Jack A.

Reputation: 4443

How to create an API scope using Azure AD Graph API

I'm trying to use the Azure AD Graph API to create an API Scope for an Azure AD B2C application. This is the operation performed using the "Expose an API" blade in the portal.

I've tried adding the scope directly to the application like so:

// Read the current application object and append a scope to its exposed API
var current = await graphClient.Applications[appId].Request().GetAsync();
var currentList = current.Api.Oauth2PermissionScopes ?? new List<PermissionScope>();
var newScope = new PermissionScope
{
    // No Id is assigned to the new scope here
    AdminConsentDescription = scopeDescription,
    AdminConsentDisplayName = scopeDescription,
    IsEnabled = true,
    Type = "Admin",
    Value = scopeName
};
var updated = new Application
{
    Api = new ApiApplication
    {
        Oauth2PermissionScopes = currentList.Append(newScope).ToList()
    }
};
await graphClient.Applications[appId].Request().UpdateAsync(updated);

However, when I do that, I get an exception:

Microsoft.Graph.ServiceException
Code: ValueRequired
Message: Property api.oauth2PermissionScopes.id value is required but is empty or missing.

Does this mean that I need to create the scope separately then add it to the application? Looking over the Graph API docs, it isn't obvious how to do that and I haven't found any articles that discuss it, either.

How do you use Graph API to create API scopes?

Upvotes: 2

Views: 2665

Answers (1)

Jim Xu

Reputation: 23111

If you want to use the Microsoft Graph API to create an API scope for an Azure AD B2C application, we need to define a PermissionScope object. The object should provide an id (it is a GUID).

For example

  1. Register Application

  2. Grant API permissions

    • Under Manage, select API permissions.
    • Under Configured permissions, select Add a permission.
    • Select the Microsoft APIs tab, then select Microsoft Graph.
    • Select Application permissions.
    • Select the checkbox of the permission Application.ReadWrite.All to grant to your application.
    • Select Add permissions. As directed, wait a few minutes before proceeding to the next step.
    • Select Grant admin consent for (your tenant name).
  3. Create a client secret

  4. code

using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;

class Program
{
    static async Task Main(string[] args)
    {
        // Client credentials of the registered application (see steps 1-3).
        // Load the secret from configuration or a vault rather than source.
        string clientId = "0159ec7d-f99f-***";
        string clientSecret = "G_fM3QKa***essTRX23t1_o";
        string tenantDomain = "{your tenant name}.onmicrosoft.com";

        IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithTenantId(tenantDomain)
            .WithClientSecret(clientSecret)
            .Build();

        // App-only token; the app needs the Application.ReadWrite.All permission granted above
        ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);
        GraphServiceClient graphClient = new GraphServiceClient(authProvider);

        // Object id of the application to update (not its appId / client id)
        var id = "fa89ac50-d5fd-47cb-9f3f-833f413a2ed4";
        var app = await graphClient.Applications[id].Request().GetAsync();
        var updated = new Application();

        // An exposed API needs an Application ID URI; set one if the app has none
        if (app.IdentifierUris == null || !app.IdentifierUris.Any())
        {
            updated.IdentifierUris = new string[] { $"https://{tenantDomain}/{app.AppId}" };
        }

        // The update replaces the whole collection, so keep existing scopes and append the new one
        var appscope = (app.Api?.Oauth2PermissionScopes ?? Enumerable.Empty<PermissionScope>()).ToList();
        var newScope = new PermissionScope
        {
            Id = Guid.NewGuid(), // each scope must carry a client-supplied GUID
            AdminConsentDescription = "Allow the application to have read-only access to all Employee data",
            AdminConsentDisplayName = "Read-only access to Employee records",
            IsEnabled = true,
            Type = "Admin",
            Value = "Employees.Read.All"
        };
        appscope.Add(newScope);
        updated.Api = new ApiApplication { Oauth2PermissionScopes = appscope };
        await graphClient.Applications[id].Request().UpdateAsync(updated);
    }
}


For more details, please refer to here.

Upvotes: 4
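The same update expressed at the REST level, as an added example that is not part of the answer: it builds the JSON body for PATCH /applications/{id} from a constructed GET response, carries the existing scopes over, rejects a scope without an id (the cause of the ValueRequired error in the question) or a duplicate value, and sets identifierUris when the app has none. The sample application, its GUIDs and the tenant domain are constructed placeholders.

```python
import uuid

# Constructed sample of GET /v1.0/applications/{id}: one scope already
# exposed, no identifier URI yet. The GUIDs are placeholders.
SAMPLE_APP = {
    "id": "00000000-0000-0000-0000-000000000001",     # object id
    "appId": "00000000-0000-0000-0000-000000000002",  # client id
    "identifierUris": [],
    "api": {"oauth2PermissionScopes": [{
        "id": "11111111-1111-1111-1111-111111111111",
        "value": "Employees.Read.All", "type": "Admin", "isEnabled": True,
        "adminConsentDisplayName": "Read-only access to Employee records",
        "adminConsentDescription": "Read-only access to all Employee data",
    }]},
}


def build_scope_patch(app, scope_name, description, tenant_domain):
    """Build the JSON body for PATCH /applications/{id} that adds one scope.

    PATCH replaces the whole oauth2PermissionScopes collection, so existing
    scopes are carried over unchanged. Every scope, old or new, must carry an
    id; a missing one is what produced the ValueRequired error in the question.
    """
    existing = list((app.get("api") or {}).get("oauth2PermissionScopes") or [])
    for scope in existing:
        if not scope.get("id"):
            raise ValueError(f"existing scope {scope.get('value')!r} has no id")
    if any(s.get("value") == scope_name for s in existing):
        raise ValueError(f"scope value {scope_name!r} is already exposed")
    new_scope = {
        "id": str(uuid.uuid4()),  # client-supplied GUID, as in the answer
        "adminConsentDescription": description,
        "adminConsentDisplayName": description,
        "isEnabled": True,
        "type": "Admin",  # "Admin": only administrators can consent to it
        "value": scope_name,
    }
    body = {"api": {"oauth2PermissionScopes": existing + [new_scope]}}
    # The scope is requested as <identifierUri>/<value>, so give the app an
    # identifier URI if it has none (the answer's code does the same).
    if not app.get("identifierUris"):
        body["identifierUris"] = [f"https://{tenant_domain}/{app['appId']}"]
    return body
```

The returned dictionary is what the SDK serialises for UpdateAsync; sending it with an app-only token holding Application.ReadWrite.All is the same operation the answer performs.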
