I created an app in AAD (App1).
I added app Roles to the manifest.
I created another app in AAD (App2) (same tenant)
I added API permissions to App2 for one of the roles configured in App1.
As the owner of App2, I can log in to the portal, and grant Admin consent for App2
I need to do all of the above via API calls, ideally without any human interaction. I can do Steps 1 - 4, and that is working perfectly via API calls.
Which API call do I use to grant admin consent (step 5). Note that I need to grant consent for an App Role, and NOT an OAuth scope. Also note that the App Role is NOT one from one of the standard Microsoft services (i.e., Graph)--it is for a custom role created in my own app.
Applications must use the admin consent endpoint to request Application Permissions, this must be done interactively. Take a look at Request the permissions from a directory admin.
Related
I have a Azure Active Directory application and I have provided some of the user delegated permissions for accessing Graph APIs. For example 'user.read' and 'user.read.all' etc.
To provide User Consent for the Graph APIs which have Delegated permission. I need to login using my credentials to the test application (I developed) and then there will be a Popup displayed on the Web UI with title "Permissions requested" to grand the consent. I need to select Accept button to grand the consent.
My questions:
Is there a way we can preauthorize the user consent without following Web UI flow?
Just like the admin consent in Active Directory, is there a way to grant user consent?
Yes, it is possible through MS Graph API.
When you grant user consent, an OAuth2PermissionGrant object is created.
Admin consent also creates one but in that one the principal is set to be "all users".
You can also create these programmatically.
You can see the docs for the API endpoint here.
It is created under the service principal of your app and you specify consentType as "Principal" and principalId as the user's objectId.
I think you may try to hit this url and signed in with the admin account, then you may consent on behalf of your organization. This url is used to get auth code for using auth code flow(generate access token)
https://login.microsoftonline.com/hanxia.onmicrosoft.com/oauth2/v2.0/authorize?
client_id=your_azure_ad_app_clientid
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost:8080%2F
&response_mode=query
&scope=user.read
&state=12345
TL;DR
To grant admin consent to a newly created single-tenant app I need to know its Service Principal Id. Is there a way of getting the Service Principal Id of a newly created app registration when it is not listed in the results from a call to the MS Graph API ServicePrincipals endpoint?
I am using the Microsoft Graph Beta SDK to add functionality that enables users of our application to create and maintain SDS Sync Profiles.
I have a multi-tenant app registration which, given user consent, enables me to create a single-tenant app registration in the user's tenant using the graphClient.Applications.Request().AddAsync({application}) method. The process I have works fine and the single-tenant app registration is created with the necessary permissions but these require admin consent. Currently I am sending users to the adminconsent endpoint: (https://login.microsoftonline.com/{tenantId}/adminconsent) where the user can grant the necessary permissions. This is also working fine but it requires the user to log in again, having already logged in once to grant consent to the multi-tenant app. This is clearly not great from a UX point of view so I would like to avoid the necessity of the user having to log in again if possible.
I came across this post: https://winsmarts.com/how-to-grant-admin-consent-to-an-api-programmatically-e32f4a100e9d which explains how to grant the admin consent programmatically . This involves creating an oAuth2PermissionGrant object with the scopes listed that admin consent is required for.
The issue I have is that in order to add the oAuth2PermissionGrant I need to know the Service Principal Id of the single-tenant app registration just created. However, when I make a call to the Graph API to list the Service Principals (graphClient.ServicePrincipals.Request().GetAsync()) the single tenant app registration is not listed, so I have no way of getting the Service Principal Id and thus cannot create the oAuth2PermissionGrant.
Once I grant admin consent to the permissions on the single-tenant app registration, either manually in Azure AD or via the adminconsent endpoint, the single-tenant app registration shows in the results from the call to ServicePrincipals endpoint.
Additionally, if I haven't granted admin consent, and just make a call to any Graph endpoint, and, when (having logged in again) the grant permissions page is shown, I don't tick the "consent for my organization" box, the permissions remain (as expected) in "require admin consent" status, however the single-tenant app registration now shows amongst the Service Principals list.
Sorry for the long question but any advice would be most appreciated.
Thanks
David.
However, when I make a call to the Graph API to list the Service Principals (graphClient.ServicePrincipals.Request().GetAsync()) the single tenant app registration is not listed, so I have no way of getting the Service Principal Id and thus cannot create the oAuth2PermissionGrant.
That's because a service principal is not created automatically when you create an application through the APIs or with PowerShell. Azure Portal creates it for you at the same time when using it for convenience, but the raw APIs don't do that. You need to create the service principal, the only mandatory parameter is the appId (your app id/client id) if I recall correctly. Here is the documentation page for that: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-serviceprincipals?view=graph-rest-1.0&tabs=http
Once the service principal has been created, you should be able to create the oauth2PermissionGrant objects that grant the permissions you want for all users in your directory.
i'm trying since 3 days to grant admin consent of application permissions in an azure b2c tenant for an enterprise application.
The App is registered in my main-tenant with all its delegated and application type permissions, which are granted tenant-wide. The main-tenant also has an entry in its enterprise applications where i can see the same permissions.
I dont know how to add the app in my side-tenant without publishing it to the MS store. So i simply login my app with a side-tenant-account. (I dont know if its the correct way?)
After the login i have an entry in my enterprise applications of my side-tenant, but without the permissions i need?
Now here is my question: How can i grant the permissions i need for all users in my side-tenant?
I already tried this Url: https://login.microsoftonline.com/{tenantID}/adminconsent?client_id={clientID}&scope=/.default&redirect_uri=xxx
For my main-tenant it works as expected, maybe because it has the application registration, which is missing in my side-tenant.
When i try it with my side-tenant, i'm getting this error:
Acess_denied: AADSTS650054 The application XXXX asked for permissions to access a resource that has been removed or is no longer available. Contact the app vendor.
What is likely happening here is that you have configured your app to request access to at least one API which has no representation in "side-tenant" (the API called "LegacyAPI", for example). That's why the error message mentions the "resource that has been removed or is no longer available".
For consent to succeed, all of the resource services (i.e. the APIs) the app is requesting access to must exist in the tenant where consent is being granted. (A service principal object needs to exist.)
You have two options here:
Grant consent to the missing resource services in "side-tenant" (e.g. via the admin consent URL)
Manually create a service principal for the missing resource service in "side-tenant" (e.g. New-AzureADServicePrincipal -AppId "{resource-app-id}")
Not related to your issue, but related to the admin consent URL:
For what you're trying to do, there are three ways to construct the admin consent URL, one using the older v1 endpoint, and two using the newer (recommended) v2 endpoint. In your admin consent URL, you are using the v1 endpoint, but you are including the scope parameter (which is only used in the v2 endpoint).
v2 (recommended)
For all permissions configured in the app registration, revoke any other permissions that were granted tenant-wide (static):
https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent
?client_id={client-id}
&scope=.default
&redirect_uri={redirect-url}
For the delegated permission User.Read for Microsoft Graph, don't revoke other permissions which were already granted tenant-wide (dynamic, incremental):
https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent
?client_id={client-id}
&scope=https://graph.microsoft.com/User.Read
&redirect_uri={redirect-url}
v1 (supported, not recommended)
For all permissions configured in the app registration, revoke any other permissions that were granted tenant-wide (static):
https://login.microsoftonline.com/{tenant-id}/adminconsent
?client_id={client-id}
&redirect_uri={redirect-url}
Reference: https://learn.microsoft.com/azure/active-directory/develop/v2-admin-consent
My AD tenant has user consent disabled, i.e., all permissions added to AD app registration need an admin consent.
For an application using static permissions/scopes (v1.0 OAuth/OpenId endpoint), is it possible to add new permissions such that until the admin consent is granted, users can continue using features which require only the existing consented scopes?
Microsoft docs say: "The app needs to know all of the resources it would ever access ahead of time. It was difficult to create apps that could access an arbitrary number of resources." Does it mean that for my scenario, all users need to wait for admin consent before they can access the app?
I receive the below error when a user tries logging in to the app using the Open ID Connect flow. For reference, my login URL is similar to https://login.microsoftonline.com/{tenant}/oauth2/authorize?response_type=id_token&client_id=b8ad6a99-cd23-40a6-a1b4-1184af990aa2&redirect_uri=https%3A%2F%2Flocalhost%2F&state=13ccfb84-cfd1-4cb0-bfe3-bb2c227e19f7&client-request-id=4d76947a-0000-48af-aeff-7bc2d5e40000&x-client-SKU=Js&x-client-Ver=1.0.17&nonce=ef1caa16-d3fe-4523-a9c9-000000000000
is it possible to add new permissions such that until the admin consent is granted, users can continue using features which require only the existing consented scopes?
Yes, you can.
When the admin consent the API permission of an AD App(App registration), the permissions essentially will be given to the service principal(Enterprise application) in your AAD tenant. Actually if you use the AD App in your tenant, the permissions are essentially from the service principal.
You could refer to the screenshot below, there are four permissions, the two permission has been granted.
Navigate to the Overview, click the option Manage application in local directory.
Then in the Permissions, you will find the two permissions which have been consent.
When you add the new scopes, the app will keep working, but it will only be able to access the old scopes until the admin consents to the new scopes.
Thanks!
Alex Simons
When registering a native application on the Azure AD 1.0 endpoint, and assigning Graph API permissions, it seems like consented permissions are 'cached' somewhere and can't be managed properly.
Example scenario:
Application registered and permission scopes (incl. ones requiring admin consent) assigned.
Administrator consents to the permission scopes
Simple user can use the app with consented permissions.
Permission scopes change (adding a new one for example)
Same admin doesn't get the consent form anymore
Simple user is stuck with "consent required, have an admin account?"
Another global admin must use the app for the first time to trigger the consent page.
Note that #7 doesn't always work; even if the other admin provides consent, simple users can't get through sometimes.
This is a multi-tenant application, yet when start using it in another tenant, I can not see its consented permissions in the AAD portal under enterprise applications.
Shouldn't permissions that have been consented to be listed in other tenants so that the admin can at least see what has been consented to?
Also, when I register an app on the V1.0 endpoint in my own tenant, I have an option to 'grant permissions' centrally, from the Azure AD portal for my tenant.
This option isn't available if I'm looking at an application that was registered in another tenant.
Am I overlooking something? Any help much appreciated.
When you change permissions, it does not automatically re-consent (for user or admin). You can find a detailed overview of this at Understanding user and admin consent.
You'll first need kick off the Admin Consent workflow. For a multi-tenant app this is done by adding prompt=admin_consent to your OAUTH URL and having an Admin authenticate.
Once that is done you can also force existing users to re-consent as well by adding prompt=consent to your Auth URL.