Reputation: 189
Newly created Azure AD Application through code does not generate token with required roles
We are trying to create an Azure AD application with "ActivityFeed.Read" permission using Microsoft Graph client. The below sample successfully creates the application, but the token generated from this application, does not contain the role "ActivityFeed.Read". If we go to azure portal and make any simple changes to the newly created application and save it manually and wait for a minute, then the generated token has required roles.
public static void AddApplication()
{
ActiveDirectoryClient activeDirectoryClient = AuthenticationHelper.GetActiveDirectoryClientAsUser();
Application appObject = new Application { DisplayName = "MyNewTest" };
appObject.IdentifierUris.Add("https://localhost/MyNewTest/" + Guid.NewGuid());
appObject.ReplyUrls.Add("https://localhost/MyNewTest");
appObject.Homepage = "https://localhost/MyNewTest/home";
// Add Office 365 Management APIs
RequiredResourceAccess app1 = new RequiredResourceAccess();
app1.ResourceAppId = "c5393580-f805-4401-95e8-94b7a6ef2fc2";
//ActivityFeed.Read Role
app1.ResourceAccess.Add(new ResourceAccess() { Id = Guid.Parse("594c1fb6-4f81-4475-ae41-0c394909246c"), Type = "Role" });
appObject.RequiredResourceAccess.Add(app1);
PasswordCredential passWordCredential = new PasswordCredential
{
StartDate = DateTime.UtcNow,
EndDate = DateTime.UtcNow.AddYears(1),
Value = "xxxxxxxxxx"
};
appObject.PasswordCredentials.Add(passWordCredential);
activeDirectoryClient.Applications.AddApplicationAsync(appObject).Wait();
ServicePrincipal newServicePrincpal = new ServicePrincipal();
if (appObject != null)
{
newServicePrincpal.DisplayName = appObject.DisplayName;
newServicePrincpal.AccountEnabled = true;
newServicePrincpal.AppId = appObject.AppId;
activeDirectoryClient.ServicePrincipals.AddServicePrincipalAsync(newServicePrincpal).Wait();
}
}
Below is the decoded jwt token data for oauth2 authentication immediately after creating the new application.
{
"aud": "https://manage.office.com",
"iss": "https://sts.windows.net/de473ccc-dbc5-4625-8006-11e0e3ea8b7d/",
"iat": 1455531167,
"nbf": 1455531167,
"exp": 1455535067,
"appid": "71da9ffb-b583-43c4-bb7a-9c6e1fe30624",
"appidacr": "1",
"idp": "https://sts.windows.net/de473ccc-dbc5-4625-8006-11e0e3ea8b7d/",
"oid": "36a47844-98e8-44d5-b69e-cf114772d1d3",
"sub": "36a47844-98e8-44d5-b69e-cf114772d1d3",
"tid": "de473ccc-dbc5-4625-8006-11e0e3ea8b7d",
"ver": "1.0"
}
Below is the decoded jwt token data for oauth2 authentication, after we made some manual changes and saved it.
{
"aud": "https://manage.office.com",
"iss": "https://sts.windows.net/de473ccc-dbc5-4625-8006-11e0e3ea8b7d/",
"iat": 1455531317,
"nbf": 1455531317,
"exp": 1455535217,
"appid": "71da9ffb-b583-43c4-bb7a-9c6e1fe30624",
"appidacr": "1",
"idp": "https://sts.windows.net/de473ccc-dbc5-4625-8006-11e0e3ea8b7d/",
"oid": "36a47844-98e8-44d5-b69e-cf114772d1d3",
"roles": [
"ActivityFeed.Read"
],
"sub": "36a47844-98e8-44d5-b69e-cf114772d1d3",
"tid": "de473ccc-dbc5-4625-8006-11e0e3ea8b7d",
"ver": "1.0"
}
Please let us know how to programmatically create the application with required roles.
Upvotes: 2
Views: 745
Answers (1)
Reputation: 5838
This operation can be done through the Microsoft Graph too, but I'm answering based on AAD Graph, because AAD Graph has a client library, which you appear to be using.
When you go through the Azure Management Portal, it creates an app object, allows you to set the permissions that the app requires (which in general drives the consent experience). This is akin to the APIs you are calling to create an app object and set the RequiredResourceAccess. However, the Azure Management Portal also (within your dev tenant), creates the associated app instance (servicePrincipal) and records consent. It's that last part that you are missing in your code, and is why the app role does not show up in the token.
What you need to do is assign the ActivityFeed.Read Role to your servicePrincipal. This can be done with a POST on https://graph.windows.net//servicePrincipals//appRoleAssignments or through the AAD graph client library as your appear to be using it. The following should also work. (NOTE prior to 3/15/2016 we had a bug which prevented this operation from succeeding.)
// create the app role assignment
AppRoleAssignment appRoleAssignment = new AppRoleAssignment();
appRoleAssignment.Id = appRole.Id; // id for ActivityFeed.Read
appRoleAssignment.ResourceId = resourceId; //id for the resource
appRoleAssignment.PrincipalType = "ServicePrincipal";
appRoleAssignment.PrincipalId = Guid.Parse(newServicePrincipal.ObjectId);
newServicePrincipal.AppRoleAssignments.Add(appRoleAssignment);
// assign the app role
await newServicePrincipal.UpdateAsync();
UPDATE: The aforementioned bug has now been fixed. The code and REST API calls should now work as desired.
Hope this helps,
Upvotes: 2
Related Questions
- Azure AD v2 roles not included in Access Token
- Microsoft Graph API roles claim not in token but Application permissions added
- Authorization_RequestDenied on setting value for user key object using Microsoft Graph
- Retrieve User Details and Roles for an Azure AD application using Microsoft Graph API
- Microsoft Graph 'created' subscription is not working with application token
- Azure mulit-tenant application not getting tokens with newly defined scopes
- Microsoft Graph API: 403 Forbidden error when trying to retrieve policies on tenant
- Azure Graph API does not return newly updated data
- How can I create a microsoft azure ad user with 'mail' populated through azure or unified graph apis?
- iOS client: I can have user sign into Active Directory, but how to access MS Graph API?