Reputation: 9
I'm using Microsoft Graph API to create an application making an HTTP request using the following documentation: https://learn.microsoft.com/en-us/graph/api/application-post-applications?view=graph-rest-1.0&tabs=http
Example:

```http
POST https://graph.microsoft.com/v1.0/applications
Content-type: application/json

{
  "displayName": "MyAppName",
  "signInAudience": "AzureADMultipleOrgs"
}
```
But I need to add some API permissions (Microsoft Graph Application permissions) when creating the applications so I can do other operations like getting the Azure AD groups, modify them, create users, etc. Is there a way to add and grant the permissions programmatically as well without doing it through the portal?
Thank you.
Upvotes: 0
Views: 1977
Reputation: 2040
The first thing you'll need is the object ID of the Microsoft Graph service principal in your tenant. `00000003-0000-0000-c000-000000000000` is the globally unique application ID for Microsoft Graph, which we can use to get the object ID by making a request like below.

```http
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'&$select=id,appId,appDisplayName
```
Example response. The object ID we need is the `id` in the response.

```json
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals(id,appId,appDisplayName)",
  "value": [
    {
      "id": "bd0a624d-11f8-44ab-a015-d8f276d75ad3",
      "appId": "00000003-0000-0000-c000-000000000000",
      "appDisplayName": "Microsoft Graph"
    }
  ]
}
```
References
Application IDs for commonly used Microsoft applications
You can add the API permissions, which is separate from granting admin consent.

```http
PATCH https://graph.microsoft.com/v1.0/applications/{application_id}
```

Headers

| Key | Value |
|---|---|
| Authorization | Bearer {access token} |
| Content-Type | application/json |

Body

| Key | Value |
|---|---|
| resourceAppId | The API resource to add permissions from; in this case `00000003-0000-0000-c000-000000000000` is for Microsoft Graph |
| resourceAccess | Array of permissions, each containing the ID and type |
| id | Use the globally unique ID of the permission you want to add, which you can reference from All permissions and IDs |
| type | For delegated permissions, use `Scope`. For application permissions, use `Role` |
Example body. The below permissions are for User.Read (delegated), openid (delegated), and Directory.Read.All (application).

```json
{
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
          "type": "Scope"
        },
        {
          "id": "37f7f235-527c-4136-accd-4a02d197296e",
          "type": "Scope"
        },
        {
          "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
          "type": "Role"
        }
      ]
    }
  ]
}
```
References
Update application API endpoint
requiredResourceAccess resource type
Important to note that you can only grant admin consent with the API for delegated permissions. For application permissions, you'll need to use the Portal and click the button.
```http
POST https://graph.microsoft.com/v1.0/oauth2PermissionGrants
```

Headers

| Key | Value |
|---|---|
| Authorization | Bearer {access token} |

Body

| Key | Value |
|---|---|
| clientId | The Enterprise Application object ID to which you want to grant consent |
| consentType | Indicates if authorization is granted for the client application to impersonate all users or only a specific user. `AllPrincipals` indicates authorization to impersonate all users. `Principal` indicates authorization to impersonate a specific user. Consent on behalf of all users can be granted by an administrator. Non-admin users may be authorized to consent on behalf of themselves in some cases, for some delegated permissions. Required. Supports `$filter` (`eq` only). |
| resourceId | Use the object ID we obtained earlier for the Microsoft Graph service principal |
| scope | A space-separated list of the claim values for delegated permissions which you want to grant admin consent to |

Example body

```json
{
  "clientId": "7f244605-717f-408f-96fb-d369678cea56",
  "consentType": "AllPrincipals",
  "resourceId": "bd0a624d-11f8-44ab-a015-d8f276d75ad3",
  "scope": "openid User.Read"
}
```
References
Create oAuth2PermissionGrant API endpoint
oAuth2PermissionGrant resource type
Upvotes: 1
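The steps in the answer above, chained into one script. This is an added example and not code from the original post: it builds the `requiredResourceAccess` and `oauth2PermissionGrants` bodies from permission names, resolves the Graph service principal's object ID with the `$filter` query, and drives the calls through a `transport(method, url, body)` callable so the whole flow can run offline against a constructed in-memory `FakeGraph`. The permission IDs in `PERMISSIONS` are the three from the answer. One step the answer does not show is creating the app's service principal (`POST /servicePrincipals`), which `POST /applications` does not do on its own and which the grant's `clientId` needs. `graph_transport` is a hypothetical real transport over `urllib`; the token scopes it names are assumptions.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph, same in every tenant

# Permission IDs as listed in the answer: name -> (permission id, type)
PERMISSIONS = {
    "User.Read": ("e1fe6dd8-ba31-4d61-89e7-88639da4683d", "Scope"),
    "openid": ("37f7f235-527c-4136-accd-4a02d197296e", "Scope"),
    "Directory.Read.All": ("7ab1d382-f21e-4acd-a863-ba3e13f7da61", "Role"),
}


def required_resource_access(names):
    """Body for PATCH /applications/{id}. PATCH replaces the whole
    requiredResourceAccess collection, so always send the complete list."""
    access = []
    for name in names:
        if name not in PERMISSIONS:
            raise ValueError(f"unknown permission {name!r}; add its ID to PERMISSIONS")
        perm_id, perm_type = PERMISSIONS[name]
        access.append({"id": perm_id, "type": perm_type})
    return {"requiredResourceAccess": [
        {"resourceAppId": GRAPH_APP_ID, "resourceAccess": access}]}


def permission_grant(client_sp_id, resource_sp_id, names):
    """Body for POST /oauth2PermissionGrants. This object only models delegated
    permissions (type Scope), so application permissions (Role) are rejected."""
    roles = [n for n in names if PERMISSIONS[n][1] == "Role"]
    if roles:
        raise ValueError(f"oauth2PermissionGrants cannot grant application permissions: {roles}")
    return {"clientId": client_sp_id, "consentType": "AllPrincipals",
            "resourceId": resource_sp_id, "scope": " ".join(names)}


def graph_sp_object_id(transport):
    """Tenant-specific object ID of the Microsoft Graph service principal."""
    url = f"{GRAPH}/servicePrincipals?$filter=appId eq '{GRAPH_APP_ID}'&$select=id,appId"
    hits = transport("GET", url, None).get("value", [])
    if len(hits) != 1:
        raise RuntimeError(f"expected one Microsoft Graph service principal, got {len(hits)}")
    return hits[0]["id"]


def provision(transport, display_name, delegated, application):
    """Run the whole flow. transport(method, url, body) returns the parsed JSON."""
    app = transport("POST", f"{GRAPH}/applications",
                    {"displayName": display_name, "signInAudience": "AzureADMultipleOrgs"})
    # POST /applications does not create the enterprise application (service
    # principal), and the grant's clientId needs that object, so create it too.
    sp = transport("POST", f"{GRAPH}/servicePrincipals", {"appId": app["appId"]})
    transport("PATCH", f"{GRAPH}/applications/{app['id']}",
              required_resource_access(list(delegated) + list(application)))
    grant = transport("POST", f"{GRAPH}/oauth2PermissionGrants",
                      permission_grant(sp["id"], graph_sp_object_id(transport), list(delegated)))
    # Application permissions still need admin consent as described in the answer.
    return {"applicationId": app["id"], "servicePrincipalId": sp["id"],
            "grantId": grant["id"], "pendingAppRoles": list(application)}


def graph_transport(access_token):
    """Hypothetical real transport over urllib. The token is assumed to carry at
    least Application.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All."""
    def call(method, url, body):
        req = urllib.request.Request(
            url, method=method, data=None if body is None else json.dumps(body).encode(),
            headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return call


class FakeGraph:
    """Constructed in-memory stand-in for the endpoints used above, so the flow
    runs offline and the request bodies can be inspected."""
    def __init__(self):
        self.calls, self.n = [], 0

    def __call__(self, method, url, body):
        self.calls.append((method, url, body))
        self.n += 1
        path = url[len(GRAPH):]
        if method == "POST" and path == "/applications":
            return {"id": f"app-obj-{self.n}", "appId": f"app-id-{self.n}"}
        if method == "POST" and path == "/servicePrincipals":
            return {"id": f"sp-{self.n}", "appId": body["appId"]}
        if method == "GET" and path.startswith("/servicePrincipals?$filter"):
            # object ID taken from the answer's sample response
            return {"value": [{"id": "bd0a624d-11f8-44ab-a015-d8f276d75ad3", "appId": GRAPH_APP_ID}]}
        if method == "PATCH" and path.startswith("/applications/"):
            return {}
        if method == "POST" and path == "/oauth2PermissionGrants":
            return {"id": f"grant-{self.n}", **body}
        raise RuntimeError(f"unexpected call {method} {url}")


if __name__ == "__main__":
    fake = FakeGraph()  # swap for graph_transport("<token>") to run against a tenant
    print(json.dumps(provision(fake, "MyAppName", ["openid", "User.Read"], ["Directory.Read.All"]), indent=2))
```

The check in `permission_grant` is the one worth keeping: `oauth2PermissionGrants` only carries delegated scopes, so passing an application permission there is a silent mistake if the client just joins the names into the `scope` string. The returned `pendingAppRoles` list is what still needs consent after the script runs.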
Reputation: 2580
Unless you're creating more than 10 applications, I would just go through the portal.
Granting permissions and creating applications can be done at the same time; you can also create the application and then have an admin do the admin consent.
Admin consent explained: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#request-the-permissions-from-a-directory-admin
Upvotes: 0