Mykhail Galushko

Reputation: 515

Azure AD: how to setup custom permissions for app?

We have an Azure AD app configured to access multiple organization resources (hidden with mask) (custom resources, like Contoso Service). We would like to add one more resource to be part of this setup.

Can anyone please guide me or share a link to documentation: how should this custom permission be configured to appear in the list in the Azure AD configuration dashboard?


Upvotes: 2

Views: 654

Answers (1)

Philippe Signoret

Reputation: 14336

When you go through the experience to add a new required permission, the portal is looking at all the ServicePrincipal objects in your Azure AD tenant. For each ServicePrincipal object, it then looks at the AppRoles and OAuth2Permissions attributes, to see if the application represented by that ServicePrincipal object is publishing any application permissions or delegated permissions, respectively.

So, in order to see a resource in the list of available resources (i.e. APIs), you first need to ensure there exists a ServicePrincipal object for that resource, in your Azure AD tenant (i.e. in the Azure AD tenant where you are creating the client app's app registration).

A ServicePrincipal object for an app will usually be created in your Azure AD tenant when you (or someone else in your tenant) signs in to and consents to the permissions being requested by the app. If the ServicePrincipal object doesn't exist in your tenant, you can create it manually by referencing the resource app's AppId.

With Azure AD PowerShell:

New-AzureADServicePrincipal -AppId "{app-id}"

With Azure CLI:

az ad sp create --id "{app-id}"

Directly with Azure AD Graph (e.g. with Azure AD Graph Explorer):

POST https://graph.windows.net/myorganization/servicePrincipals

{ "appId": "{app-id}" }

Directly with Microsoft Graph (beta) (e.g. with Microsoft Graph Explorer):

POST https://graph.microsoft.com/beta/servicePrincipals

{ "appId": "{app-id}" }

Once the ServicePrincipal object has been created in your tenant, if it publishes AppRoles or OAuth2Permissions, you should see it listed in the app registration experience, when choosing which permission your app requires.

Note 1: Some of the behavior described differs for ServicePrincipal objects referencing Microsoft apps and services.

Note 2: Once a ServicePrincipal object exists in your Azure AD tenant, it is possible for whoever owns the backing app registration to authenticate (as the app) in your tenant and obtain an access token. This in itself does not grant the app access to anything (at least not for Microsoft services), but it is easier at this point for a user to accidentally (or intentionally) grant that app access to your organization's resources (e.g. in Azure, for example, the app will show up in the list of users, groups or apps which can be granted access to a subscription's resources).

Upvotes: 3
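The procedure in the answer above (check whether a ServicePrincipal for the resource's AppId exists in the tenant, create it if not, then confirm what application and delegated permissions it publishes), as an added example that is not part of the original answer. It calls Microsoft Graph v1.0 rather than the beta endpoint shown, assumes a caller-supplied bearer token, and takes an injectable transport so the logic can be exercised offline against a constructed stand-in for Graph; the GUID check keeps malformed input out of the $filter expression.

```python
import json
import urllib.parse
import urllib.request
import uuid

GRAPH = "https://graph.microsoft.com/v1.0"  # assumption: v1.0 instead of the /beta endpoint in the answer


def http_transport(token):
    """Real transport: (method, url, body) -> parsed JSON, sent with a bearer token (assumed supplied)."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def find_service_principal(app_id, send):
    """Return the tenant's ServicePrincipal for app_id, or None if none exists yet."""
    query = urllib.parse.urlencode({"$filter": f"appId eq '{app_id}'"})
    hits = send("GET", f"{GRAPH}/servicePrincipals?{query}")["value"]
    return hits[0] if hits else None


def ensure_service_principal(app_id, send):
    """Create the ServicePrincipal from the AppId if absent; report what it publishes."""
    uuid.UUID(app_id)  # reject anything that is not a GUID before it reaches the $filter
    sp = find_service_principal(app_id, send)
    created = sp is None
    if created:
        sp = send("POST", f"{GRAPH}/servicePrincipals", {"appId": app_id})
    enabled = lambda items: sorted(i["value"] for i in items if i.get("isEnabled", True))
    return {"id": sp["id"], "created": created,
            "application_permissions": enabled(sp.get("appRoles", [])),  # AppRoles
            "delegated_permissions": enabled(sp.get("oauth2PermissionScopes", []))}  # OAuth2Permissions in AAD Graph


def fake_graph(tenant, catalog):
    """Constructed stand-in for Graph: tenant maps appId -> existing SP, catalog says what each app publishes."""
    def send(method, url, body=None):
        if method == "GET":
            flt = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)["$filter"][0]
            wanted = flt.split("'")[1]
            return {"value": [sp for sp in tenant.values() if sp["appId"] == wanted]}
        sp = {"id": f"sp-{len(tenant) + 1}", "appId": body["appId"], **catalog[body["appId"]]}
        tenant[body["appId"]] = sp
        return sp
    return send


# Constructed sample: a "Contoso Service" resource app with no ServicePrincipal in the tenant yet.
CONTOSO_APP_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_CATALOG = {CONTOSO_APP_ID: {
    "appRoles": [{"value": "Contoso.Read.All", "isEnabled": True}, {"value": "Contoso.Legacy", "isEnabled": False}],
    "oauth2PermissionScopes": [{"value": "user_impersonation", "isEnabled": True}]}}

if __name__ == "__main__":
    print(ensure_service_principal(CONTOSO_APP_ID, fake_graph({}, SAMPLE_CATALOG)))
```

Running it a second time against the same tenant reports created=False, which is the state the portal needs before the resource shows up in the required-permissions list.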
