I'm working on a service which should be able to disable a user's app. That means for a specific office account, disable a specific application that authenticates against Azure AD.
In order to test my service I subscribed to 2 Office 365 E1 accounts and an Azure trial.
For testing disabling of an app, I downloaded Nine on one of my mobile devices and connected with my Office-365 account.
Then I queried the Azure Graph API with the following REST requests:
1. GET <BASE>/users
   and extracted my user's ID, which I will denote as [user-id].
   (BASE = https://graph.windows.net/[tenant-id]/)
   (All my URLs end with api-version=1.6)
2. GET <BASE>/servicePrincipals
   and extracted the Service Principal's ID for the one that had appDisplayName: "Nine for office 365", which I will denote as [principle].
3. GET <BASE>/servicePrincipals/[principle]/appRoleAssignedTo
   and received:
   "odata.metadata":"https://graph.windows.net/[removed]/$metadata#directoryObjects/Microsoft.DirectoryServices.AppRoleAssignment",
   "value":[
     {
       "odata.type":"Microsoft.DirectoryServices.AppRoleAssignment",
       "objectType":"AppRoleAssignment",
       "objectId":"[AppRoleAssignmentId]",
       "deletionTimestamp":null,
       "creationTimestamp":"2017-01-01T17:04:45.1033993Z",
       "id":"00000000-0000-0000-0000-000000000000",
       "principalDisplayName":"Tom",
       "principalId":"[removed]",
       "principalType":"User",
       "resourceDisplayName":"Nine for Office 365",
       "resourceId":"[principle]"
     },
4. And lastly:
   DELETE <BASE>/users/[user-id]/appRoleAssignments/[AppRoleAssignmentId]
   and received 204 as the response code.
I queried again for the appRoleAssignment (as I did in section 3) and the one I deleted was actually removed, but Nine could still sync with the server and receive new messages. What am I missing?
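As an added example (not part of the question above), a small Python helper around the same Azure AD Graph 1.6 calls: it locates the service principal by appDisplayName, lists the assignment objectIds held directly by a user, builds the DELETE URL from the post, and also reads the service principal's appRoleAssignmentRequired flag, since an app role assignment is only enforced at sign-in when that flag is true. The sample listings are constructed, and the tenant, user and assignment ids are placeholders.

```python
import urllib.request

API_VERSION = "api-version=1.6"

# Constructed sample responses in the shape of the listing above (not real tenant data).
SP_LISTING = {"value": [
    {"objectId": "sp-nine-0001", "appDisplayName": "Nine for Office 365",
     "appRoleAssignmentRequired": False},
    {"objectId": "sp-other-0002", "appDisplayName": "Some Other App",
     "appRoleAssignmentRequired": True},
]}
ASSIGNED_TO = {"value": [
    {"objectId": "ara-0001", "principalId": "user-tom", "principalType": "User",
     "resourceId": "sp-nine-0001"},
    {"objectId": "ara-0002", "principalId": "group-sales", "principalType": "Group",
     "resourceId": "sp-nine-0001"},
]}


def base_url(tenant_id):
    return f"https://graph.windows.net/{tenant_id}/"


def find_service_principal(sp_listing, app_display_name):
    """Pick the servicePrincipal whose appDisplayName matches, ignoring case."""
    for sp in sp_listing.get("value", []):
        if sp.get("appDisplayName", "").lower() == app_display_name.lower():
            return sp
    return None


def assignments_for_user(assigned_to, user_object_id):
    """objectIds of AppRoleAssignments held directly by the given user (group grants are separate)."""
    return [a["objectId"] for a in assigned_to.get("value", [])
            if a.get("principalType") == "User" and a.get("principalId") == user_object_id]


def delete_url(tenant_id, user_object_id, assignment_id):
    """The DELETE target used in the post, with api-version appended."""
    return (f"{base_url(tenant_id)}users/{user_object_id}"
            f"/appRoleAssignments/{assignment_id}?{API_VERSION}")


def assignment_enforced(sp):
    """Only when appRoleAssignmentRequired is true does Azure AD refuse tokens to unassigned users."""
    return bool(sp.get("appRoleAssignmentRequired", False))


def delete_assignment(bearer_token, url):
    """Issue the DELETE; returns the HTTP status (204 on success). Network call, not exercised here."""
    req = urllib.request.Request(url, method="DELETE",
                                 headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```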