From what I read, AppRoleAssignment.ReadWrite.All should allow application to use Microsoft Graph SDK to do app role management programmatically. But how do I grant permission such that the application principal can only allow to manage it's own role but not other enterprise application?
The goal is to build a role management page in the web application to allow designated users to add/remove user to an app role for the same application without granting them access to the Azure portal.
Unfortunately, it's impossible currently.
Although we can add the user as the admin of the application principal on Azure portal and then we can do anything to the application principal on Azure portal, calling Microsoft Graph is different. It has to rely on the permission of Azure AD app.
But the Microsoft Graph permission AppRoleAssignment.ReadWrite.All is for all the application principals.
If you click on "F12" to open the developer tool of Chrome, you will find that the Azure Portal is using another API to finish the operation.
I tried to add my user as the admin of only one application principal through Powershell, but it still doesn't work for Microsoft Graph.
You can go to Microsoft Graph user voice to make a request to get the attention of the product group.
Related
My Azure account is under company's AD, and once i tried to create an App using Azure Devops, when trying to create New Service connection, this error pops up,
What permission do my account needs to perform this action ?
Thanks in advance.
You need the "Creator" permission:
Members of this role can create the service connection in the project. Contributors are added as members by default
Please find more information in the Microsoft documentation User permissions
Microsoft documentation for Manage service connections
The problem lies in not having privileges to create app registrations in the Azure Active Directory tenant. There are several roles that have permission for this operation. According to the docs it also depends on whether non-admin users can create app registrations.
Some Built-in roles that can be used are Application Administrator
Users in this role can create and manage all aspects of enterprise applications, application registrations, and application proxy settings. Note that users assigned to this role are not added as owners when creating new application registrations or enterprise applications.
or Application Developer
Users in this role can create application registrations when the "Users can register applications" setting is set to No. This role also grants permission to consent on one's own behalf when the "Users can consent to apps accessing company data on their behalf" setting is set to No. Users assigned to this role are added as owners when creating new application registrations.
Further to:
API Permission Issue while Azure App Registration
and
Why is "Application permissions" disabled in Azure AD's "Request API permissions"?
I cannot activate the Application Permissions button in the API permissions when I am trying to register an application in Active Directory. I have created the roles (several times) and ensured all of the properties are correct as described in both posts and in https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-registration - including that it the role is set for application, . I am using the default directory of my Azure account. I am the only member in my directory and am a member of global administrators.
Is there something else I am missing?
My end goal is simply to use the .Net SDK to manage the firewall on an application service using a client secret that can be distributed with an application.
Here is the manifest
Okay, so you want an app registration to manage an App Service through Azure Resource Management API as itself with client credentials flow?
In that case you don't need to assign any application permissions to your app.
You need to create the app, and then go to e.g. the App Service resource's Access Control (IAM) tab, and add the needed role to your app there.
The reason that the app permissions tab there is grey is because the Azure Service Management app registration (which you can't edit) does not define any app permissions.
When you define an app permission in the manifest, that becomes a permission that other applications could use to call your API, not Azure Resource Management API.
Is there something else I am missing?
The reason Applications Permissions is greyed out for you is because Azure Service Management API only allows Delegated Permissions i.e. this API will be always be executed in context of the signed-in user. In other words, a user (even if it is a Service Principal) must always be present when executing this API.
You mentioned that you wanted to execute Service Management API using a client secret. For that there are two things you would need to do:
As mentioned by #junnas, you will need to assign your application (which is a Service Principal) a proper Azure RBAC role on an Azure Subscription. Please see this link for more details: https://learn.microsoft.com/en-us/azure/role-based-access-control/overview.
You will need to acquire token for this Service Principal using client id and client secret. You can use ClientSecretCredential for that purpose.
I have developed a domain-based modeling tool and code-generator that provides the ability to capture domain models per DDD and automatically generates ASP.Net Web API microservices.
I also created an Azure B2C CLI tool that uses MS Graph API to programmatically generate an Azure B2C AD Application for each Web ASP.NET Web API of which includes all possible scopes that are applied to protect some of the generated Web API operations.
As some of these generated API services often interact with other generated services via REST and/or gRPC, the Azure B2C CLI tool also adds the list of dependent API permissions that would be required by each Web API in order to integrate with the other Web API.
My Azure B2C CLI tool works great and is creating/updating the underlying Azure B2C Web/API application per each domain service within the Home Tenant along with the necessary Service Principal.
Currently I still need to log into the Azure Portal in order to grant the API permissions per each B2C Application.
My Question is : Is it possible to automate the granting of the API Permissions using the B2C Application that I am using to create these same B2C Web/API applications ?
It seems like this should be possible as the Azure B2C CLI tool's B2C Application is the owner of these created Apps.
To help illustrate and support my question I have included some screen shots below.
To begin, the following image shows the permission set that my Azure B2C CLI tool runs under in order to create the other B2C applications for each Web API via MS Graph API.
On each pass, the Azure B2C CLI tool processes a particular domain model to understand the definition for each domain service within that model and will automatically create a series of B2C applications within Azure B2C per each service in a particular domain model.
The following domain model has 4 domain services which results with 4 B2C Apps being generated by my Azure B2C CLI tool as illustrated below ..
The Azure B2C CLI tool creates as many permission scope items per API operation and adds that to the underlying API OAuthPermissionScopes. Here is a few examples of generated permission scopes services for "WorkSpace" and "SharedServices" Web API's...
The Azure B2C CLI also adds any API permissions to each generated B2C API Application. The following example shows that "CoreServices" API requires permissions from both the "SharedServices" App API and the "WorkSpace" App API
Once that is completed I can log into the Azure Portal and Grant these permissions, manually, per each API.
Instead of granting these manually I would like to programmatically grant these permissions via MS Graph within the Azure B2C CLI tool I've created.
The code-generator domain modeling tool will be producing 100's upon 100's of services so I want to automate securing the generated domain services as much as possible, including granting of API permissions.
What is the MS Graph API to allow me to fully automate this process within my Azure B2C CLI tool?
Microsoft Graph doesn't support the "grant admin consent" feature currently.
AAD Graph has an endpoint https://graph.windows.net/myorganization/consentToApp?api-version=2.0 which is used to grant admin consent but it is only available within Microsoft. Calling this endpoint from outside will get this error.
You could consider using Azure CLI cmd az ad app permission grant or az ad app permission admin-consent --id $appid. See reference here.
There is a difference between the 2 cmds. You can find more details from my previous answer.
I created a Azure Active Directory via the Azure portal. Then, I registered an app in it. I can configure it, add permissions and the like via the azure portal. But the same app I created, I don't see on https://apps.dev.microsoft.com/
Shouldn't I be able to see and configure the app I made in AD at that portal, too?
The apps that appear in the Application Registration Portal are the ones where you are explicitly marked as an owner of the application. This is in contrast to the apps that appear in the Azure Portal which are all the applications registered in your tenant, independent of whether or not your are an owner.
If you are a normal user, and you create an application in the Azure Portal, you should see your application appear in a section called "Azure AD only applications"
Here is the owner information for "Email Scraper" from the Azure Portal.
However, if you are a Tenant Administrator and you create an application, you will not be marked as an owner of the application. Implicitly, Tenant Administrators are owners of all objects in the directory, and to reduce the object quota generated by admins, these explicit links are not created.
Here is an example of an app I created where I am the Tenant Administrator:
Therefore, you probably do not see your application in the App Registration Portal because you are not marked as an Owner of the application, probably because you are an Administrator who created the app, or you did not create the app to begin with. You can remedy this by simply adding yourself to the owner list in the Azure Portal.
Let me know if this helps!
I tried to grant delegated permissions to webApi using azure.portal.com.
Two web App/API application was register on azure AD. When i try to use 'Settings->RequiredPermissions->Add->Select an API' i not see my created application in list.
Same problem for old azure portal described on Granting native application access to web application
But new portal not fixed with previous solution.
Could anyone help, please ?
The Azure AD app registration blades in portal.azure.com are currently not creating a servicePrincipal in the tenant when you register your application. This means that the API you create will not show up in the list of apps to select from. More detail in this blog post