It looks like when you add the application permission "Read and write directory data" for "Windows Azure Active Directory" on your app from the Classic Azure AD Portal, the Azure AD portal adds the application's servicePrincipal to the built-in role "Directory Writers" in the background, and when you remove the same permission "Read and write directory data", the Azure AD portal does not remove the application's servicePrincipal from the Directory Writers role. This leaves an inconsistency and potentially a security hole!