Reputation: 1554
I am using https://www.nuget.org/packages/Microsoft.Azure.Management.Fluent for creating resources in Azure programmatically. The package requires me to create an Azure AD Application which will be used by my console app to authenticate for the resource management api. So far so good - I created that AD app and use that in my console app, "normal" resource management is working fine.
Now I wanted to start to also programmatically create other Azure AD Applications using the https://www.nuget.org/packages/Microsoft.Azure.Management.Graph.RBAC.Fluent package, which is a direct dependency of the package mentioned above. While I can use the package e.g. for listing existing Azure AD Applications, I am getting authorization issues (401) as soon as I try to create new Azure AD applications with it. I tried playing around with the permissions I gave to the AD app used by the console app, but had no success.
Is there either a way to...
Upvotes: 0
Views: 801
Reputation: 14649
The https://www.nuget.org/packages/Microsoft.Azure.Management.Graph.RBAC.Fluent package uses Azure AD Graph to create the application.
And there is no such app-only permission with which we can create the application. As an alternative, we can grant the Directory.AccessAsUser.All
permission for Windows Azure Active Directory and sign in as a user with Global Admin for that tenant. Here is a figure which grants the specific permission for your reference:
This library, which uses the Resource Owner Password Credentials Grant, is designed for native client applications.
In this scenario, you can register a native client app, which is a public app that has no secret. Or you can perform the Resource Owner Password Credentials Grant flow using the HttpClient
class. Here is a piece of code for your reference:
using System;
using System.Net.Http;
using System.Text;

HttpClient client = new HttpClient();
// Build the ROPC request body for the Azure AD Graph resource; every value is percent-encoded for the form.
string body = String.Format("resource={0}&client_id={1}&client_secret={2}&grant_type=password&username={3}&password={4}", Uri.EscapeDataString("https://graph.windows.net"), Uri.EscapeDataString("{clientId}"), Uri.EscapeDataString("{client_secret}"), Uri.EscapeDataString("{userName}"), Uri.EscapeDataString("{password}"));
StringContent sc = new StringContent(body, Encoding.UTF8, "application/x-www-form-urlencoded");
// POST to the tenant's v1 token endpoint; on success the JSON response carries access_token.
var result = client.PostAsync("https://login.microsoftonline.com/xxx.onmicrosoft.com/oauth2/token", sc).Result.Content.ReadAsStringAsync().Result;
Console.WriteLine(result);
In addition, since the Resource Owner Password Credentials Grant flow uses the user's username/password for authentication, please ensure that you trust the client which runs this app (refer to Resource Owner Password Credentials Grant).
Upvotes: 1
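As an added example (not the answerer's code), here is the same Resource Owner Password Credentials exchange written with FormUrlEncodedContent and error handling, followed by the request that creates the application through the Azure AD Graph REST API, which is what the question is ultimately after. The tenant, client id, user credentials and the api-version=1.6 endpoint shape are assumptions, and the credentials should be read from a secure store rather than source code.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;
class AdGraphRopcSample
{
    // Placeholders: substitute your tenant and the client id of a native (public) app registration.
    const string Tenant = "{tenant}.onmicrosoft.com";
    const string ClientId = "{clientId}";
    const string GraphResource = "https://graph.windows.net";

    // Resource Owner Password Credentials request to the v1 token endpoint for the AD Graph resource.
    // FormUrlEncodedContent percent-encodes each value, so no manual String.Format is needed.
    static async Task<string> GetUserTokenAsync(HttpClient client, string userName, string password)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["resource"] = GraphResource, ["client_id"] = ClientId, ["grant_type"] = "password",
            ["username"] = userName, ["password"] = password,
        });
        var response = await client.PostAsync($"https://login.microsoftonline.com/{Tenant}/oauth2/token", form);
        var json = JObject.Parse(await response.Content.ReadAsStringAsync());
        if (!response.IsSuccessStatusCode)   // AADSTS error details arrive in error_description
            throw new InvalidOperationException($"Token request failed: {json["error_description"]}");
        return (string)json["access_token"];
    }
    // Create an application object through the AD Graph REST API (endpoint shape assumed: api-version=1.6).
    static async Task<string> CreateApplicationAsync(HttpClient client, string token, string displayName)
    {
        var request = new HttpRequestMessage(HttpMethod.Post, $"{GraphResource}/{Tenant}/applications?api-version=1.6");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        var body = new JObject { ["displayName"] = displayName };
        request.Content = new StringContent(body.ToString(), Encoding.UTF8, "application/json");
        var response = await client.SendAsync(request);
        var json = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)   // a 401/403 here usually means the user or granted permissions are insufficient
            throw new InvalidOperationException($"Create application failed ({(int)response.StatusCode}): {json}");
        return (string)JObject.Parse(json)["objectId"];
    }
    static async Task Main()
    {
        using var client = new HttpClient();
        string token = await GetUserTokenAsync(client, "{userName}", "{password}");
        Console.WriteLine("Created application objectId: " + await CreateApplicationAsync(client, token, "console-created-app"));
    }
}
```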