How can I get the permission descriptions of a service principal appRoleAssignment based on its appRoleId, or the full list of existing permissions?
I've found this list of available AAD application permissions, but I want to get all the information as I can get it in the UI.
This is a sample of the response that I get from the call:
{
"appRoleId": "0e41f393-f9db-4450-91db-ae2269384572",
"createdDateTime": "...",
"deletedDateTime": null,
"id": "...",
"principalDisplayName": "...",
"principalId": "...",
"principalType": "ServicePrincipal",
"resourceDisplayName": "Windows Azure Active Directory",
"resourceId": "..."
}
You can do it and get the results from the Graph API as below:
Step 1: Get the IDs of the assigned roles with the Microsoft Graph API. In the picture below, the user has 3 assigned roles.
Graph API: https://graph.microsoft.com/beta/rolemanagement/directory/roleAssignments?$filter=principalId eq 'Object ID'
Step 2: Now take each roleDefinitionId separately to get the assigned role's name, using this MS Graph API:
https://graph.microsoft.com/beta/roleManagement/directory/roleDefinitions/{id}
Reference: https://learn.microsoft.com/en-us/graph/api/unifiedroledefinition-get?view=graph-rest-beta&tabs=http
The only way that I found is to get all service principals and then filter on "appOwnerOrganizationId": "f8cdef31-a31e-4b4a-93e4-5f571e91255a". This is Microsoft's ID. Then get the role name from appDisplayName and the permissions from appRoles.
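The lookup described in the answer above, as an added example that is not part of the original thread: an appRoleId is only meaningful relative to the resource service principal that published it, so each assignment is resolved against that service principal's appRoles. The sample records and the role value/description are constructed; the all-zero appRoleId denotes default access without a specific role.

```python
# Constructed sample of appRoleAssignment records, shaped like the response
# quoted in the question (GUIDs other than the appRoleId are made up).
SAMPLE_ASSIGNMENTS = [
    {"appRoleId": "0e41f393-f9db-4450-91db-ae2269384572",
     "resourceId": "11111111-1111-1111-1111-111111111111",
     "resourceDisplayName": "Windows Azure Active Directory",
     "principalType": "ServicePrincipal"},
    {"appRoleId": "00000000-0000-0000-0000-000000000000",
     "resourceId": "11111111-1111-1111-1111-111111111111",
     "resourceDisplayName": "Windows Azure Active Directory",
     "principalType": "ServicePrincipal"},
]

# Constructed stand-in for GET /servicePrincipals/{resourceId}: the resource
# service principal publishes the permissions it exposes under appRoles.
# The role value and description below are made up for the sample.
SAMPLE_RESOURCE_SPS = {
    "11111111-1111-1111-1111-111111111111": {
        "appRoles": [
            {"id": "0e41f393-f9db-4450-91db-ae2269384572",
             "value": "Example.ReadWrite.All",
             "displayName": "Example read/write",
             "description": "Constructed description for the sample.",
             "isEnabled": True},
        ],
    }
}

# An all-zero appRoleId means the assignment grants default access only.
DEFAULT_ACCESS_ROLE = "00000000-0000-0000-0000-000000000000"


def describe_assignment(assignment, resource_sps):
    """Map one appRoleAssignment to the permission it grants. The appRoleId is
    only meaningful relative to the resource service principal, so look it up
    in that service principal's appRoles list; unresolved cases keep value None
    so a reviewer can spot them."""
    role_id = assignment["appRoleId"]
    if role_id == DEFAULT_ACCESS_ROLE:
        return {"value": None, "displayName": "Default access (no specific role)"}
    sp = resource_sps.get(assignment["resourceId"])
    if sp is None:
        return {"value": None, "displayName": "Unknown resource service principal"}
    for role in sp.get("appRoles", []):
        if role["id"] == role_id:
            return {"value": role["value"], "displayName": role["displayName"],
                    "description": role.get("description"),
                    "isEnabled": role.get("isEnabled", True)}
    return {"value": None, "displayName": f"Unknown appRoleId {role_id}"}
```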
I am trying to assign the Contributor role for a subscription to a service principal using the API.
Here is the information:
subscription ID: b59c6b1b-xxxxxxxxxx
service principal ID: 73eb9e1e-xxxxxxxx
contributor ID: b24988ac-6180-42a0-ab88-20f7382dd24c (the Azure built-in Contributor role ID; I got it using 'az role definition list --query "[].{name:name, roleType:roleType, roleName:roleName}" --output tsv' with the az CLI. Is it right?)
I use the API like this:
POST https://graph.microsoft.com/v1.0/servicePrincipals/b59c6b1b-xxxxxxxxxx/appRoleAssignedTo
Content-Type: application/json
Content-Length: 110
{
"principalId": "73eb9e1e-xxxxxxxx",
"resourceId": "b59c6b1b-xxxxxxxxxx",
"appRoleId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
But I got an error response like this:
{
"error": {
"code": "Request_ResourceNotFound",
"innerError": {
"client-request-id": "4fed54c4-xxxxxxxxx",
"date": "2021-01-11T12:00:08",
"request-id": "4fed54c4-xxxxxxxxx"
},
"message": "Resource \u0027b59c6b1b-xxxxxxxxxxx\u0027 does not exist or one of its queried reference-property objects are not present."
}
}
It means that the subscription was not found by ID. In this example I use the subscription ID; I think maybe I should use the subscription object ID like the other example resources, but I can't find a method to get the subscription object ID using the portal or the API. Or maybe I should fix the resourceId according to the error info. So I want to know what information I need in order to assign the Contributor role for a subscription to a service principal.
You used the wrong API. This MS Graph API is for assigning an AAD app role to the service principal; what you need is to assign the RBAC role to the service principal in the subscription, so you need to use this API - Role Assignments - Create. You can click the Try it button on that page, log in with your account and try it directly.
Make sure the client/user you used to get the token has the permission Microsoft.Authorization/roleAssignments/write to create the role assignment, e.g. User Access Administrator or Owner.
Sample:
PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentId}?api-version=2015-07-01
{
"properties": {
"roleDefinitionId": "/subscriptions/xxxxx/providers/Microsoft.Authorization/roleDefinitions/de139f84-1756-47ae-9be6-808fbbe84772",
"principalId": "xxxxxxx"
}
}
For more details, follow every step in this doc.
Besides, if you are happy to use the Azure CLI, you could use the command az role assignment create.
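The ARM request shape from the answer above, as an added example that is not part of the original thread: the subscription appears only as the scope in the URL, the role is a full roleDefinitions path under that scope, and the roleAssignmentId is a fresh GUID chosen by the caller. The GUID check is an assumption added here; it also rejects the masked placeholder values from the question.

```python
import re
import uuid

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# Built-in Contributor role definition id quoted in the question above.
CONTRIBUTOR_ROLE_DEFINITION = "b24988ac-6180-42a0-ab88-20f7382dd24c"


def build_role_assignment_request(subscription_id, principal_object_id,
                                  role_definition_id=CONTRIBUTOR_ROLE_DEFINITION,
                                  api_version="2015-07-01"):
    """Return (method, url, body) for the ARM 'Role Assignments - Create' call.
    Compared with the Graph appRoleAssignedTo call in the question: the
    subscription only appears as the scope in the URL, the role is a full
    roleDefinitions path under that scope, and the roleAssignmentId is a new
    GUID the caller generates."""
    # Masked or mistyped ids (like the question's 'b59c6b1b-xxxxxxxxxx') fail
    # here instead of producing a confusing Request_ResourceNotFound from ARM.
    for name, value in (("subscription_id", subscription_id),
                        ("principal_object_id", principal_object_id),
                        ("role_definition_id", role_definition_id)):
        if not GUID_RE.match(value):
            raise ValueError(f"{name} must be a GUID, got {value!r}")
    scope = f"/subscriptions/{subscription_id}"
    assignment_id = str(uuid.uuid4())
    url = (f"https://management.azure.com{scope}/providers/Microsoft.Authorization"
           f"/roleAssignments/{assignment_id}?api-version={api_version}")
    body = {"properties": {
        "roleDefinitionId": f"{scope}/providers/Microsoft.Authorization"
                            f"/roleDefinitions/{role_definition_id}",
        "principalId": principal_object_id}}
    return "PUT", url, body
```

The token used to send the request still needs Microsoft.Authorization/roleAssignments/write on that scope, as the answer notes.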
POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo
Content-Type: application/json
Content-Length: 110
{
"principalId": "principalId-value",
"resourceId": "resourceId-value",
"appRoleId": "appRoleId-value"
}
Here the {id} and "resourceId" are the object ID of the service principal.
You can get this in one of the two ways described below:
Option 1:
From the Portal:
Azure Active Directory >> App Registrations >> Select All Apps from the dropdown menu >> find your app and click on it.
Option 2:
From Graph:
Using GET /servicePrincipals:
https://graph.microsoft.com/beta/serviceprincipals?$filter=startswith(displayName, 'Application-Name')
You will have to replace the Application name above.
The output of the above request will have the guid value under the id key.
I have a requirement where I need to fetch the tenant directory ID for a given subscription.
I could find a REST GET API https://management.azure.com/subscriptions/[subscription]/versions...
The error response to this gave the tenant directory.
Is there any better way to fetch the directory for a subscription ID?
As of now (06/07/2018), an easy approach would be running az account show in the Azure Cloud Shell (requires a Storage Account) in the Azure Portal.
--- Command ---
az account show
--- Command Output ---
{
"environmentName": "AzureCloud",
"id": "{Subscription Id (GUID)}",
"isDefault": true,
"name": "{Subscription Name}",
"state": "Enabled",
"tenantId": "{Tenant Id (GUID)}",
"user": {
"cloudShellID": true,
"name": "{User email}",
"type": "user"
}
}
See this doc for more details on Azure Cloud Shell: https://learn.microsoft.com/en-us/azure/cloud-shell/overview
We recently had the same problem and wanted to fix it. After speaking to Microsoft, there is no supported way to do this through the Graph API when accessing as an application using the client_credentials flow.
An approach we have taken to get the tenant ID is to call the OAuth2 metadata document endpoint for your tenant:
https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration
By calling this you'll see your token endpoint, as well as other useful information, which you can use to log in. Or you can grab the tenant ID using string stripping.
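Both tenant-discovery approaches from this thread (the error response to an unauthenticated ARM call, and the OpenID metadata document), as an added example that is not part of the original answers. The challenge header and metadata body are constructed to match the shape of those responses; the GUID in them is made up.

```python
import json
import re

GUID = r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"

# Constructed WWW-Authenticate challenge of the kind ARM returns to an
# unauthenticated GET on /subscriptions/{id}: the tenant is in authorization_uri.
SAMPLE_WWW_AUTHENTICATE = (
    'Bearer authorization_uri="https://login.windows.net/'
    'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", error="invalid_token", '
    'error_description="The authentication failed because of missing '
    '\'Authorization\' header."'
)

# Constructed body of {tenant}/v2.0/.well-known/openid-configuration, where
# {tenant} may be a verified domain name; the issuer carries the tenant GUID.
SAMPLE_OPENID_CONFIG = json.dumps({
    "token_endpoint": "https://login.microsoftonline.com/"
                      "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/oauth2/v2.0/token",
    "issuer": "https://login.microsoftonline.com/"
              "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/v2.0",
})


def tenant_from_www_authenticate(header):
    """Tenant GUID from the authorization_uri of a Bearer challenge, or None."""
    m = re.search(r'authorization_uri="https://[^/"]+/(' + GUID + r')"', header)
    return m.group(1).lower() if m else None


def tenant_from_openid_config(body):
    """Tenant GUID from the issuer of a v2.0 metadata document, or None.
    Only the login.microsoftonline.com issuer form is accepted, so a document
    served from an unexpected host is not mistaken for the tenant's."""
    issuer = json.loads(body).get("issuer", "")
    m = re.fullmatch(r"https://login\.microsoftonline\.com/(" + GUID + r")/v2\.0",
                     issuer)
    return m.group(1).lower() if m else None
```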
I created an admin console in the user interface where an admin can perform all operations such as creating and deleting users, assigning applications to users and removing application access from users.
I tried to remove application access from users in the user interface by using the Microsoft Graph API and the Azure AD Graph API.
I used the following Azure AD Graph API:
https://graph.windows.net/tenantid/users/{userId}/appRoleAssignments/{appId}?api-version=1.6
but it shows an error when I tested it in Postman: "Invalid resource identifier for EntitlementGrant."
I don't know what to do; can anyone help me with this error and how to resolve this problem?
You may be getting this error because you are trying to delete the application access using the AppId of the application. Please make sure to use the "AssignmentID" from the Azure Portal, which is the unique ID of the specific role assignment and links the user/group and the service principal object.
Go to Azure Active Directory > Users > Select specific User > Applications > Select any application to navigate to "Assignment Details" blade.
See screenshot below -
This unique ID is also available as "ObjectID" if querying application role assignments through the Graph API:
https://graph.windows.net/{TenantID}/users/{UserID}/appRoleAssignments
Here is the sample output of the above API call:
{
"odata.metadata": "https://graph.windows.net/sasharms.onmicrosoft.com/$metadata#directoryObjects/Microsoft.DirectoryServices.AppRoleAssignment",
"value": [
{
"odata.type": "Microsoft.DirectoryServices.AppRoleAssignment",
"objectType": "AppRoleAssignment",
"objectId": "r7rDMrnDo0uCuwnosRwwzuziiF5B8s9FnsotYya5DMU",
"deletionTimestamp": null,
"creationTimestamp": "2018-05-10T14:10:49.8197813Z",
"id": "00000000-0000-0000-0000-000000000000",
"principalDisplayName": "SaurabhSharma",
"principalId": "32c3baaf-c3b9-4ba3-82bb-09e8b11c30ce",
"principalType": "User",
"resourceDisplayName": "WebAppOpenIdGraphApi",
"resourceId": "90658e39-2559-48fb-a27a-5e50cca94288"
}
]
}
This ID is ideally used for performing various operations against the application using any programmatic interface such as PowerShell and the Graph APIs.
Is it possible to query the Graph API and find whether the directory administrator gave administrator consent for the application and when this was done?
If so, how would I go about this?
You would have to query the oauth2PermissionGrants. To get them you will have to know the object id of the application's service principal in the target directory. That one you can get if you know the app's client id.
For example if I query https://graph.windows.net/<tenant id>/servicePrincipals/6e56b47c-4c6e-40f5-aa95-16a0b1cb44fc/oauth2PermissionGrants from the Azure AD Graph API:
{
"odata.metadata": "https://graph.windows.net/<tenant id>/$metadata#oauth2PermissionGrants",
"value": [
{
"clientId": "6e56b47c-4c6e-40f5-aa95-16a0b1cb44fc",
"consentType": "AllPrincipals",
"expiryTime": "2017-12-19T09:25:32.3581755",
"objectId": "fLRWbm5M9UCqlRagsctE_M7PF6398j5LkfWqCoLpQBI",
"principalId": null,
"resourceId": "ad17cfce-f2fd-4b3e-91f5-aa0a82e94012",
"scope": "User.Read",
"startTime": "0001-01-01T00:00:00"
}
]
}
You can see this particular service principal has been granted the User.Read scope on the Azure AD Graph API for AllPrincipals, which means admin consent. If it was individual user consent, consentType would be Principal, with the principalId set to the id of the user who gave the consent.
Note you can't know when the consent was given.
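The consent classification described in the answer above, as an added example that is not part of the original answer: consentType AllPrincipals is tenant-wide admin consent, Principal is a single user's consent with principalId set. The response below is constructed in the shape of the oauth2PermissionGrants listing shown in the answer; the second grant and its scopes are made up.

```python
# Constructed response shaped like the oauth2PermissionGrants listing above.
# The first grant mirrors the one in the answer; the second is made up.
SAMPLE_GRANTS_RESPONSE = {
    "value": [
        {"clientId": "6e56b47c-4c6e-40f5-aa95-16a0b1cb44fc",
         "consentType": "AllPrincipals", "principalId": None,
         "resourceId": "ad17cfce-f2fd-4b3e-91f5-aa0a82e94012",
         "scope": "User.Read Directory.Read.All"},
        {"clientId": "6e56b47c-4c6e-40f5-aa95-16a0b1cb44fc",
         "consentType": "Principal",
         "principalId": "22222222-2222-2222-2222-222222222222",
         "resourceId": "ad17cfce-f2fd-4b3e-91f5-aa0a82e94012",
         "scope": " Mail.Read "},
    ]
}


def classify_grant(grant):
    """Return (kind, principalId, scopes) for one oauth2PermissionGrant.
    AllPrincipals means an admin consented on behalf of every user in the
    tenant; Principal means one user consented for themselves only."""
    # scope is a single space-separated string and may carry padding.
    scopes = grant.get("scope", "").split()
    kind = {"AllPrincipals": "admin", "Principal": "user"}.get(
        grant.get("consentType"), "unknown")
    return kind, grant.get("principalId"), scopes


def admin_consented_scopes(response, client_id, resource_id=None):
    """Delegated scopes granted tenant-wide to client_id, optionally limited
    to one resource service principal. Sorted so output is stable for diffing
    against a previous review."""
    scopes = set()
    for grant in response.get("value", []):
        if grant.get("clientId") != client_id:
            continue
        if resource_id and grant.get("resourceId") != resource_id:
            continue
        kind, _, granted = classify_grant(grant)
        if kind == "admin":
            scopes.update(granted)
    return sorted(scopes)
```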
I have defined custom roles in Azure in the application manifest as follows:
{
"allowedMemberTypes": [
"User"
],
"displayName": "Admin",
"id": "81e10148-16a8-432a-b86d-ef620c3e48ef",
"isEnabled": true,
"description": "Admins can manage roles and perform all task actions.",
"value": "Admin"
}
From my MVC application, I would like to query the users found in these roles. With the Graph API, I am able to see the custom roles attached to the application but I am unable to query the users attached to these roles. Is it possible with the Graph API?
Thanks. Any help is appreciated.
We can get the roles that are already assigned to this application via the Azure AD Graph REST API like below:
GET: https://graph.windows.net/{tenantId}/servicePrincipals/{servicePrincipalid}/appRoleAssignedTo?api-version=1.6
Bearer {accessToken}
Then we can filter the result using the id (the custom appRole ID, e.g. 81e10148-16a8-432a-b86d-ef620c3e48ef) and principalType (User) to get the specific roles that are assigned to users.
For more detail about the entities and complex types of the Azure AD Graph REST API, you can refer here.