0

I'm using Microsoft Graph API to create an application making an HTTP request using the following documentation: https://learn.microsoft.com/en-us/graph/api/application-post-applications?view=graph-rest-1.0&tabs=http

Example: POST https://graph.microsoft.com/v1.0/applications Content-type: application/json

{
  "displayName": "MyAppName",
  "signInAudience": "AzureADMultipleOrgs"
}

But I need to add some API permissions (Microsoft Graph Application permissions) when creating the applications so I can do other operations like getting the Azure AD groups, modify them, create users, etc. Is there a way to add and grant the permissions programmatically as well without doing it through the portal?

Thank you.

Stephan
  • 2,356
  • 16
  • 38
daycg
  • 17
  • 6

2 Answers2

1

Microsoft Graph object ID

The first thing you'll need is the object ID of Microsoft Graph service principal in your tenant.

00000003-0000-0000-c000-000000000000 is the globally unique application ID for Microsoft Graph, which we can use to get the object ID by making a request like below.

GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appid eq '00000003-0000-0000-c000-000000000000'&$select=id,appid,appDisplayName

Example response

The object ID we need is the id in the response

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals(id,appId,appDisplayName)",
    "value": [
        {
            "id": "bd0a624d-11f8-44ab-a015-d8f276d75ad3",
            "appId": "00000003-0000-0000-c000-000000000000",
            "appDisplayName": "Microsoft Graph"
        }
    ]
}

References

Application IDs for commonly used Microsoft applications

Adding API Permissions

You can add the API permissions, which is separate from granting admin consent.

PATCH https://graph.microsoft.com/v1.0/applications/{application_id}

Headers

Key Value
Authorization Bearer {access token}
Content-Type application/json

Body

Key Value
resourceAppId The API resource to add permissions from, in this case 00000003-0000-0000-c000-000000000000 is for Microsoft Graph
resourceAccess Array of permissions containing the ID and type
id Use the globally unique ID of the permission want to add, which you can reference from All permissions and IDs
type For delegated permissions, use Scope. For application permissions, use Role

Example body

The below permissions are for User.Read (delegated), openid (delegated), and Directory.Read.All (application)

{
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope"
                },
                {
                    "id": "37f7f235-527c-4136-accd-4a02d197296e",
                    "type": "Scope"
                },
                {
                    "id": "7ab1d382-f21e-4acd-a863-ba3e13f7da61",
                    "type": "Role"
                }
            ]
        }
    ]
}

References

Update application API endpoint

requiredResourceAccess resource type

resourceAccess resource type

Granting admin consent

Important to note that you can only grant admin consent with the API for delegated permissions. For application permissions, you'll need to use the Portal and click the button.

POST https://graph.microsoft.com/v1.0/oauth2PermissionGrants

Headers

Key Value
Authorization Bearer {access token}

Body

Key Value
clientId The Enterprise Application object ID for which you want to grant consent to
consentType Indicates if authorization is granted for the client application to impersonate all users or only a specific user. AllPrincipals indicates authorization to impersonate all users. Principal indicates authorization to impersonate a specific user. Consent on behalf of all users can be granted by an administrator. Non-admin users may be authorized to consent on behalf of themselves in some cases, for some delegated permissions. Required. Supports $filter (eq only).
resourceId Use the object ID we obtained earlier for the Microsoft Graph service principal
scope A space-separated list of the claim values for delegated permissions which you want to grant admin consent to

Example body

{
    "clientId": "7f244605-717f-408f-96fb-d369678cea56",
    "consentType": "AllPrincipals",
    "resourceId": "bd0a624d-11f8-44ab-a015-d8f276d75ad3",
    "scope": "openid User.Read"
}

References

Create oAuth2PermissionGrant API endpoint

oAuth2PermissionGrant resource type

scottwtang
  • 1,740
  • 2
  • 3
  • 13
0

Unless you’re creating more then 10 applications, I would just go through the portal.

  1. Creating secrets through the api is not very easy.
  2. The portal has wizards and explanations for most options

Granting permissions and creating applications can be done at the same time, you can also create the application and then have an admin do the admin consent.

Admin consent explained: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow#request-the-permissions-from-a-directory-admin

Stephan
  • 2,356
  • 16
  • 38
  • The problem is that the project I'm working on will be used by other companies and each one needs its own application, so indeed I'll be creating several of them and I won't have access to their directories, that's the reason everything needs to be done programmatically. – daycg Aug 03 '22 at 22:04
  • Are you running the application in your azure cloud or is the client running the application? In the first case you only need a single application and just ask the client to do admin consent. – Stephan Aug 03 '22 at 22:07