Reputation: 294
I want to delete a user from Azure AD B2C using the Graph API. I registered a new application for this purpose to get permission for the Graph API. Create app:
POST https://graph.microsoft.com/v1.0/servicePrincipals/{resource-id}/appRoleAssignedTo
{
"principalId": "{principal-id}",
"resourceId": "{resource-id}",
"appRoleId": "{app-role-id}"
}
I got the service principal id from the service principal object:
@odata.context : https://graph.microsoft.com/v1.0/$metadata#servicePrincipals/$entity
id : xxxxxxxxxxxxxxxxxxxxxxxxx
deletedDateTime :
accountEnabled : True
alternativeNames : {}
appDisplayName : xxx
appDescription :
appId : xxxxxxxxxx
applicationTemplateId :
appOwnerOrganizationId : xxxxxxxxxxxxxxxx
appRoleAssignmentRequired : False
createdDateTime :
description :
displayName : xxxx
homepage :
loginUrl :
logoutUrl :
notes :
notificationEmailAddresses : {}
preferredSingleSignOnMode :
preferredTokenSigningKeyThumbprint :
replyUrls : {}
resourceSpecificApplicationPermissions : {}
samlSingleSignOnSettings :
servicePrincipalNames : {cxxxxx}
servicePrincipalType : Application
signInAudience : AzureADMyOrg
tags : {}
tokenEncryptionKeyId :
verifiedPublisher : @{displayName=; verifiedPublisherId=; addedDateTime=}
addIns : {}
appRoles : {}
info : @{logoUrl=; marketingUrl=; privacyStatementUrl=; supportUrl=; termsOfServiceUrl=}
keyCredentials : {}
oauth2PermissionScopes : {}
passwordCredentials : {}
I assumed principalId is the id of the object and resourceId is the same. Then how do I get the appRoleId?
Upvotes: 0
Views: 479
Reputation: 130
You want to grant the role User.ReadWrite.All to allow deleting users from Azure AD. As per the documentation this will require admin consent.
Using the endpoint https://graph.microsoft.com/v1.0/applications with this payload will create an app registration, with the proper role:
{
"displayName": "My App",
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "741f803b-c850-494e-b5df-cde7c675a1ca",
"type": "Role"
}
]
}
]
}
The endpoint is documented here
Upvotes: 1
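The answer above gives the application-permission id for User.ReadWrite.All, but the question was how to derive it. The example below is added here and is not code from either post. It runs offline against constructed sample objects: the only real identifiers are the Microsoft Graph appId (00000003-0000-0000-c000-000000000000) and the User.ReadWrite.All role id quoted in the answer; every object id and the token are made up. It shows where appRoleId actually comes from (the appRoles list of the Microsoft Graph service principal, not your own app's service principal, whose appRoles list is empty as the dump in the question shows), that principalId and resourceId are two different objects, and how to confirm consent worked by inspecting the roles claim of an app-only token.

```python
"""Deriving the ids for appRoleAssignedTo and checking that consent took effect.

Added example. Runs offline: GRAPH_SP, MY_APP_SP_ID and the token are constructed
stand-ins; only GRAPH_APP_ID and USER_READWRITE_ALL are real, fixed values.
"""
import base64
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"        # Microsoft Graph, same in every tenant
USER_READWRITE_ALL = "741f803b-c850-494e-b5df-cde7c675a1ca"   # app role id quoted in the answer

# Constructed stand-in for GET /servicePrincipals?$filter=appId eq '<GRAPH_APP_ID>',
# i.e. the Microsoft Graph service principal in the tenant. Only the fields used here.
GRAPH_SP = {
    "id": "11111111-1111-1111-1111-111111111111",   # constructed: tenant-specific object id
    "appId": GRAPH_APP_ID,
    "appRoles": [
        {"id": USER_READWRITE_ALL, "value": "User.ReadWrite.All",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
        {"id": "22222222-2222-2222-2222-222222222222", "value": "User.Read.All",
         "allowedMemberTypes": ["Application"], "isEnabled": True},
    ],
}
MY_APP_SP_ID = "33333333-3333-3333-3333-333333333333"   # constructed: your app's SP object id


def find_app_role_id(resource_sp: dict, value: str) -> str:
    """Look up an application permission by its 'value' on the *resource* service principal.

    The id is never on your own SP; it is defined by the API that exposes the
    permission (here Microsoft Graph) and is the same in every tenant.
    """
    for role in resource_sp["appRoles"]:
        if role["value"] == value and "Application" in role["allowedMemberTypes"]:
            if not role.get("isEnabled", True):
                raise ValueError(f"{value} exists but is disabled")
            return role["id"]
    raise KeyError(f"{value} is not an application permission on {resource_sp['appId']}")


def app_role_assignment_body(principal_sp_id: str, resource_sp: dict, value: str) -> dict:
    """Body for POST /servicePrincipals/{resource_sp['id']}/appRoleAssignedTo.

    principalId = the SP being granted the permission (your app),
    resourceId  = the SP of the API (Graph). They are not the same object.
    """
    return {
        "principalId": principal_sp_id,
        "resourceId": resource_sp["id"],
        "appRoleId": find_app_role_id(resource_sp, value),
    }


def required_resource_access(value: str, resource_sp: dict) -> dict:
    """The requiredResourceAccess block from the answer, derived instead of pasted.

    This only *requests* the permission on the app registration. Tokens carry it
    only after an appRoleAssignedTo POST (or the portal's 'Grant admin consent').
    """
    return {
        "requiredResourceAccess": [{
            "resourceAppId": resource_sp["appId"],
            "resourceAccess": [{"id": find_app_role_id(resource_sp, value), "type": "Role"}],
        }]
    }


def token_roles(access_token: str) -> list:
    """Return the 'roles' claim of an app-only token.

    Claims are read without signature verification: fine for debugging consent,
    never for making an authorization decision.
    """
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64)).get("roles", [])


def can_delete_users(access_token: str) -> bool:
    """DELETE /users/{id} under app-only auth needs User.ReadWrite.All in 'roles'."""
    return "User.ReadWrite.All" in token_roles(access_token)


def _fake_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string so the demo runs without a tenant."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    print(json.dumps(app_role_assignment_body(MY_APP_SP_ID, GRAPH_SP, "User.ReadWrite.All"), indent=2))
    print(json.dumps(required_resource_access("User.ReadWrite.All", GRAPH_SP), indent=2))
    consented = _fake_token({"aud": GRAPH_APP_ID, "roles": ["User.ReadWrite.All"]})
    print("can delete users:", can_delete_users(consented))
```

In a real tenant the resource service principal comes from GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000', and the POST to appRoleAssignedTo must itself be made by an identity that is allowed to grant application permissions (a Global Administrator, or an app holding AppRoleAssignment.ReadWrite.All). If a freshly minted token has no roles claim at all, the permission was requested but never consented.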
Reputation: 58723
User Administrator is a directory role, not an app role. You need to use this endpoint in MS Graph: https://learn.microsoft.com/en-us/graph/api/directoryrole-post-members?view=graph-rest-1.0&tabs=http.
It requires that you do an HTTP POST request to https://graph.microsoft.com/v1.0/directoryRoles/{id}/members/$ref.
Request body example from docs:
{
"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{user-id}"
}
If you are looking to assign this directory role to the service principal, I'm pretty sure you can set the service principal object id in the body instead of a user id.
You may need to find out the User Administrator role's id first from https://learn.microsoft.com/en-us/graph/api/directoryrole-list?view=graph-rest-1.0&tabs=http.
Upvotes: 1
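A worked version of the procedure in this answer, added here and not part of the answer itself. It runs offline against a constructed GET /directoryRoles response; the object ids are made up, while the two roleTemplateId values are the built-in ones for User Administrator and Global Administrator. It covers the step the answer only hints at (looking up the tenant-specific role id), the fact that /directoryRoles lists only roles already activated in the tenant, so a dormant role has to be activated from its template first, and it confirms the answer's hunch that the $ref body takes any directoryObject, a service principal included.

```python
"""Assigning a directory role (not an app role) to a service principal via Graph.

Added example. ACTIVATED_ROLES is a constructed stand-in for GET /directoryRoles;
object ids are made up, roleTemplateId values are the real built-in ones.
"""
GRAPH = "https://graph.microsoft.com/v1.0"

# roleTemplateId is stable across tenants; the directoryRole *object* id is not,
# which is why it has to be looked up (or created by activation) per tenant.
USER_ADMIN_TEMPLATE_ID = "fe930be7-5e62-47db-91af-98c3a49a38b1"
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"

# Constructed: a tenant in which only Global Administrator has ever been activated,
# so User Administrator is absent from /directoryRoles even though the template exists.
ACTIVATED_ROLES = [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001",
     "displayName": "Global Administrator",
     "roleTemplateId": GLOBAL_ADMIN_TEMPLATE_ID},
]


def find_directory_role_id(activated_roles: list, role_template_id: str):
    """Return the tenant-specific id of an activated directoryRole, or None.

    Match on roleTemplateId, not displayName: names are localised and have been
    renamed over time (User Account Administrator became User Administrator).
    """
    for role in activated_roles:
        if role["roleTemplateId"] == role_template_id:
            return role["id"]
    return None


def member_ref_body(object_id: str) -> dict:
    """Body for POST /directoryRoles/{id}/members/$ref.

    The reference points at /directoryObjects/, the base type of both users and
    service principals, so a service principal's object id is accepted here.
    """
    return {"@odata.id": f"{GRAPH}/directoryObjects/{object_id}"}


def plan_role_assignment(activated_roles: list, role_template_id: str,
                         principal_object_id: str) -> list:
    """Return the ordered (method, url, body) calls needed to assign the role.

    If the role is dormant, POST /directoryRoles with the template id first; the
    'id' in that response is the role id to use in the members/$ref call.
    """
    steps = []
    role_id = find_directory_role_id(activated_roles, role_template_id)
    if role_id is None:
        steps.append(("POST", f"{GRAPH}/directoryRoles", {"roleTemplateId": role_template_id}))
        role_id = "{id-from-activation-response}"   # placeholder until the first call runs
    steps.append(("POST", f"{GRAPH}/directoryRoles/{role_id}/members/$ref",
                  member_ref_body(principal_object_id)))
    return steps


if __name__ == "__main__":
    sp_object_id = "33333333-3333-3333-3333-333333333333"   # constructed: your app's SP id
    for method, url, body in plan_role_assignment(ACTIVATED_ROLES, USER_ADMIN_TEMPLATE_ID, sp_object_id):
        print(method, url)
        print("   ", body)
```

The caller making these requests needs RoleManagement.ReadWrite.Directory (or an equivalent privileged role). Least-privilege caveat: User Administrator lets the service principal create, reset and manage most users, far more than deletion. If the accounts to be deleted hold no directory roles themselves, the User.ReadWrite.All application permission from the earlier answer is sufficient and is the smaller grant; the directory role is only needed when the targets are themselves administrators.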