Reputation: 23
Tool: postman
Group.ReadWrite.All
for the Microsoft Graph app, and the app has the standard delegated permission "Sign in and read user profile" on the "Windows Azure Active Directory" app. This looks very strange to me: why was an app able to do a PATCH on a user in Azure AD when the app is only granted Group.ReadWrite.All on the Microsoft Graph API?
Upvotes: 0
Views: 1891
Reputation: 23
There are two issues here:
Issue #1) Wrong documentation for Add Owner graph.microsoft.io/en-us/docs/api-reference/v1.0/api/… ("One of the following scopes is required to execute this API: Group.ReadWrite.All or Directory.ReadWrite.All or Directory.AccessAsUser.All"). It requires both Directory.ReadWrite.All AND Group.ReadWrite.All.
Issue #2) The Azure AD portal does not remove the application service principal from the Directory Writers role if you remove the "Read and write directory data" permission from the Windows Azure AD app.
Upvotes: 0
Reputation: 5838
We are working on an experience in the new Azure portal to "consent/approve" the app in your tenant. Until then, you'll need to follow the final step in the instructions that go with this sample app (to consent the app): https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console. After doing so, you should see a "roles" claim in the access token (containing Group.ReadWrite.All).
The other issue you are reporting (it looks like your app has been added to the Directory Writers role, enabling your app to be able to perform more than just group manipulation) - this will require some more investigation, as this should not be happening. Will report back.
Hope this helps,
Upvotes: 0
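The answer above says to look for the "roles" claim in the access token, which is the quickest way to see what Graph actually thinks the app was granted. The following is an added example, not code from the thread or from Microsoft: it decodes the payload of an access token without verifying the signature (inspection only) and summarises the app-only permissions ("roles") versus delegated scopes ("scp"). The two tokens it decodes are constructed inline with placeholder tenant and app IDs; the list of permissions treated as sufficient to update a user (User.ReadWrite.All, Directory.ReadWrite.All, Directory.AccessAsUser.All) is an assumption made for the check.

```python
import base64
import json

# Constructed sample claims for an app-only token (client credentials flow).
# Assumption: tenant ID, app ID and audience are placeholders, not real values.
APP_ONLY_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "appid": "11111111-1111-1111-1111-111111111111",
    "roles": ["Group.ReadWrite.All"],
}

# Constructed sample claims for a delegated token (a user signed in through the app).
DELEGATED_CLAIMS = {
    "aud": "https://graph.microsoft.com",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
    "appid": "11111111-1111-1111-1111-111111111111",
    "scp": "User.Read Group.ReadWrite.All",
    "upn": "alice@contoso.example",
}

# Assumption for the check below: these permissions let a caller PATCH a user.
USER_WRITE_PERMISSIONS = {
    "User.ReadWrite.All",
    "Directory.ReadWrite.All",
    "Directory.AccessAsUser.All",
}


def _b64url_encode(raw: bytes) -> str:
    # JWT segments use base64url without '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding the token stripped, then decode.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature, for offline testing only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "",
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying its signature.

    This is for inspection only; never make an authorisation decision on claims
    you have not validated against the issuer's signing keys.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def summarize_permissions(claims: dict) -> dict:
    """Report which Graph permissions the token carries and for which flow.

    App-only tokens carry application permissions in 'roles'; delegated tokens
    carry space-separated scopes in 'scp'.
    """
    roles = list(claims.get("roles", []))
    scp = claims.get("scp", "")
    scopes = scp.split() if isinstance(scp, str) else list(scp)
    if roles and not scopes:
        flow = "app-only"
    elif scopes:
        flow = "delegated"
    else:
        flow = "unknown"
    granted = set(roles) | set(scopes)
    return {
        "flow": flow,
        "roles": sorted(roles),
        "scopes": sorted(scopes),
        "user_write_in_token": bool(granted & USER_WRITE_PERMISSIONS),
    }


if __name__ == "__main__":
    for label, claims in (("app-only", APP_ONLY_CLAIMS), ("delegated", DELEGATED_CLAIMS)):
        token = make_unsigned_token(claims)
        print(label, json.dumps(summarize_permissions(decode_claims(token)), indent=2))
```

To use it against a real token, paste the bearer value from Postman into `decode_claims`. If the summary shows only Group.ReadWrite.All and `user_write_in_token` is False, yet a PATCH on a user still succeeds, the service principal is getting its rights from somewhere the token does not show, which is exactly the Directory Writers role membership the question describes; in that case check the service principal's directory role memberships rather than the application's permission grants.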