Skip to main content

App Role assignment to service principal --

 Using Ms Graph Rest API's

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission typePermissions (from least to most privileged)
Delegated (work or school account)AppRoleAssignment.ReadWrite.All and Application.Read.All, AppRoleAssignment.ReadWrite.All and Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All
Delegated (personal Microsoft account)Not supported.
ApplicationAppRoleAssignment.ReadWrite.All and Application.Read.All, AppRoleAssignment.ReadWrite.All and Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All

Create 2 app registrations.

App role owner will contain the app role that will be assigned to a service principal.

The  reader role in approleowner will be added to the approlesubscriber


Setup postman to use the Oauth auth flow to get a token for MS Graph.
ClientId:   Application (client) ID for approlesubscriber
Client Secret: secret for approlesubscriber
Scope: https://graph.microsoft.com/.default
Auth URL:  https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize
Access Token URL:  https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token


Assign the delegated permissions so that we can act on behalf of the logged in user. 

Add Role Assignment

URL : https://graph.microsoft.com/v1.0/servicePrincipals/{ResourceId}/appRoleAssignedTo

PrincipalId: Approlesubscribers enterprise apps object id (to whom we assign the role)

ResourceId: Approleowners enterprise apps object id (who has the app role)

AppRoleId: Id of the app role (shown in the below image)














Comments

Post a Comment

Popular posts from this blog

ASp.net core 3.1 identity

It is just an extension to cookie authentication. We get a UI, Tables, helper classes, two factor authentication etc. Even EF and its database constructs. So instead of writing code for all of this we can just use these in built features. Extending Default Identity Classes Add a class that inherits from    public class AppUser : IdentityUser     {         public string Behavior { get; set; }     } Also change the user type in login partial.cs under shared folder Then add migrations and update db using migrations. We can customize further.  services.AddDefaultIdentity<AppUser>(options =>              {                 options.SignIn.RequireConfirmedAccount = true;                 options.Password.RequireDigit = false;           ...
2 comments
Read more

Get user groups

 string[] scopes = new string[] { "https://graph.microsoft.com/.default" };             string clientId = "";             string tenantId = "";             string secret = "";                        var options = new TokenCredentialOptions             {                 AuthorityHost = AzureAuthorityHosts.AzurePublicCloud             };             // https://learn.microsoft.com/dotnet/api/azure.identity.clientsecretcredential             try             {                 var clientSecretCredential = new ClientSecretCredential(                        ...
Post a Comment
Read more