Equalsk

Reputation: 8214

How can I assign access to an application provisioned in Azure via the Graph API?

We have several applications that rely on Azure AD to provision access. Having to manually assign access to each individual user is long-winded and I was looking to automate this process via the Graph API.

I'm using PowerShell to do so and I can successfully authenticate with the API and make calls to identify users etc.
What I'm struggling with is assigning access to an application programmatically.

According to the documentation this appears to only exist in the Beta version. https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/approleassignment_update

However when I use the Graph Explorer this method is not shown by intellisense. https://developer.microsoft.com/en-us/graph/graph-explorer

If I try to call it anyway I get the error:

Unsupported segment type

This suggests to me that this method does not exist and was simply not removed from the documentation.

There's an open issue on the GitHub for Graph HERE.

There are some SO threads that had a reply from an MSFT and then no resolution HERE

I found a C# sample which looks like it might do this but it obscures the details away behind libraries and I don't want to maintain a C# application.

I cannot find any information on whether this is even possible via the Graph API. Given that some of these posts are a year old I'd be surprised if Microsoft hadn't moved forward with this. All I can see are documents referring to the old Graph API which AFAIK is no longer used.

Is it possible to assign access to an application provisioned in Azure using just REST and the Graph API?

Upvotes: 1

Views: 248

Answers (1)

Fei Xue

Reputation: 14649

Based on my understanding, we can use the Azure Graph REST to achieve the same goal.

Here is the code for your reference:

using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;

// Returns Task instead of void so the caller can await it and observe any exception.
public async Task AssignRoleToUser()
{
    var client = GraphHelper.CreateGraphClient();

    // the service principal (enterprise app) that exposes the app role
    ServicePrincipal servicePrincipal = (ServicePrincipal)await client.ServicePrincipals
        .GetByObjectId("d90b4929-a2d5-43bc-8fc0-1e0adb640575").ExecuteAsync();

    // the user who will receive the assignment
    User user = (User)await client.Users
        .GetByObjectId("b2d2cadd-21f5-4021-beb5-7b23ebd5364c").ExecuteAsync();

    AppRoleAssignment appRoleAssignment = new AppRoleAssignment();

    // just use a known appRole id for this example
    appRoleAssignment.Id = servicePrincipal.AppRoles.FirstOrDefault().Id;

    // the service principal (resource) on which the app role is defined
    appRoleAssignment.ResourceId = Guid.Parse(servicePrincipal.ObjectId);

    appRoleAssignment.PrincipalType = "User";

    // the id of the user
    appRoleAssignment.PrincipalId = Guid.Parse(user.ObjectId);

    user.AppRoleAssignments.Add(appRoleAssignment);
    await user.UpdateAsync();
}

In addition, if you don't specify a custom role, you must use the default id (zero GUID).

For more detail about the Azure AD Graph entity reference, you can refer here.

Update

POST https://graph.windows.net/{tenantId}/directoryObjects/{userId}/Microsoft.DirectoryServices.User/appRoleAssignments?api-version=1.6

{     
    "odata.type":"Microsoft.DirectoryServices.AppRoleAssignment",
    "id":"{roleId}",
    "principalId":"{userId}",
    "principalType":"User",
    "resourceId":"{servicePrincipalId}"
}

Upvotes: 1
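Since the asker is working in PowerShell, here is the REST call from the answer's Update section expressed with Invoke-RestMethod. This is an added example, not code from the question or the answer. It assumes an access token for https://graph.windows.net has already been obtained (the asker says authentication already works), that the listing path users/{id}/appRoleAssignments exists in api-version 1.6, and that the tenant, user and service principal ids are supplied by the caller; the Get-AppRoleId and Add-AppRoleAssignment function names are my own. Note that Microsoft has since deprecated the Azure AD Graph endpoint (graph.windows.net) in favour of Microsoft Graph, so the shape of the request is the point here.

```powershell
# Added example, not from the question or answer. $AccessToken is assumed to be a
# bearer token for https://graph.windows.net obtained by the caller's existing login code.

function Get-AppRoleId {
    # Resolves the id of an app role exposed by a service principal. With no -RoleDisplayName
    # it returns the zero GUID, which the answer notes is the default role id.
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ServicePrincipalId,
        [Parameter(Mandatory)] [string] $AccessToken,
        [string] $RoleDisplayName
    )
    if (-not $RoleDisplayName) { return [Guid]::Empty.ToString() }

    $headers = @{ Authorization = "Bearer $AccessToken" }
    $uri = "https://graph.windows.net/$TenantId/servicePrincipals/$ServicePrincipalId?api-version=1.6"
    $sp = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers

    # Only an enabled role can be assigned; fail loudly rather than assign the wrong thing.
    $role = $sp.appRoles | Where-Object { $_.displayName -eq $RoleDisplayName -and $_.isEnabled }
    if (-not $role) { throw "App role '$RoleDisplayName' not found or disabled on '$($sp.displayName)'" }
    return $role.id
}

function Add-AppRoleAssignment {
    # Assigns one app role on a service principal to one user, skipping the POST if the
    # same assignment already exists so the script can be re-run safely.
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $UserId,
        [Parameter(Mandatory)] [string] $ServicePrincipalId,
        [Parameter(Mandatory)] [string] $AppRoleId,
        [Parameter(Mandatory)] [string] $AccessToken
    )
    $headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }

    # Assumed listing path (Azure AD Graph 1.6 AppRoleAssignment navigation on a user).
    $listUri = "https://graph.windows.net/$TenantId/users/$UserId/appRoleAssignments?api-version=1.6"
    $existing = (Invoke-RestMethod -Method Get -Uri $listUri -Headers $headers).value
    $dup = $existing | Where-Object { $_.resourceId -eq $ServicePrincipalId -and $_.id -eq $AppRoleId }
    if ($dup) {
        Write-Verbose "User $UserId already holds role $AppRoleId on $ServicePrincipalId; nothing to do"
        return $dup
    }

    # Body and path exactly as in the answer's Update section.
    $body = @{
        'odata.type'  = 'Microsoft.DirectoryServices.AppRoleAssignment'
        id            = $AppRoleId
        principalId   = $UserId
        principalType = 'User'
        resourceId    = $ServicePrincipalId
    } | ConvertTo-Json

    $postUri = "https://graph.windows.net/$TenantId/directoryObjects/$UserId/Microsoft.DirectoryServices.User/appRoleAssignments?api-version=1.6"
    return Invoke-RestMethod -Method Post -Uri $postUri -Headers $headers -Body $body
}

# Usage with constructed placeholder ids (replace with real object ids from your tenant):
# $roleId = Get-AppRoleId -TenantId $tenant -ServicePrincipalId $spId -AccessToken $token -RoleDisplayName 'Reader'
# Add-AppRoleAssignment -TenantId $tenant -UserId $userId -ServicePrincipalId $spId -AppRoleId $roleId -AccessToken $token
```

The duplicate check matters when this runs on a schedule: Azure AD Graph rejects a second identical assignment with an error, and the pre-check turns that into a no-op instead of a failed job. The token used needs a permission that allows writing directory data for the call to succeed; a read-only token will get a 403 on the POST even though the GET calls work.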
