1.0/servicePrincipals//appRoleAssignedTo

这是我得到的回复(部分为简洁起见):

{@odata.context":https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('<my-application-id>')/appRoleAssignedTo"，价值":[{id":
 解决方案 
@Joy 说的完全正确.我也在 Azure 门户和 MS 图形 API 中对此进行了多次测试.我发现所有旧作业都不起作用，所有新作业都可以正常工作的规则.所以，我也认为是从App roles | 迁移导致的bug.预览到应用角色.
目前，如果要删除旧的分配，只能删除企业应用程序，然后重新创建.(您删除企业应用不会删除应用注册中的应用).
刷新并重新创建:
添加:
是App 角色迁移导致的bug |预览到应用角色.这是 Azure AD 本身的错误.我已将错误信息报告给微软，微软应尽快解决！
I have created some app roles for my Azure AD application and assigned a user in those roles. Using Graph API, I can list the app role assignments just fine.
Request URL:
https://graph.microsoft.com/v1.0/servicePrincipals/<my-application-id>/appRoleAssignedTo
Here's the response I get (partial for the sake of brevity):
{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('<my-application-id>')/appRoleAssignedTo",
    "value": [
        {
            "id": "<app-role-assignment-id>",
            "deletedDateTime": null,
            "appRoleId": "<my-application-role-id>",
            "createdDateTime": "2021-04-16T00:50:28.7061339Z",
            "principalDisplayName": "User Name",
            "principalId": "<user-id>",
            "principalType": "User",
            "resourceDisplayName": "<my-application-name>",
            "resourceId": "<my-application-id>"
        },
...
However when I try to delete an app role assignment, I am getting the following error:
{
    "error": {
        "code": "Request_BadRequest",
        "message": "EntitlementGrant being updated or deleted is not found.",
        "innerError": {
            "date": "2021-04-20T15:08:28",
            "request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
            "client-request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
        }
    }
}

Request URL for delete:
https://graph.microsoft.com/v1.0/servicePrincipals/<my-application-id>/appRoleAssignedTo/<app-role-assignment-id>.
I am not sure what does this error message mean:
Would appreciate if someone can explain this to me.
I found another question with exact same issue - Microsoft Graph API: EntitlementGrant being updated or deleted is not found but that is marked as closed as not reproducible (which is surprising because it is certainly reproducible.
BTW, removing app role assignment from Azure Portal also does not work. Removing a user app role assignment is consistently failing with Microsoft.Online.DirectoryServices.DirectoryValueNotFoundException in the Azure Portal.
UPDATE
I get the following error messages in the audit logs:
 解决方案 
What @Joy said is absolutely correct. I have also tested this several times in Azure portal and MS graph api. I found a rule that all the old assignments not work, all the new assignments work fine. So, I also think it is a bug caused by the migration from App roles | Preview to App roles.
Currently, if you want to delete the old assignments, you can only delete the Enterprise Application and then create it again. (You delete the Enterprise Application will not delete the application in App registrations).
Refresh and create again:
Add:
It is a bug caused by the migration from App roles | Preview to App roles. This is an bug of Azure AD itself. I have reported the error message to Microsoft, and Microsoft should resolve it as soon as possible!
                        
这篇关于无法使用 Graph API 删除应用程序角色分配.未找到获取“正在更新或删除的 EntitlementGrant".错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！