Remove a user assignment from an enterprise app in Azure Active Directory

It's easy to remove a user from assigned access to one of your enterprise applications in Azure Active Directory (Azure AD). You need the appropriate permissions to manage the enterprise app, and you must be a global admin for the directory.

Note

For Microsoft Applications (such as Office 365 apps), use PowerShell to remove users from an enterprise app.

How do I remove a user assignment to an enterprise app in the Azure portal?

  1. Sign in to the Azure portal with an account that's a global admin for the directory.
  2. Select All services, enter Azure Active Directory in the text box, and then select Enter.
  3. On the Azure Active Directory - directoryname page (that is, the Azure AD page for the directory you're managing), select Enterprise applications.
  4. On the Enterprise applications - All applications page, you'll see a list of the apps you can manage. Select an app.
  5. On the appname overview page (that is, the page with the name of the selected app in the title), select Users & Groups.
  6. On the appname - User page, select one or more users and then select the Remove command. Confirm your decision at the prompt.

How do I remove a user assignment to an enterprise app using PowerShell?

  1. Open an elevated Windows PowerShell command prompt.

    Note

    You need to install the AzureAD module (use the command Install-Module -Name AzureAD). If prompted to install a NuGet module or the new Azure Active Directory V2 PowerShell module, type Y and press ENTER.

  2. Run Connect-AzureAD -AzureEnvironmentName AzureChinaCloud and sign in with a Global Admin user account.

  3. Use the following script to remove a user and role from an application:

    # Store the proper parameters (replace the placeholders with real object IDs)
    $user = Get-AzureADUser -ObjectId "<user-object-id>"
    $spo = Get-AzureADServicePrincipal -ObjectId "<service-principal-object-id>"
    
    # Get the role assignments this user holds on the application.
    # Match on the user's object ID: display names are not unique in a directory.
    $assignments = @(Get-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId -All $true | Where-Object {$_.PrincipalId -eq $user.ObjectId})
    
    # Show what is assigned, so you can pick the assignment to remove
    $assignments | Select-Object *
    
    # Remove the app role assignment; [0] is the first entry listed above, change the index to target another
    Remove-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId -AppRoleAssignmentId $assignments[0].ObjectId
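
The script above removes one assignment picked by index. As an added example (not part of the original article or Microsoft's own script), the function below removes every direct assignment a user holds on the app, re-queries to confirm the removal, and lists group assignments that would still grant the user access. The function name Remove-UserAppAssignment and its parameter names are hypothetical; it assumes the AzureAD module is installed and Connect-AzureAD has already been run.

```powershell
# Added example; Remove-UserAppAssignment is a hypothetical helper name.
# Assumes the AzureAD module is installed and Connect-AzureAD has already run.
function Remove-UserAppAssignment {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$UserObjectId,
        [Parameter(Mandatory = $true)][string]$ServicePrincipalObjectId
    )

    $user = Get-AzureADUser -ObjectId $UserObjectId
    $spo  = Get-AzureADServicePrincipal -ObjectId $ServicePrincipalObjectId

    # All assignments on the app; -All avoids truncation at the default page size.
    $all = @(Get-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId -All $true)

    # Direct assignments: match on the immutable object ID, not the display name.
    $direct = @($all | Where-Object { $_.PrincipalId -eq $user.ObjectId })

    # Groups the user is a direct member of that are themselves assigned to the app.
    $groupIds = @(Get-AzureADUserMembership -ObjectId $user.ObjectId -All $true |
        Select-Object -ExpandProperty ObjectId)
    $viaGroup = @($all | Where-Object {
        $_.PrincipalType -eq 'Group' -and $groupIds -contains $_.PrincipalId })

    foreach ($a in $direct) {
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Remove assignment $($a.ObjectId)")) {
            Remove-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId -AppRoleAssignmentId $a.ObjectId
        }
    }

    # Re-query to confirm nothing direct is left (under -WhatIf this is unchanged).
    $left = @(Get-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId -All $true |
        Where-Object { $_.PrincipalId -eq $user.ObjectId })

    [pscustomobject]@{
        User                 = $user.UserPrincipalName
        Application          = $spo.DisplayName
        DirectFound          = $direct.Count
        DirectRemaining      = $left.Count
        StillAssignedByGroup = @($viaGroup | Select-Object -ExpandProperty PrincipalDisplayName)
    }
}

# Preview first, then run without -WhatIf (the IDs are placeholders):
# Remove-UserAppAssignment -UserObjectId '<user-object-id>' -ServicePrincipalObjectId '<service-principal-object-id>' -WhatIf
```

A non-empty StillAssignedByGroup means the user keeps access through those groups until the group membership or the group's assignment is also removed; only direct group memberships are checked here.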
    
