Reputation: 937
Azure AD - Add app principal to a Group
I have an Azure AD app (AAD App1) which has user assignment enabled. So only, users from a particular group let's say "Group A" can access any resource (let's say an Azure Function API) protected by that Azure AD app.
Now I have another daemon Azure function job, which needs to make an authenticated call to the above mentioned Azure function API. Since this is a daemon job, I have generated another Azure AD app (AAD App2) for this.
Below is my code to get access tokens:
string resourceId = "id of app used to authenticate azure function"; // AAD app ID used by the Azure function for authentication
string clientId = "id of app registered for the daemon job";// AAD app ID of your console app
string clientSecret = "secret of app registered for the daemon job"; // Client secret of the AAD app registered for console app
string resourceUrl = "https://blahblah.azurewebsites.net/api/events";
string domain = "<mytenant>.onmicrosoft.com"; //Tenant domain
var accessToken = await TokenHelper.GetAppOnlyAccessToken(domain, resourceId, clientId, clientSecret);
Now when I try to generate access token to access the Azure function API, I get an invalid grant error as below:
AdalException: {"error":"invalid_grant","error_description":"AADSTS50105: Application '' is not assigned to a role for the application ''.\r\nTrace ID: 6df90cf440-c16d-480e-8daf-2349ddef3800\r\nCorrelation ID: 4c4bf7bf-2140-4e01-93e3-b85d1ddfc09d4d\r\nTimestamp: 2018-05-09 17:28:11Z","error_codes":[50105],"timestamp":"2018-05-09 17:28:11Z","trace_id":"690cf440-c16d-480e-8daf-2349ddef3800","correlation_id":"4c4bf7bf-2140-4e01-93ef3-b85d1dc09d4d"}: Unknown error
I am able to properly generate AAD access tokens if I disable the user assignment.
I am trying to avoid creating a service account here. Is there anyway I can add an app principal to an Azure AD group or add it as a member of another Azure AD app?
Upvotes: 1
Views: 3304
Answers (1)
Reputation: 9401
Unfortunately, you cannot add an AAD application/service principal as a member of Azure AD group.
I have confirmed this issue in My Answer for another similar question [EDIT - now seems to be possible, see said answer]
You can also upvote this idea in our Feedback Forum. Azure AD Team will review it.
Hope this helps!
Upvotes: 2
Related Questions
- Add AAD application as a member of a security group
- How to assign AAD Group to an Enterprise App?
- Azure Service Principal - permission to add members to an AD group
- Not able to make an Azure app as member of an Azure Group
- Assign AD Group to Azure AD Application Role using Graph API
- Add users/groups and roles to Azure AD native app
- Azure AD create user group for Application
- How can I set an AAD group as an owner on an AAD application?
- Assign nested group to role in Azure AD Applications Users and groups
- Azure AD - Assign Users and Groups to App