Pietro

Reputation: 781

Azure Active Directory: assign user to an application from the gallery via Graph API

I'd need to automate the process of adding an application from the gallery (e.g. Trello), configuring it (e.g. password single sign-on) and assigning users to it.

Can this be done via Graph API?

Upvotes: 2

Views: 3450

Answers (1)

Dushyant Gill

Reputation: 4004

Yes. You can automate adding Trello to an Azure AD directory by creating a servicePrincipal in the directory corresponding to the Trello application. The default SSO setting is password SSO. You can also assign users (and groups) using the Graph API. However, the assigned users will need to configure the password that they will use with the application manually.

Add Trello to the directory (create a servicePrincipal):

  • appId is the application id of the Trello application. The value is a4937c28-17cc-469b-b082-1d6124a402f3 in all tenants.

    HTTP POST https://graph.windows.net/7fe877e6-a150-4992-bbfe-f517e304dfa0/servicePrincipals?api-version=1.5
    Authorization : Bearer eyJ0eXO--snip--zvg
    Content-Type : application/json
    Content-Length : 58

    { "appId": "a4937c28-17cc-469b-b082-1d6124a402f3" }

    Query successfully executed.

    odata.metadata                     : https://graph.windows.net/7fe877e6-a150-4992-bbfe-f517e304dfa0/$metadata#directoryObjects/Microsoft.DirectoryServices.ServicePrincipal/@Element
    odata.type                         : Microsoft.DirectoryServices.ServicePrincipal
    objectType                         : ServicePrincipal
    objectId                           : 93c60e8e-74f9-4add-9ae2-dd9bc0d6edcd
    deletionTimestamp                  :
    accountEnabled                     : True
    appDisplayName                     : Trello
    appId                              : a4937c28-17cc-469b-b082-1d6124a402f3
    appOwnerTenantId                   : 47df5bb7-e6bc-4256-afb0-dd8c8e3c1ce8
    appRoleAssignmentRequired          : False
    appRoles                           : {@{allowedMemberTypes=System.Object[]; description=msiam_access; displayName=msiam_access; id=fc60bc23-43df-4a60-baaa-f0b8694e0259; isEnabled=True; value=}}
    displayName                        : Trello
    errorUrl                           :
    homepage                           : https://127.0.0.1:444/applications/default.aspx?metadata=trello|ISV9.3|primary|z
    keyCredentials                     : {}
    logoutUrl                          :
    oauth2Permissions                  : {}
    passwordCredentials                : {}
    preferredTokenSigningKeyThumbprint :
    publisherName                      : Active Directory Application Registry
    replyUrls                          : {https://127.0.0.1:444/applications/default.aspx}
    samlMetadataUrl                    :
    servicePrincipalNames              : {a4937c28-17cc-469b-b082-1d6124a402f3, http://adapplicationregistry.onmicrosoft.com/trello/primary}
    tags                               : {}

Assign principal (user or group) to Trello:

  • resourceId is the objectId of the Trello servicePrincipal that was created in the tenant by the previous command.
  • id is the default role id of the Trello app. The value is fc60bc23-43df-4a60-baaa-f0b8694e0259 in all tenants.
  • principalId is the objectId of the principal (user or group) that is being assigned to the app.

    HTTP POST https://graph.windows.net/7fe877e6-a150-4992-bbfe-f517e304dfa0/users/de4b092e-1dd4-4d40-b74d-a2d7096c9495/appRoleAssignments?api-version=1.5
    Authorization : Bearer eyJ0eXAiOi--snip--JKVBfk_Q
    Content-Type : application/json
    Content-Length : 176

    {
      "id": "fc60bc23-43df-4a60-baaa-f0b8694e0259",
      "principalId": "de4b092e-1dd4-4d40-b74d-a2d7096c9495",
      "resourceId": "93c60e8e-74f9-4add-9ae2-dd9bc0d6edcd"
    }

    Query successfully executed.

    odata.metadata       : https://graph.windows.net/7fe877e6-a150-4992-bbfe-f517e304dfa0/$metadata#directoryObjects/Microsoft.DirectoryServices.AppRoleAssignment/@Element
    odata.type           : Microsoft.DirectoryServices.AppRoleAssignment
    objectType           : AppRoleAssignment
    objectId             : LglL3tQdQE23TaLXCWyUlVPgf9W8rhZBi1YqpnYOyMg
    deletionTimestamp    :
    creationTimestamp    : 2015-01-29T05:52:12.4851494Z
    id                   : fc60bc23-43df-4a60-baaa-f0b8694e0259
    principalDisplayName :
    principalId          : de4b092e-1dd4-4d40-b74d-a2d7096c9495
    principalType        : User
    resourceDisplayName  : Trello
    resourceId           : 93c60e8e-74f9-4add-9ae2-dd9bc0d6edcd

The assigned user will see the app in their access panel (myapp.microsoft.com). They will need to update the credentials manually.


Upvotes: 2
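The two-step procedure in the answer (create the servicePrincipal, then post an appRoleAssignment built from the ids in its response) as an added, self-contained Python example. This is not code from the answer or from Microsoft; it mirrors the Azure AD Graph calls shown above (graph.windows.net, api-version 1.5) and reuses the answer's tenant, user, appId and role ids. The bearer token is a placeholder, and `make_fake_graph` is a constructed stand-in for the service, so the whole thing runs offline; pass `http_send` instead to talk to the real endpoint.

```python
import json
import urllib.request
from typing import Any, Callable, Dict, List, Tuple

# Values taken from the answer above: the Trello gallery appId (the same in
# every tenant) and the answerer's tenant and user object ids.
TRELLO_APP_ID = "a4937c28-17cc-469b-b082-1d6124a402f3"
TENANT_ID = "7fe877e6-a150-4992-bbfe-f517e304dfa0"
USER_ID = "de4b092e-1dd4-4d40-b74d-a2d7096c9495"
GRAPH = "https://graph.windows.net"
API_VERSION = "1.5"

# A "sender" performs one HTTP call and returns the decoded JSON body.
# Injecting it keeps the Graph logic testable without network access.
Sender = Callable[[str, str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


def http_send(method: str, url: str, headers: Dict[str, str],
              body: Dict[str, Any]) -> Dict[str, Any]:
    """Real transport: send the JSON body with urllib and decode the reply."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


def _headers(token: str) -> Dict[str, str]:
    return {"Authorization": "Bearer " + token, "Content-Type": "application/json"}


def create_service_principal(token: str, app_id: str, send: Sender = http_send,
                             tenant: str = TENANT_ID) -> Dict[str, Any]:
    """Step 1 of the answer: add the gallery app to the tenant by creating its servicePrincipal."""
    url = f"{GRAPH}/{tenant}/servicePrincipals?api-version={API_VERSION}"
    return send("POST", url, _headers(token), {"appId": app_id})


def default_app_role_id(service_principal: Dict[str, Any]) -> str:
    """Read the role id out of the created servicePrincipal rather than hardcoding it.
    Trello exposes a single enabled role (msiam_access) in the answer's response."""
    roles = [r for r in service_principal.get("appRoles", []) if r.get("isEnabled")]
    if len(roles) != 1:
        raise ValueError(f"expected exactly one enabled appRole, found {len(roles)}")
    return roles[0]["id"]


def assign_principal(token: str, principal_id: str, service_principal: Dict[str, Any],
                     send: Sender = http_send, tenant: str = TENANT_ID) -> Dict[str, Any]:
    """Step 2 of the answer: create an appRoleAssignment binding the principal to the app."""
    url = f"{GRAPH}/{tenant}/users/{principal_id}/appRoleAssignments?api-version={API_VERSION}"
    body = {
        "id": default_app_role_id(service_principal),
        "principalId": principal_id,
        "resourceId": service_principal["objectId"],
    }
    return send("POST", url, _headers(token), body)


def onboard_trello(token: str, principal_id: str, send: Sender = http_send) -> Dict[str, Any]:
    sp = create_service_principal(token, TRELLO_APP_ID, send)
    return assign_principal(token, principal_id, sp, send)


def make_fake_graph(log: List[Tuple[str, str, Dict[str, str], Dict[str, Any]]]) -> Sender:
    """Constructed stand-in for graph.windows.net: records every call and answers
    with responses modelled on the two replies shown in the answer."""
    created_sp_id = "93c60e8e-74f9-4add-9ae2-dd9bc0d6edcd"
    role_id = "fc60bc23-43df-4a60-baaa-f0b8694e0259"

    def send(method, url, headers, body):
        log.append((method, url, headers, body))
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or len(auth) == len("Bearer "):
            raise PermissionError("401: missing bearer token")
        if url.endswith(f"/servicePrincipals?api-version={API_VERSION}"):
            return {"objectId": created_sp_id, "appId": body["appId"], "displayName": "Trello",
                    "appRoleAssignmentRequired": False,
                    "appRoles": [{"id": role_id, "displayName": "msiam_access", "isEnabled": True}]}
        if "/appRoleAssignments?" in url:
            return dict(body, objectType="AppRoleAssignment", principalType="User",
                        resourceDisplayName="Trello")
        raise ValueError("unexpected URL " + url)
    return send


if __name__ == "__main__":
    calls = []
    result = onboard_trello("PLACEHOLDER_TOKEN", USER_ID, make_fake_graph(calls))
    for method, url, _, body in calls:
        print(method, url, json.dumps(body))
    print("assignment:", json.dumps(result))
```

Two points worth keeping in mind when running this against a real tenant: the token must carry directory write permission, and the servicePrincipal the answer shows comes back with `appRoleAssignmentRequired : False`, so the assignment controls who sees the tile in the access panel but does not by itself restrict who can use the app; set that property to True on the servicePrincipal if assignment is meant to gate access. Azure AD Graph has since been retired; Microsoft Graph exposes the same two objects (`POST /servicePrincipals` and `POST /users/{id}/appRoleAssignments`) with the same request bodies.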
