
I have developed a domain-based modeling tool and code-generator that provides the ability to capture domain models per DDD and automatically generates ASP.Net Web API microservices.

I also created an Azure B2C CLI tool that uses the MS Graph API to programmatically generate an Azure B2C AD Application for each ASP.NET Web API, which includes all possible scopes that are applied to protect some of the generated Web API operations.

As some of these generated API services often interact with other generated services via REST and/or gRPC, the Azure B2C CLI tool also adds the list of dependent API permissions that would be required by each Web API in order to integrate with the other Web API.

My Azure B2C CLI tool works great and is creating/updating the underlying Azure B2C Web/API application per each domain service within the Home Tenant along with the necessary Service Principal.

Currently I still need to log into the Azure Portal in order to grant the API permissions per each B2C Application.

My question is: Is it possible to automate the granting of the API permissions using the B2C Application that I am using to create these same B2C Web/API applications?

It seems like this should be possible as the Azure B2C CLI tool's B2C Application is the owner of these created Apps.

To help illustrate and support my question I have included some screenshots below.

To begin, the following image shows the permission set that my Azure B2C CLI tool runs under in order to create the other B2C applications for each Web API via the MS Graph API.

On each pass, the Azure B2C CLI tool processes a particular domain model to understand the definition for each domain service within that model and will automatically create a series of B2C applications within Azure B2C per each service in a particular domain model.

The following domain model has 4 domain services, which results in 4 B2C Apps being generated by my Azure B2C CLI tool, as illustrated below.

The Azure B2C CLI tool creates one permission scope item per API operation and adds it to the underlying API's OAuthPermissionScopes. Here are a few examples of the generated permission scopes for the "WorkSpace" and "SharedServices" Web APIs.

The Azure B2C CLI also adds any API permissions to each generated B2C API Application. The following example shows that the "CoreServices" API requires permissions from both the "SharedServices" App API and the "WorkSpace" App API.

Once that is completed I can log into the Azure Portal and grant these permissions manually, per each API.

Instead of granting these manually I would like to programmatically grant these permissions via MS Graph within the Azure B2C CLI tool I've created.

The code-generator domain modeling tool will be producing hundreds upon hundreds of services, so I want to automate securing the generated domain services as much as possible, including the granting of API permissions.

Which MS Graph API would allow me to fully automate this process within my Azure B2C CLI tool?

John Kears

1 Answer

Microsoft Graph doesn't support the "grant admin consent" feature currently.

AAD Graph has an endpoint https://graph.windows.net/myorganization/consentToApp?api-version=2.0 which is used to grant admin consent but it is only available within Microsoft. Calling this endpoint from outside will get this error.

You could consider using the Azure CLI commands az ad app permission grant or az ad app permission admin-consent --id $appid. See reference here.

There is a difference between the two commands. You can find more details in my previous answer.

Allen Wu
  • The az command approach still requires an az login by an admin, so essentially it would not address the need to fully automate this process. I run my B2C CLI via a GitHub Action that executes after the commit of the repo which holds the generated code and domain model. This all runs on a self-hosted server with the intent to fully automate both the code generation as well as the B2C configuration. I suppose if I could run the self-hosted process as an admin then it may be possible to programmatically run the az command approach. I do not know if that is possible, nor how to do that. – John Kears Nov 25 '20 at 11:47
  • You can log into Azure non-interactively using a service principal. Just make sure the service principal has permission to grant admin consent. az login --service-principal -u -p --tenant If you're logging into B2C, use the --allow-no-subscriptions flag in addition to the tenant flag or you will receive an error since B2C doesn't have subscriptions. https://lnx.azurewebsites.net/non-interactive-login-in-azure-cli-2-0/ https://learn.microsoft.com/en-us/cli/azure/authenticate-azure-cli – Scott McNeany Nov 25 '20 at 14:08
  • @JohnKears Have you looked into the suggestion of @ScottMcNeany? Using a service principal to sign in. – Allen Wu Nov 26 '20 at 01:12
  • @Allen Wu... I just read through that link you provided. It appears that we can log into Azure using a service principal via this CLI: az login --service-principal -u -p --tenant (as per Scott's blog). I will try this with the AD App that I use to create the API permission set. Thanks for letting me know. – John Kears Nov 27 '20 at 02:05
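The service-principal sign-in suggested in the comments, carried through into the kind of CI script the question describes, as an added example that is not code from the question, the answer, or the asker's tool. It assumes the generator writes the application (client) ids of the created B2C apps to a file, that B2C_TENANT, B2C_CLIENT_ID and B2C_CLIENT_SECRET are supplied by the runner (for example as GitHub Actions secrets), and that az is on PATH.

```shell
#!/bin/sh
# Added example: non-interactive admin consent for generated B2C API app
# registrations via the Azure CLI. Not code from the question or answer.
# Assumed inputs: B2C_TENANT, B2C_CLIENT_ID, B2C_CLIENT_SECRET in the
# environment and a file of app ids produced by the generator.

# AZ_CMD lets a dry run substitute another command for az (e.g. "true").
AZ_CMD="${AZ_CMD:-az}"

# Sign in as the CLI tool's own service principal. The secret is read from
# the environment rather than written into the script; a certificate file
# path can be passed to -p instead of a secret to keep it out of argv.
# --allow-no-subscriptions is required because a B2C tenant has no
# subscriptions (see Scott McNeany's comment above).
b2c_login() {
  : "${B2C_CLIENT_ID:?}" "${B2C_CLIENT_SECRET:?}" "${B2C_TENANT:?}"
  "$AZ_CMD" login --service-principal --allow-no-subscriptions \
    -u "$B2C_CLIENT_ID" -p "$B2C_CLIENT_SECRET" --tenant "$B2C_TENANT" \
    --output none
}

# Accept only GUID-shaped app ids so a malformed generator output cannot
# smuggle extra arguments into the az invocation.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Grant admin consent for every app id in the file (one id per line; blank
# lines and "#" comment lines are skipped). Prints the number of apps
# consented and returns non-zero on the first malformed id.
grant_consent_for_apps() {
  count=0
  while IFS= read -r app_id || [ -n "$app_id" ]; do
    case "$app_id" in ''|'#'*) continue ;; esac
    is_guid "$app_id" || { echo "invalid app id: $app_id" >&2; return 1; }
    "$AZ_CMD" ad app permission admin-consent --id "$app_id" >/dev/null
    count=$((count + 1))
  done < "$1"
  echo "$count"
}

# Typical CI usage (uncomment in the pipeline step):
# b2c_login && grant_consent_for_apps generated-app-ids.txt
```

The service principal used for b2c_login must itself be allowed to consent on behalf of the tenant, as the comments note; a principal that can only create app registrations will get a permission error from admin-consent.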