How to grant Azure CLI graph api permissions - azure

As far as I understand, the azcli doesn't have an app registration in AAD, and now that it's possible to make REST calls from the azcli, how does one grant permissions that are required for certain calls?
$ az rest --method get --url https://graph.microsoft.com/beta/privilegedAccess/azureResources/roleAssignments?$filter=subjectId+eq+'xxxxxxx-xxxx-xxxx-xxx-xxxxxxxx'
Unauthorized({
"error": {
"code": "UnknownError",
"message": "{\"errorCode\":\"PermissionScopeNotGranted\",\"message\":\"Authorization failed due to missing permission scope PrivilegedAccess.Read.AzureResources,PrivilegedAccess.ReadWrite.AzureResources.\",\"target\":null,\"details\":null,\"innerError\":null,\"instanceAnnotations\":[],\"typeAnnotation\":null}",
"innerError": {
"date": "2021-02-18T09:31:46",
"request-id": "989c1555-aa84-45a7-8fd9-e168531fcf88",
"client-request-id": "989c1555-aa84-45a7-8fd9-e168531fcf88"
}
}
})

As Microsoft Graph REST API v1.0 is now GA, we can call it directly with az rest to achieve the same effect as the az ad commands, including all the latest features from Microsoft Graph. It can automatically authenticate to Microsoft Graph.
And for this you will have to use the v1.0 version of the API: https://graph.microsoft.com/v1.0. Using this, it should work.
Check out GitHub Issue #12946 about the same for more details.

Related

How do I know which permissions I need to set up for an Microsoft Identity Platform/Azure AD/MSAL app?

I know how to register an app in Azure AD. I also know how to retrieve an access token with MSAL. When I make a request I get this error:
$ curl https://graph.microsoft.com/v1.0/me -H "Authorization: Bearer ${ACCESS_TOKEN}"
{
"error": {
"code": "ErrorInsufficientPermissionsInAccessToken",
"message": "Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileAccessDeniedException' was thrown.",
"innerError": {
"date": "2022-06-11T18:41:12",
"request-id": "c5af5903-d4d1-4a6c-bdf4-9c059f865345",
"client-request-id": "c5af5903-d4d1-4a6c-bdf4-9c059f865345"
}
}
}
Is there a way to know which API permissions and scopes you need to set up from the error message?
Setting up API permissions and scopes depends on the request you are making to call Microsoft Graph.
You can find the required permissions for every Graph API request via Microsoft Graph REST API v1.0 reference
Please note that /me is used to get user information of signed-in user.
Check the below note while calling the /me endpoint:
Required permissions for calling /me endpoint are:
I tested in my environment and got the profile successfully with Delegated permission like below:
API Permissions that I have given to the app:
You can find similar kind of problem raised in Microsoft Q&A below:
ErrorInsufficientPermissionsInAccessToken - Microsoft Q&A

Use MS Graph API and Postman to call Teams, Unsupported AAD Identity

I tried to create a call in Teams through the Microsoft Graph API. I created an app with the given permissions, but when I try to do the POST on https://graph.microsoft.com/v1.0/communications/calls I get this error:
{
"error": {
"code": "UnknownError",
"message": "{\"errorCode\":\"7500\",\"message\":\"Unsupported AAD Identity.\",\"instanceAnnotations\":[]}",
"innerError": {
"date": "2020-11-11T14:38:43",
"request-id": "74ee843f-ba7e-4d87-b1e2-617c6fdce77c",
"client-request-id": "74ee843f-ba7e-4d87-b1e2-617c6fdce77c"
}
}
}
Token and everything looks good. If I change the token I get another error that this one is wrong.
To be honest my knowledge about Azure etc. is very low.
What Shiva said is right. You may have used a user token to call the API, so an error occurred. The API call currently only supports application tokens. You need to grant application permissions to the application and use the client credential flow to obtain a token.

Call Microsoft graph API using Azure B2C

I am trying to access Microsoft Graph API using Access token of b2c login.
Following are the endpoints azure portal showing.
As I understand it, we must be able to call https://graph.microsoft.com endpoints according to this. Please correct me if I am wrong. Then I generated an access token as follows and tried to call https://graph.microsoft.com/v1.0/me/ using that token.
The result is as follows.
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token validation failure.",
"innerError": {
"date": "2020-08-25T11:58:07",
"request-id": "c6a9ba06-d41e-49f7-ba94-f75478ce89b0"
}
}
}
I have granted API permissions as follows in my application too
This won't work. Use the Azure AD flows in your AAD B2C tenant.
https://learn.microsoft.com/en-us/graph/auth-v2-service

get all AAD groups in which service principal is added as member

I have a scenario: I need to write functional tests for my API(s). The API uses Azure AD authentication. There are multiple roles in the system, and the role of a user is decided on the basis of membership of different AD groups.
So for functional tests I need different users in different groups.
I created service principals with contributor rights in the subscription, added them to groups, and granted the following Microsoft Graph Application type API permissions.
- Application.Read.All
- Directory.Read.All
Now I used these APIs to complete my use case.
1- https://login.microsoftonline.com/{tenant-Id}/oauth2/token
to get the access token against service principal.
2- GET https://graph.microsoft.com/v1.0/me/memberOf
to get the list of the user's groups, but I got the following response with the authentication token of the service principal.
{
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource 'xxxx471-bxxxa-45a2-b61b-18xxxxx42af88' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "fxxxxc41-319e-xxxx-xxxx-360xxxx58077",
"date": "2020-04-13T11:41:01"
}
}
}
I also have tried this
3- https://graph.microsoft.com/v1.0/users/{princialId}/memberOf
and get the following response
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource 'xxxxx-xxxx-xxxx-b61b-18421142af88' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "fxxxxc41-319e-xxxx-xxxx-360xxxx58077",
"date": "2020-04-14T05:59:03"
}
}
}
I have used the object id of the app registered in Azure AD. When I searched for the service principal using PowerShell with the following command, I found a different Object_Id than the one written on the AD app in the Azure portal
command: get-AzureADServicePrincipal
with this Object_Id I was able to get service principal's groups using beta services.
https://graph.microsoft.com/beta/servicePrincipals/{object ID}/memberOf
Can anybody explain why I was not able to get the groups of the service principal using the v1.0 service?
Thanks
Can anybody explain why I was not able to get the groups of the service principal using the v1.0 service?
Because the v1.0 version does not support this API, GET /servicePrincipals/{id}/memberOf; it is currently only available in the Beta version.
You could check this doc - List servicePrincipal memberOf, select the Version with 1.0, then it will give a prompt message like below.
I have used the object id of the app registered in Azure AD. When I searched for the service principal using PowerShell with the following command, I found a different Object_Id than the one written on the AD app in the Azure portal
The Object Id of the service principal is not the same as that of the App Registration; the one you got from PowerShell is correct. Also, you can find it in the portal under Enterprise applications like below.
I agree that the beta service was not part of v1.0, but according to the v1.0 documentation
https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/memberOf
should work.
Please visit
https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http
Please find the documentation image here

Azure AD B2C - Using Azure AD Graph API

I am calling the Azure AD Graph API using a local administrator token. I keep getting the following error messages, no matter what endpoint I call.
How do I get access to the Azure AD Graph API?
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
}
}
My URL
https://graph.windows.net/<tenant>/users/821d91b8-36e1-4b89-bd3a-4caecc40e4c9/memberOf?api-version=1.6
The Azure Graph API needs a special application registration alongside the application registration that users log in with.
Follow the guide below:
https://azure.microsoft.com/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/
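A small triage helper, added here and not taken from any of the posts above: it parses the Graph error bodies quoted in the questions (including the JSON that Graph nests inside the message field), pulls out the missing permission scopes, and tells a delegated token from an application token by its scp/roles claims. The sample error bodies and the unsigned sample token are constructed, and the hint text only restates the diagnoses given in the answers above.

```python
import base64
import json
# Diagnoses for the Graph error codes quoted on this page, taken from the answers above.
HINTS = {
    "PermissionScopeNotGranted": "token lacks one of the listed scopes; with az rest, use the v1.0 endpoint",
    "7500": "Unsupported AAD Identity: a user token was sent, but the endpoint needs an application token (client credentials)",
    "InvalidAuthenticationToken": "token not accepted by Graph (e.g. an Azure AD B2C token); use Azure AD flows instead",
    "Request_ResourceNotFound": "/me and /users/{id} do not resolve a service principal; use its Enterprise-application object id with /servicePrincipals/{id}/memberOf",
    "Authorization_RequestDenied": "insufficient privileges on Azure AD Graph; a separate app registration for Graph access is required",
}

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (for inspection only)."""
    body = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def token_kind(claims: dict) -> str:
    """Delegated (user) tokens carry 'scp'; client-credential (app) tokens carry 'roles'."""
    if "scp" in claims:
        return "user"
    return "app" if "roles" in claims else "unknown"

def diagnose(body: dict) -> dict:
    """Extract code, nested errorCode and missing scopes from a Graph error body, plus a hint."""
    err = body.get("error") or body.get("odata.error") or {}
    code = str(err.get("code", ""))
    msg = err.get("message", "")
    if isinstance(msg, dict):  # Azure AD Graph ("odata.error") puts the text under "value"
        msg = msg.get("value", "")
    inner_code, scopes = "", []
    if isinstance(msg, str) and msg.startswith("{"):  # Graph often nests JSON inside message
        inner = json.loads(msg)
        inner_code = str(inner.get("errorCode", ""))
        text = inner.get("message", "")
        if "missing permission scope " in text:
            scopes = text.split("missing permission scope ", 1)[1].rstrip(".").split(",")
    return {"code": code, "inner_code": inner_code, "scopes": scopes,
            "hint": HINTS.get(inner_code or code, "unknown code; check the Graph reference")}

# Constructed samples: error bodies in the shapes quoted above and an unsigned sample token.
SAMPLE_PIM_ERROR = {"error": {"code": "UnknownError", "message": json.dumps({
    "errorCode": "PermissionScopeNotGranted",
    "message": "Authorization failed due to missing permission scope "
               "PrivilegedAccess.Read.AzureResources,PrivilegedAccess.ReadWrite.AzureResources."})}}
SAMPLE_CALLS_ERROR = {"error": {"code": "UnknownError", "message": json.dumps(
    {"errorCode": "7500", "message": "Unsupported AAD Identity."})}}
_payload = base64.urlsafe_b64encode(json.dumps(
    {"aud": "https://graph.microsoft.com", "roles": ["Directory.Read.All"]}).encode()).rstrip(b"=")
SAMPLE_APP_TOKEN = "eyJhbGciOiJub25lIn0." + _payload.decode() + ".sig"
```

Decoding a token this way only inspects claims; it never validates the token, so it belongs in a debugging session, not in an authorization path.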
