I want to install an app to Microsoft Teams using the Microsoft Graph API. But it requires the "AppCatalog.ReadWrite.All" permission, which is missing in the v2 app registration portal (https://apps.dev.microsoft.com).
Do I need to switch from v2 to v1 app?
No, you don't need to—you can request this permission using the preview experience for App registrations. First, find your app in the preview experience. Navigate to API permissions and click the Add a permission button. Select Microsoft Graph, then select Delegated permissions. Locate the AppCatalog.ReadWrite.All permission and select it. Lastly, click Add permissions.
I am curious if there is a way to create custom permissions for the 365 management api to be used for an app registration.
I would like to collect activity data of a select group of users instead of using the out of the box permission ActivityFeed.Read which seems to grant read permission to the entire organisation.
365 Management API - screenshot
Yes, you can create custom API permissions for the App registration.
Go to the Azure AD Admin Center, select Azure Active Directory and select your application:
In the manifest, check for the oauth2Permissions section and add the custom permissions in the above section:
To know how to do it in detail, please refer below link:
Custom Permissions in Azure AD Applications by Andrew Connell
So I'm using Power Automate to connect to the API for Azure Cost Management Usage, specifically this guy:
https://learn.microsoft.com/en-us/rest/api/consumption/usage-details/list?tabs=HTTP
However, Power Automate, though it has an AD Auth with OAuth2 option, requires something called an "Audience", and really I have no idea what to put here.
I have indeed registered an app, gave it the user_impersonation permission, approved it for my domain, and generated a client ID/secret for that app. All I need is the "Audience".
The Audience is the API which your AAD app has permissions on.
To find this URL, try to navigate to Azure AD and App Registration, then select your Application, and click on API Permissions.
Select API / Permissions name which should popup the permission details along with the used API.
For example my AAD app has Microsoft Graph permissions
If I select Microsoft Graph row or click on one of the permissions the popup shows details
The URL https://graph.microsoft.com/ represents the Audience in my case.
You are probably using Azure Service Management, so in your case the Audience will be https://management.azure.com/
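An added example, not code from the answer above: it maps an audience such as https://management.azure.com/ to the body field each Azure AD endpoint version expects (assumed: `resource=<audience>` on v1, `scope=<audience>/.default` on v2) and checks the `aud` claim of a returned token against the API you intend to call. The token is a constructed, unsigned sample for offline use; signature verification is out of scope here.

```python
import base64
import json


def token_request_params(audience: str, version: int) -> dict:
    """Return the body field that names the audience for a v1 or v2 token request."""
    base = audience.rstrip("/")
    if version == 1:
        return {"resource": base + "/"}       # e.g. https://management.azure.com/
    if version == 2:
        return {"scope": base + "/.default"}  # e.g. https://management.azure.com/.default
    raise ValueError("version must be 1 or 2")


def jwt_claims(token: str) -> dict:
    """Decode the payload of a JWT without verifying it (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)      # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_matches(token: str, expected: str) -> bool:
    """True if the token's aud claim names the expected API (trailing slash ignored).

    A Graph token sent to Azure Resource Manager (or vice versa) fails this check,
    which is the usual cause of 401/insufficient-privileges errors with a wrong Audience.
    """
    aud = jwt_claims(token).get("aud", "")
    auds = aud if isinstance(aud, list) else [aud]
    return any(a.rstrip("/") == expected.rstrip("/") for a in auds)


def make_sample_token(aud: str) -> str:
    """Build a constructed, unsigned JWT (alg=none) purely for offline demonstration."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    # "<client-id>" is a placeholder, not a real application id
    return enc({"alg": "none"}) + "." + enc({"aud": aud, "appid": "<client-id>"}) + "."
```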
I have set up an Azure Active Directory App so that I can access the Microsoft Graph API with MSAL. However, I want to perform API calls without a user (https://learn.microsoft.com/en-us/graph/auth-v2-service) and as such I have added a few permissions that require "Admin consent" to my app. However, I cannot find a way to grant my app these permissions.
I've tried looking around the Azure portal for a way to grant these permissions but without success. I have also tried using the https://login.microsoftonline.com/{tenant}/adminconsent&... link to grant permissions, but unsuccessfully so.
The response I received was
AADSTS500201: We are unable to issue tokens from this API version for a Microsoft account. Please contact the application vendor as they need to use version 2.0 of the protocol to support this.
I do not have an Azure subscription (not even the free one), but seeing as I was able to add apps to Azure AD as well as get access tokens and then make API calls on behalf of the authorized users I assumed I might not need a subscription.
I just made another app and now I have the grant consent button when I open the API Permissions view.
I have a following application architecture:
Angular 5 client
C# Web API protected by Azure tokens
The client and the API are registered in Azure app registrations and the client correctly authenticates against the API endpoints with the token. So I am getting the data which I need. So far, so good.
But then, I would like to make the API layer (server-side) fetch some data from Microsoft Graph (e.g. a simple "Me" request, https://graph.microsoft.com/v1.0/me/). I was trying to use the token which the client sends to the API, and to create a token using the app secret. Both approaches give me an insufficient privileges error from the MS Graph side.
What am I doing wrong?
Make sure you set the App Registration to have rights to access Microsoft Graph. You can do so by going to the application registration, and...
Click Settings
Go to Required permissions
Click Add
Click Select an API
Select Microsoft Graph and click Select
Under Application Permissions, check the correct permissions
Click Select to select the permissions, then Done to finish adding API access.
IMPORTANT!
Click the Grant permissions button to actually grant the permissions to the application. An admin has to grant these permissions, you can do so by clicking the button. Any changes you make in the permissions you enable for the application require you to explicitly grant the permissions by clicking the button.
More information, about for instance Application Permissions vs Delegated Permissions, can be found in this article: HowTo: invite AAD user with Microsoft Graph
I think this should be an easy fix but I've been looking at it for hours. I downloaded this sample on using ADAL with Xamarin and I'm just trying to get it to work as expected in the UWP project.
I am pretty sure my issue is in my Azure Portal configuration as I've changed the values in the sample correctly. Here is what I have done in Azure Portal though
Made an Active Directory
Made an application in that directory for a native app
Configured these permissions and granted all permissions on each for now - Windows Azure Active Directory, Microsoft Graph, Windows Azure Service Management, Office 365 Management APIs
In the app, after signing in, the app posts an AADSTS65001 "the user or administrator has not consented to use the application with id {id}" error,
but I never actually get a consent prompt, and I am already a user in the active directory.
Any ideas?
After Build, MSAL is the supported library that handles AD authentication. So for Xamarin you could check the samples for the newest library.
Consent only gets triggered once per user (unless admin consent is performed in which case it doesn't show up at all for users).
Once consent is granted, any changes to what permissions the app needs are not automatically added to existing consents, nor does the system automatically prompt the user again for consent.
I suspect this might be your case: basically you started out setting up your app to require basic privileges, ran the app and consented. Then you added more privileges, some of which required admin consent, and ran the app. Because you had already consented, you weren't prompted again, but that initial consent didn't include those new permissions, so you get an error.
You should be able to remove existing consent via Access Panel:
Go to https://myapps.microsoft.com
Find your app and click on ...
Select Remove.
NOTE: You can also do this via Graph but it requires a lengthy explanation.
There is a way to manually trigger the consent through the browser too if this is a once-only issue.
https://login.microsoftonline.com/<tenant>/oauth2/authorize?client_id=<client ID>&response_type=code&redirect_uri=<redirectionURI>&response_mode=query&resource=<resource ID for the AAD resource to access>&state=12345&prompt=consent
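An added example, not code from the answer above: it builds the v1 authorize URL with prompt=consent from the template above and the /adminconsent URL mentioned earlier in the thread, then validates the redirect that comes back. Tenant, client id and redirect URI are placeholders; `state` is generated per request (instead of the fixed 12345) so the callback can be tied to the request that issued it.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

LOGIN = "https://login.microsoftonline.com"


def user_consent_url(tenant, client_id, redirect_uri, resource, state=None):
    """v1 /oauth2/authorize URL that forces the consent prompt for the signing-in user."""
    state = state or secrets.token_urlsafe(16)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,   # must match a reply URL registered on the app
        "response_mode": "query",
        "resource": resource,           # audience of the API being consented to
        "state": state,
        "prompt": "consent",            # re-prompt even though an older consent exists
    }
    return f"{LOGIN}/{tenant}/oauth2/authorize?{urlencode(params)}", state


def admin_consent_url(tenant, client_id, redirect_uri, state=None):
    """Tenant-wide admin consent URL; grants the app's permissions for every user."""
    state = state or secrets.token_urlsafe(16)
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    return f"{LOGIN}/{tenant}/adminconsent?{urlencode(params)}", state


def check_callback(callback_url, expected_state):
    """Validate the consent redirect: state must match; surface AADSTS errors."""
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        return {"ok": False, "error": "state mismatch"}   # reject unsolicited callbacks
    if "error" in q:
        return {"ok": False, "error": q["error"][0],
                "description": q.get("error_description", [""])[0]}
    return {"ok": True, "code": q.get("code", [None])[0],
            "admin_consent": q.get("admin_consent", [None])[0]}
```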