
I am trying to create a "service principal" for application and to grant admin consent for the permissions using Microsoft graph API.

I followed the following steps:

  1. Created application in a tenant using graph API. My request body is:

    {
      "displayName": "AppWithPermissions",
      "requiredResourceAccess": [
        {
          "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
          "resourceAccess": [
            {
              "id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
              "type": "Role"
            }
          ]
        }
      ]
    }
    
  2. Created a service principal for the above-created application. The creation was successful.

  3. Now, I want to grant admin consent to each assigned permission programmatically using graph API.

  4. To grant application permissions, I created an app role assignment in the appRoleAssignedTo collection of the API's service principal. The request was as follows:

    Post request:

    https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo
    

    Request body:

    {
        "principalId": "principal_id",
        "resourceId": "resource_id",
        "appRoleId": "approle_id"
    }
    

Here,

  1. "principal_id" is the "id" of the service principal created in step 2 above.
  2. "approle_id" is the id of the appRole you want to grant (taken from the "id" value in the "resourceAccess" array present in "requiredResourceAccess").
  3. "id" in the HTTP request URL and "resource_id" are the same (taken from the "resourceAppId" value in "requiredResourceAccess" which corresponds to the "approle_id" given above).

After running the query, I am getting a 404 error with "code": "Request_ResourceNotFound" for the "resource_id"/"id" field.

Adding screenshots for better understanding (images not available here):

  1. App creation
  2. Service principal creation
  3. Grant an appRoleAssignment for a service principal

I am confused about which IDs to use where and didn't get a clear idea from the documentation. Can anyone please resolve my query? Thanks in advance.

Pooja_2304

2 Answers


It looks like you're using the appId instead of the id value.

In an app role assignment, resourceId is the id of the servicePrincipal for the resource app (in your case, the API). In an application object's requiredResourceAccess, you use appId, which is a different value.

To find the id of a service principal for which you know the appId:

GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '{app-id}'

The response will contain the id property of the servicePrincipal object, and you can use that when creating the app role assignment.

Philippe Signoret
  • Thanks Philippe. Let me clear my understanding: {resourceId}, {principalId} are the same as the id property of the servicePrincipal object. But I still did not get what the value of {appRoleId} should be. In my response of the servicePrincipal object, the 'appRoles' array is NULL. Is it not related to the values present in the 'requiredResourceAccess' array? – Pooja_2304 Oct 13 '20 at 04:04
  • If you retrieve the `servicePrincipal` for the API (e.g.`GET .../servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'`) the result will have an `appRoles` property which will have all the app roles defined for that API. However, in your case, you seem to already know the {appRoleId} values (e.g. 5b567255-7703-4780-807c-7be8301ae99b, 75359482-378d-4052-8f01-80520e7db3cd, etc.), so you can just use that directly. – Philippe Signoret Oct 13 '20 at 08:09
  • I cannot use those values (e.g. 5b567255-7703-4780-807c-7be8301ae99b, 75359482-378d-4052-8f01-80520e7db3cd, etc.) for {appRoleId}. I am getting this error: "message": "Permission being assigned was not found on application". We need to define "appRoles" array for application while creating. – Pooja_2304 Oct 13 '20 at 09:35
  • Can you update your question to include the query you are making to create the app role assignment (include the body)? – Philippe Signoret Oct 13 '20 at 09:42
  • I have updated my question with the steps and screenshots. Please refer to them. – Pooja_2304 Oct 13 '20 at 10:04
  • You are using the same value for `principalId` and `resourceId`. To find `resourceId`, you need to look up the `id` of the servicePrincipal which has `appId` `00000002-0000-0ff1-ce00-000000000000`. My answer here shows you how to do that. That's the value you need to use as `resourceId`. – Philippe Signoret Oct 13 '20 at 22:39
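The id lookup from the answer and the corrected assignment request, as an added example (not code from the question or the answer): it resolves the resource's service principal `id` from its `appId` before building the `appRoleAssignedTo` call, and checks the role exists on that service principal. The tenant data, `CLIENT_SP_ID` and `RESOURCE_SP_ID` are constructed stand-ins so the script runs offline; the `appId` and role id are the ones from the question.

```python
import json
from urllib.parse import quote

# ids from the question
RESOURCE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"  # resourceAppId in requiredResourceAccess
APP_ROLE_ID = "dc890d15-9560-4a4c-9b7f-a736ec74ec40"      # id in resourceAccess
# constructed ids (not from the page)
CLIENT_SP_ID = "11111111-1111-1111-1111-111111111111"      # id of the SP created in step 2
RESOURCE_SP_ID = "22222222-2222-2222-2222-222222222222"    # id of the API's SP in this tenant

# Constructed stand-in for the tenant: what Graph would return for
# GET /servicePrincipals?$filter=appId eq '{app-id}', keyed by appId.
FAKE_TENANT = {
    RESOURCE_APP_ID: {
        "id": RESOURCE_SP_ID,
        "appId": RESOURCE_APP_ID,
        "appRoles": [{"id": APP_ROLE_ID, "allowedMemberTypes": ["Application"]}],
    },
}

def filter_url(app_id):
    """URL of the lookup from the answer; the OData filter is URL-encoded."""
    return ("https://graph.microsoft.com/v1.0/servicePrincipals?$filter="
            + quote(f"appId eq '{app_id}'"))

def get_service_principal(app_id, tenant=FAKE_TENANT):
    """Stand-in for the GET above: returns the single matching servicePrincipal."""
    page = {"value": [tenant[app_id]] if app_id in tenant else []}
    if not page["value"]:
        raise LookupError(f"no servicePrincipal with appId {app_id}; "
                          "using an unresolved value as resourceId gives Request_ResourceNotFound")
    return page["value"][0]

def build_app_role_assignment(client_sp_id, resource_app_id, app_role_id, tenant=FAKE_TENANT):
    """Return (url, body) for POST .../servicePrincipals/{resourceId}/appRoleAssignedTo.

    resourceId is the *id* of the resource's servicePrincipal, never its appId.
    """
    resource_sp = get_service_principal(resource_app_id, tenant)
    # The role must be defined on the resource's servicePrincipal; otherwise the
    # assignment fails with "Permission being assigned was not found on application".
    if app_role_id not in {r["id"] for r in resource_sp["appRoles"]}:
        raise LookupError(f"appRole {app_role_id} not defined on {resource_app_id}")
    url = f"https://graph.microsoft.com/v1.0/servicePrincipals/{resource_sp['id']}/appRoleAssignedTo"
    body = {"principalId": client_sp_id, "resourceId": resource_sp["id"], "appRoleId": app_role_id}
    return url, body

if __name__ == "__main__":
    url, body = build_app_role_assignment(CLIENT_SP_ID, RESOURCE_APP_ID, APP_ROLE_ID)
    print(url)
    print(json.dumps(body, indent=2))
```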

The document description is not very clear.

In simple terms:

principalId: Usually your service principal id.

resourceId: Usually your service principal id.

appRoleId: For appRoleId you can find it by requesting GET https://graph.microsoft.com/v1.0/servicePrincipals/{id}. (screenshot not available here)

Grant an appRoleAssignment for a service principal: (screenshot not available here)

Carl Zhao
  • Thank you Carl for your response. In my case the "appRoles": [] array is NULL. Did you perform any extra step while creating the service principal? I have one more query: don't we fetch "appRoleId" from the "requiredResourceAccess" array elements? – Pooja_2304 Oct 12 '20 at 11:13
  • @PoojaDabhade You can find it in the application manifest, go to Azure ad> App registrations>your app>Manifest see:https://i.stack.imgur.com/UH4el.png – Carl Zhao Oct 13 '20 at 09:26
  • I also did the same thing, but getting error as shown in screenshots attached: https://drive.google.com/file/d/19Umn69TJRbIVTfw1wWdfGYx43Sq_0ImY/view?usp=sharing and https://drive.google.com/file/d/1hyDMLogihroII0N1LlezHn1g-yHl7oA0/view?usp=sharing – Pooja_2304 Oct 13 '20 at 09:48
  • @PoojaDabhade Try to use a custom appRoleId https://i.stack.imgur.com/yGIzl.png, you can customize the appRoles by customizing the manifest in AD, go to Azure ad>App registrations>your app>Manifest to find appRoles and customize it,see:https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#examples – Carl Zhao Oct 13 '20 at 10:03
  • I tried that too. But now I am facing another issue as mentioned here: https://stackoverflow.com/questions/64330114/azure-service-principal-grant-an-approleassignment-for-a-service-principal-does – Pooja_2304 Oct 13 '20 at 11:08