Reputation: 189
We are trying to create an Azure AD application with the "ActivityFeed.Read" permission using the Microsoft Graph client. The sample below successfully creates the application, but the token generated from this application does not contain the role "ActivityFeed.Read". If we go to the Azure portal, make any simple change to the newly created application, save it manually and wait for a minute, then the generated token has the required roles.
using System;
using Microsoft.Azure.ActiveDirectory.GraphClient;

public static void AddApplication()
{
    ActiveDirectoryClient activeDirectoryClient = AuthenticationHelper.GetActiveDirectoryClientAsUser();
    Application appObject = new Application { DisplayName = "MyNewTest" };
    appObject.IdentifierUris.Add("https://localhost/MyNewTest/" + Guid.NewGuid());
    appObject.ReplyUrls.Add("https://localhost/MyNewTest");
    appObject.Homepage = "https://localhost/MyNewTest/home";

    // Add Office 365 Management APIs as a required resource
    RequiredResourceAccess app1 = new RequiredResourceAccess();
    app1.ResourceAppId = "c5393580-f805-4401-95e8-94b7a6ef2fc2";
    // ActivityFeed.Read role (application permission on that resource)
    app1.ResourceAccess.Add(new ResourceAccess() { Id = Guid.Parse("594c1fb6-4f81-4475-ae41-0c394909246c"), Type = "Role" });
    appObject.RequiredResourceAccess.Add(app1);

    // Client secret used later for the client-credentials grant
    PasswordCredential passWordCredential = new PasswordCredential
    {
        StartDate = DateTime.UtcNow,
        EndDate = DateTime.UtcNow.AddYears(1),
        Value = "xxxxxxxxxx"
    };
    appObject.PasswordCredentials.Add(passWordCredential);
    activeDirectoryClient.Applications.AddApplicationAsync(appObject).Wait();

    // Create the servicePrincipal (the tenant-local instance of the app)
    ServicePrincipal newServicePrincpal = new ServicePrincipal();
    if (appObject != null)
    {
        newServicePrincpal.DisplayName = appObject.DisplayName;
        newServicePrincpal.AccountEnabled = true;
        newServicePrincpal.AppId = appObject.AppId; // AppId is populated by AddApplicationAsync
        activeDirectoryClient.ServicePrincipals.AddServicePrincipalAsync(newServicePrincpal).Wait();
    }
}
Below is the decoded JWT token data for OAuth2 authentication immediately after creating the new application.
{
  "aud": "https://manage.office.com",
  "iss": "https://sts.windows.net/de473ccc-dbc5-4625-8006-11e0e3ea8b7d/",
  "iat": 1455531167,
  "nbf": 1455531167,
  "exp": 1455535067,
  "appid": "71da9ffb-b583-43c4-bb7a-9c6e1fe30624",
  "appidacr": "1",
  "idp": "https://sts.windows.net/de473ccc-dbc5-4625-8006-11e0e3ea8b7d/",
  "oid": "36a47844-98e8-44d5-b69e-cf114772d1d3",
  "sub": "36a47844-98e8-44d5-b69e-cf114772d1d3",
  "tid": "de473ccc-dbc5-4625-8006-11e0e3ea8b7d",
  "ver": "1.0"
}
Below is the decoded JWT token data for OAuth2 authentication after we made some manual changes and saved the application.
{
  "aud": "https://manage.office.com",
  "iss": "https://sts.windows.net/de473ccc-dbc5-4625-8006-11e0e3ea8b7d/",
  "iat": 1455531317,
  "nbf": 1455531317,
  "exp": 1455535217,
  "appid": "71da9ffb-b583-43c4-bb7a-9c6e1fe30624",
  "appidacr": "1",
  "idp": "https://sts.windows.net/de473ccc-dbc5-4625-8006-11e0e3ea8b7d/",
  "oid": "36a47844-98e8-44d5-b69e-cf114772d1d3",
  "roles": [
    "ActivityFeed.Read"
  ],
  "sub": "36a47844-98e8-44d5-b69e-cf114772d1d3",
  "tid": "de473ccc-dbc5-4625-8006-11e0e3ea8b7d",
  "ver": "1.0"
}
Please let us know how to programmatically create the application with required roles.
Upvotes: 2
Views: 745
Reputation: 5838
This operation can be done through the Microsoft Graph too, but I'm answering based on AAD Graph, because AAD Graph has a client library, which you appear to be using.
When you go through the Azure Management Portal, it creates an app object and allows you to set the permissions that the app requires (which in general drives the consent experience). This is akin to the APIs you are calling to create an app object and set the RequiredResourceAccess. However, the Azure Management Portal also (within your dev tenant) creates the associated app instance (servicePrincipal) and records consent. It's that last part that you are missing in your code, and it is why the app role does not show up in the token.
What you need to do is assign the ActivityFeed.Read Role to your servicePrincipal. This can be done with a POST on https://graph.windows.net//servicePrincipals//appRoleAssignments or through the AAD Graph client library, as you appear to be using it. The following should also work. (NOTE: prior to 3/15/2016 we had a bug which prevented this operation from succeeding.)
// create the app role assignment
// (appRole comes from the resource servicePrincipal's AppRoles collection,
//  resourceId is that servicePrincipal's objectId)
AppRoleAssignment appRoleAssignment = new AppRoleAssignment();
appRoleAssignment.Id = appRole.Id; // id for ActivityFeed.Read
appRoleAssignment.ResourceId = resourceId; // id for the resource
appRoleAssignment.PrincipalType = "ServicePrincipal";
appRoleAssignment.PrincipalId = Guid.Parse(newServicePrincipal.ObjectId);
newServicePrincipal.AppRoleAssignments.Add(appRoleAssignment);
// assign the app role (persists the assignment, i.e. records consent)
await newServicePrincipal.UpdateAsync();
UPDATE: The aforementioned bug has now been fixed. The code and REST API calls should now work as desired.
Hope this helps,
Upvotes: 2
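The full flow from the question and the answer combined, as an added example that is not code from either post: it creates the app, its servicePrincipal, and then the app role assignment that records consent, using the AAD Graph client library. The class and method names, the lookup of the role by its value instead of a hard-coded GUID, and the parameters are my assumptions.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;

public static class AppRoleProvisioner
{
    // AppId of the Office 365 Management APIs resource (taken from the question).
    const string O365ManagementAppId = "c5393580-f805-4401-95e8-94b7a6ef2fc2";

    // Hypothetical helper: creates the app, its servicePrincipal and the
    // ActivityFeed.Read assignment so client-credential tokens carry "roles".
    public static async Task<ServicePrincipal> CreateAppWithActivityFeedReadAsync(
        ActiveDirectoryClient client, string displayName, string clientSecret)
    {
        // 1. Find the resource servicePrincipal in this tenant and the role by value.
        //    Failing loudly here beats silently issuing tokens without the role.
        var resourcePage = await client.ServicePrincipals
            .Where(sp => sp.AppId == O365ManagementAppId).ExecuteAsync();
        var resource = resourcePage.CurrentPage.FirstOrDefault()
            ?? throw new InvalidOperationException("Office 365 Management APIs servicePrincipal not found.");
        var appRole = resource.AppRoles.FirstOrDefault(r => r.Value == "ActivityFeed.Read")
            ?? throw new InvalidOperationException("ActivityFeed.Read app role not found.");

        // 2. Create the application object declaring the required permission.
        var app = new Application { DisplayName = displayName };
        app.IdentifierUris.Add("https://localhost/" + displayName + "/" + Guid.NewGuid());
        var required = new RequiredResourceAccess { ResourceAppId = O365ManagementAppId };
        required.ResourceAccess.Add(new ResourceAccess { Id = appRole.Id, Type = "Role" });
        app.RequiredResourceAccess.Add(required);
        app.PasswordCredentials.Add(new PasswordCredential
        {
            StartDate = DateTime.UtcNow, EndDate = DateTime.UtcNow.AddYears(1), Value = clientSecret
        });
        await client.Applications.AddApplicationAsync(app);

        // 3. Create the app's servicePrincipal (the tenant-local instance).
        var sp = new ServicePrincipal { DisplayName = app.DisplayName, AppId = app.AppId, AccountEnabled = true };
        await client.ServicePrincipals.AddServicePrincipalAsync(sp);

        // 4. Record consent: assign the app role to the new servicePrincipal.
        sp.AppRoleAssignments.Add(new AppRoleAssignment
        {
            Id = appRole.Id,
            ResourceId = Guid.Parse(resource.ObjectId),
            PrincipalId = Guid.Parse(sp.ObjectId),
            PrincipalType = "ServicePrincipal"
        });
        await sp.UpdateAsync();
        return sp;
    }
}
```

After step 4, a client-credentials token for https://manage.office.com should carry the "roles" claim shown in the second decoded token above; if it does not, check that the resource servicePrincipal exists in the tenant (step 1 throws if it is missing).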