在 Azure Active Directory 中对企业应用禁用用户登录Disable user sign-ins for an enterprise app in Azure Active Directory

可以轻松地禁用企业应用程序,防止用户在 Azure Active Directory (Azure AD) 中登录该程序。It's easy to disable an enterprise application so no users can sign in to it in Azure Active Directory (Azure AD). 你需要具有合适的权限才能管理企业应用。You need the appropriate permissions to manage the enterprise app. 而且,你必须是目录的全局管理员。And, you must be global admin for the directory.

如何禁用用户登录?How do I disable user sign-ins?

  1. 使用目录全局管理员的帐户登录到 Azure 门户Sign in to the Azure portal with an account that's a global admin for the directory.
  2. 选择“所有服务” ,在文本框中输入 Azure Active Directory,并选择“Enter” 。Select All services, enter Azure Active Directory in the text box, and then select Enter.
  3. 在“Azure Active Directory - 目录名”窗格(即,正在管理的目录的 Azure AD 窗格)中,选择“企业应用程序” 。On the Azure Active Directory - directoryname pane (that is, the Azure AD pane for the directory you're managing), select Enterprise applications.
  4. 在“企业应用程序 - 所有应用程序” 窗格上,你会看到你可以管理的应用的列表。On the Enterprise applications - All applications pane, you see a list of the apps you can manage. 选择一个应用。Select an app.
  5. appname 窗格(即标题中包含所选应用的名称的窗格)中,选择“属性” 。On the appname pane (that is, the pane with the name of the selected app in the title), select Properties.
  6. 在“appname - 属性” 窗格中,对“启用以让用户登录?” 设置选择“否” 。On the appname - Properties pane, select No for Enabled for users to sign-in?.
  7. 选择“保存” 命令。Select the Save command.

使用 Azure AD PowerShell 禁用未列出的应用Use Azure AD PowerShell to disable an unlisted app

如果你知道未出现在企业应用列表中的应用的 AppId(例如,因为你删除了该应用,或者由于该应用正在由 Microsoft 预授权而尚未创建服务主体),则可以手动创建该应用的服务主体,然后使用 AzureAD PowerShell cmdlet 将其禁用。If you know the AppId of an app that doesn't appear on the Enterprise apps list (for example, because you deleted the app or the service principal hasn't yet been created due to the app being pre-authorized by Microsoft), you can manually create the service principal for the app and then disable it by using AzureAD PowerShell cmdlet.

# The AppId of the app to be disabled
$appId = "{AppId}"

# Check if a service principal already exists for the app
$servicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if ($servicePrincipal) {
    # Service principal exists already, disable it
    Set-AzureADServicePrincipal -ObjectId $servicePrincipal.ObjectId -AccountEnabled $false
} else {
    # Service principal does not yet exist, create it and disable it at the same time
    $servicePrincipal = New-AzureADServicePrincipal -AppId $appId -AccountEnabled $false
}

后续步骤Next steps