
How to match https://graph.microsoft.com/beta/me/appRoleAssignments with https://graph.microsoft.com/beta/applications.

Which ID should be matched?

How do I compare these two JSON responses -

    {
        "id": "cLsrKP9FQU-3yUaE6gaYwgT2qe43q4pAqMb4Kr9Cdp4",
        "creationTimestamp": "2019-04-08T06:17:53.349594Z",
        "appRoleId": "00000000-0000-0000-0000-000000000000",
        "principalDisplayName": "<User Name>",
        "principalId": "282bbb70-45ff-4f41-b7c9-4684ea0698c2",
        "principalType": "User",
        "resourceDisplayName": "Postman",
        "resourceId": "d24064b4-1ee0-4507-a220-6faab7ba3fe0"
    },

With

    {
        "id": "b5bb2bb9-bb5e-426a-a107-d2212020f614",
        "deletedDateTime": null,
        "isFallbackPublicClient": false,
        "appId": "c21feb4a-040e-4067-8c14-55b1e015fc17",
        "applicationTemplateId": null,
        "identifierUris": [
            "https://<OrgName>.onmicrosoft.com/5d959b28-00fd-4f67-8d14-1a6276919b28"
        ],
        "createdDateTime": "2019-02-27T07:33:40Z",
        "displayName": "Postman",
        "isDeviceOnlyAuthSupported": null,
        "groupMembershipClaims": null,
        "optionalClaims": null,
        "orgRestrictions": [],
        "publisherDomain": "<OrgName>.onmicrosoft.com",
        "signInAudience": "AzureADMyOrg",
        "tags": [],
        "tokenEncryptionKeyId": null,
        "api": {
            "requestedAccessTokenVersion": null,
            "acceptMappedClaims": null,
            "knownClientApplications": [],
            "oauth2PermissionScopes": [
                {
                    "adminConsentDescription": "Allow the application to access Postman on behalf of the signed-in user.",
                    "adminConsentDisplayName": "Access Postman",
                    "id": "2e9e3ada-8570-4e8a-b02b-f0822f4fd63c",
                    "isEnabled": true,
                    "type": "User",
                    "userConsentDescription": "Allow the application to access Postman on your behalf.",
                    "userConsentDisplayName": "Access Postman",
                    "value": "user_impersonation"
                }
            ],
            "preAuthorizedApplications": []
        },

I want to filter out the apps assigned to me from the master list of applications. Which ID should be matched?

Edit:

I am getting a 403 error while calling this API through a web part - https://graph.microsoft.com/beta/applications

    // Requires: import { AadHttpClient, HttpClientResponse } from '@microsoft/sp-http';
    private _getListApplications(param): Promise<any> {
      return this.context.aadHttpClientFactory
        .getClient('https://graph.microsoft.com')
        .then((client: AadHttpClient) => {
          // Call /beta/applications with the token SPFx acquires for the web part
          return client
            .get("https://graph.microsoft.com/beta/applications", AadHttpClient.configurations.v1);
        })
        .then((responseListAllApps: HttpClientResponse) => {
          // AadHttpClient.get resolves to an HttpClientResponse, not an SPHttpClientResponse
          return responseListAllApps.json();
        });
    }

    {
        "error": {
            "code": "Authorization_RequestDenied",
            "message": "Insufficient privileges to complete the operation.",
            "innerError": {
                "request-id": "a0cae64d-ae22-47a3-a765-3abe2b1c34a1",
                "date": "2019-04-08T09:23:25"
            }
        }
    }
  • Could you include more details in your question? Actually what do you want to do? – Joy Wang Apr 08 '19 at 07:17
  • @JoyWang I want to filter out the apps assigned to me from the master list of applications. –  Apr 08 '19 at 07:21
  • Any progress on this issue? – Joy Wang Apr 08 '19 at 08:28
  • Do you have the `Directory.Read.All` permission? see : https://learn.microsoft.com/en-us/graph/api/application-list?view=graph-rest-beta#permissions – Joy Wang Apr 08 '19 at 09:38
  • Hello @JoyWang, thanks for the quick response. I have another question, which I have edited into my previous question. Please help. –  Apr 08 '19 at 09:40
  • The error means you do not have the permission to call the API; make sure you have the permission, see : https://learn.microsoft.com/en-us/graph/api/application-list?view=graph-rest-beta#permissions – Joy Wang Apr 08 '19 at 09:43
  • @JoyWang, Is this correct way for adding multiple scopes - "webApiPermissionRequests": [ { "resource": "Microsoft Graph", "scope": "Application.ReadWrite.All", "Directory.Read.All" } ] –  Apr 08 '19 at 09:50
  • I am not familiar with c#, if you call the api with an AD App, go to the Azure AD in the portal, in your app -> Settings->Required permissions->add the Microsoft Graph API with the permissions you want -> click the `Grant permissions` button. Then your app will be able to call the MS graph api. Make sure your user account is a global admin of your tenant, otherwise you could not grant the permission. – Joy Wang Apr 08 '19 at 09:56
  • @JoyWang I have marked it as an answer, can you please help me while I am getting this error in API Management when I approve the request. [HTTP]:400 - [CorrelationId]:25ead09e-2016-0000-22ca-2805e5e18a16 [Version]:16.0.0.8727 - An OAuth permission with the scope Application.ReadWrite.All could not be found. Parameter name: scope –  Apr 08 '19 at 10:23
  • For the error of your code, I recommend you to ask it in a new question, I am not familiar with c#. If you have done the steps above, the permissions of your app should be right. – Joy Wang Apr 08 '19 at 10:41

1 Answer

No, there is no ID that matches directly; you cannot do that via these two APIs. You need to use GET https://graph.microsoft.com/beta/servicePrincipals/xxxxxxxxx as a medium.

First, call GET https://graph.microsoft.com/beta/me/appRoleAssignments and copy the resourceId from the response; it is the object id of the target resource (service principal) for which the assignment was made. Then call GET https://graph.microsoft.com/beta/servicePrincipals/<resourceId>; the appId in the response is the application id of the AD App. Then call GET https://graph.microsoft.com/beta/applications; the appId in the response is the same as the appId returned by GET https://graph.microsoft.com/beta/servicePrincipals/<resourceId>. Then you can match them.

For more details about the properties, see these three links:

Joy Wang
  • Can you please help on this issue, please go through this URL: https://stackoverflow.com/questions/56559338/why-i-am-not-able-to-authenticate-with-microsoft-graph-explorer-through-sharepoi – Chirag Jun 12 '19 at 11:57
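The three-step lookup from the answer, as an added example that is not part of the original question or answer: it joins already-fetched responses offline, with constructed sample records (the IDs from the question's two responses, plus an invented service principal record linking them and an invented unresolvable assignment), and reports the assignments that do not resolve.

```typescript
// Added example, not code from the question or answer. Resolves the chain
// appRoleAssignments.resourceId -> servicePrincipals.id -> servicePrincipals.appId
// -> applications.appId over responses that have already been fetched.
interface AppRoleAssignment { id: string; resourceId: string; resourceDisplayName: string; }
interface ServicePrincipal { id: string; appId: string; }
interface Application { id: string; appId: string; displayName: string; }

// Constructed sample data, trimmed to the fields the join needs. The first assignment
// and the first application reuse the IDs from the question; the service principal
// record that links them, the second assignment and the second application are invented.
const assignments: AppRoleAssignment[] = [
  { id: "cLsrKP9FQU-3yUaE6gaYwgT2qe43q4pAqMb4Kr9Cdp4",
    resourceId: "d24064b4-1ee0-4507-a220-6faab7ba3fe0", resourceDisplayName: "Postman" },
  { id: "constructed-assignment-2",
    resourceId: "ffffffff-ffff-ffff-ffff-ffffffffffff", resourceDisplayName: "Third-party app" },
];
const servicePrincipals: ServicePrincipal[] = [
  { id: "d24064b4-1ee0-4507-a220-6faab7ba3fe0", appId: "c21feb4a-040e-4067-8c14-55b1e015fc17" },
];
const applications: Application[] = [
  { id: "b5bb2bb9-bb5e-426a-a107-d2212020f614",
    appId: "c21feb4a-040e-4067-8c14-55b1e015fc17", displayName: "Postman" },
  { id: "constructed-app-2",
    appId: "11111111-2222-3333-4444-555555555555", displayName: "Not assigned to me" },
];

// Returns the application objects the user is assigned to, plus the resourceIds that
// could not be resolved. An assignment stays unresolved when its service principal is
// missing from the fetched list or when the app is registered in another tenant, since
// GET /applications only lists this tenant's own app registrations.
function matchAssignedApplications(
  asgs: AppRoleAssignment[], sps: ServicePrincipal[], apps: Application[],
): { matched: Application[]; unresolved: string[] } {
  const spById = new Map<string, ServicePrincipal>(sps.map(sp => [sp.id, sp] as const));
  const appByAppId = new Map<string, Application>(apps.map(app => [app.appId, app] as const));
  const matched: Application[] = [];
  const unresolved: string[] = [];
  const seen = new Set<string>();
  for (const asg of asgs) {
    const sp = spById.get(asg.resourceId);                  // step 2: /servicePrincipals/<resourceId>
    const app = sp ? appByAppId.get(sp.appId) : undefined;  // step 3: match on appId
    if (!app) { unresolved.push(asg.resourceId); continue; }
    if (!seen.has(app.id)) { seen.add(app.id); matched.push(app); } // a user may hold several roles on one app
  }
  return { matched, unresolved };
}

console.log(matchAssignedApplications(assignments, servicePrincipals, applications));
```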