Unable to remove all App Registration App Roles. #20445

@pmatthews05

Description

Describe the bug
I have created an App Registration, and now I'm trying to perform Adds, Updates and Deletes of App Roles.
I can Add, Update and Delete all but the last App Role. The last App Role will always remain.

To Reproduce
I've created the following script.

$appId = "<AppId>"
$appReg = az ad app show --id $appId | ConvertFrom-Json

$AppRolesJson = '[{\"allowedMemberTypes\":[\"User\"],\"description\":\"Approvers can mark documents as approved\",\"displayName\":\"Approver\",\"isEnabled\":true,\"value\":\"approver\"}]'

# Loop through and disable first as no changes can be made when app role is enabled!
$currentAppRoles = $appReg.appRoles
$currentAppRoles | ForEach-Object { $_.isEnabled = $false }
# Escape the quotes so the inline JSON survives native-command argument passing on Windows.
$currentAppRolesJson = $($currentAppRoles | ConvertTo-Json -Depth:100 -Compress) -replace '"', '\"'
# With a single role (or none) ConvertTo-Json emits no array brackets, so add them.
if($currentAppRoles.Count -lt 2){
 $currentAppRolesJson= "[$currentAppRolesJson]"
}
az ad app update --id $appId --app-roles $currentAppRolesJson

# Add / update / delete in one call: the supplied list replaces the current roles.
az ad app update --id $appId --app-roles $AppRolesJson

[screenshot]

Now if you run the script again but change the $AppRolesJson to the following it will update and both will be in the app roles.

$AppRolesJson = '[{\"allowedMemberTypes\":[\"User\"],\"description\":\"Approvers can mark documents as approved\",\"displayName\":\"Approver\",\"isEnabled\":true,\"value\":\"approver\"},{\"allowedMemberTypes\":[\"Application\"],\"description\":\"Application Approvers can mark documents as approved\",\"displayName\":\"Approver\",\"isEnabled\":true,\"value\":\"approver.all\"}]'

[screenshot]

Now if you run the script again but change the $AppRolesJson back to the original, it removes one of the app roles.

$AppRolesJson = '[{\"allowedMemberTypes\":[\"User\"],\"description\":\"Approvers can mark documents as approved\",\"displayName\":\"Approver\",\"isEnabled\":true,\"value\":\"approver\"}]'

[screenshot]

Lastly, if you set $AppRolesJson to an empty array the command succeeds, but it never removes the last App Role.

$AppRolesJson = '[ ]'

[screenshot]

I have to put something in $AppRolesJson otherwise I get an error.

Expected behavior
To be able to clear all App Roles from an App Registration.

Environment summary
Installed AZ from MSI Windows installer.
CLI Version = 2.30.0
Windows 10
PowerShell Core. (7.2)
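The following is an added example, not code from the issue above or from the Azure CLI project. It performs the same disable-then-replace procedure the reporter describes, but builds the role manifest with ConvertTo-Json -InputObject (so zero or one role is still emitted as a JSON array), hands it to az through a temporary file using the CLI's @path convention for JSON parameters instead of escaping quotes inline, and then reads the registration back to check whether the roles really match what was requested. The script parameters $AppId and $DesiredRoles, the helper Set-AppRoles, and the assumption of PowerShell 7 with an already authenticated Azure CLI are all this example's own choices.

```powershell
# Added example (not from the original issue). Assumes PowerShell 7+ and an
# authenticated Azure CLI. $AppId and $DesiredRoles are placeholders supplied
# by the caller; an empty $DesiredRoles asks the CLI to clear every role.
param(
    [Parameter(Mandatory)] [string] $AppId,
    [object[]] $DesiredRoles = @()
)

function Set-AppRoles {
    param([string] $Id, [object[]] $Roles)

    # Write the manifest to a temp file and pass "@<path>" so no quote escaping
    # is needed. -InputObject @($Roles) serialises the whole array at once, so
    # the output is "[]" for no roles and "[{...}]" for exactly one role.
    $tmp = New-TemporaryFile
    try {
        ConvertTo-Json -InputObject @($Roles) -Depth 10 |
            Set-Content -Path $tmp.FullName -Encoding utf8
        az ad app update --id $Id --app-roles "@$($tmp.FullName)"
        if ($LASTEXITCODE -ne 0) { throw "az ad app update failed for $Id" }
    }
    finally {
        Remove-Item $tmp.FullName -ErrorAction SilentlyContinue
    }
}

# 1. Disable every current role first: an enabled role cannot be edited or removed.
$app = az ad app show --id $AppId | ConvertFrom-Json
$disabled = @($app.appRoles | ForEach-Object { $_.isEnabled = $false; $_ })
if ($disabled.Count -gt 0) { Set-AppRoles -Id $AppId -Roles $disabled }

# 2. Apply the desired set; the list replaces the current roles (add/update/delete).
Set-AppRoles -Id $AppId -Roles $DesiredRoles

# 3. Verify instead of trusting the exit code: compare role values that remain.
$after    = az ad app show --id $AppId --query "appRoles[].value" -o json | ConvertFrom-Json
$expected = @($DesiredRoles | ForEach-Object { $_.value }) | Sort-Object
$actual   = @($after) | Sort-Object
$leftover = Compare-Object -ReferenceObject @($expected) -DifferenceObject @($actual) |
    Where-Object SideIndicator -eq '=>'

if ($leftover) {
    Write-Warning ("Roles still present after the update: " + ($leftover.InputObject -join ', '))
} else {
    Write-Host "App roles now match the requested set ($($actual.Count) role(s))."
}
```

The verification step is the part worth keeping: when the last role survives an update with an empty list, as this issue reports, the command still exits 0, so only reading the registration back shows that the clear did not happen. Run it as `.\Set-AppRoles.ps1 -AppId <AppId> -DesiredRoles @()` to reproduce the reporter's final case.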

Labels: Graph, az ad, act-identity-squad, customer-reported, feature-request