Skip to main content

App Role assignment to service principal --

 Using Ms Graph Rest API's

Permissions

One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission typePermissions (from least to most privileged)
Delegated (work or school account)AppRoleAssignment.ReadWrite.All and Application.Read.All, AppRoleAssignment.ReadWrite.All and Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All
Delegated (personal Microsoft account)Not supported.
ApplicationAppRoleAssignment.ReadWrite.All and Application.Read.All, AppRoleAssignment.ReadWrite.All and Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All

Create 2 app registrations.

App role owner will contain the app role that will be assigned to a service principal.

The  reader role in approleowner will be added to the approlesubscriber


Setup postman to use the Oauth auth flow to get a token for MS Graph.
ClientId:   Application (client) ID for approlesubscriber
Client Secret: secret for approlesubscriber
Scope: https://graph.microsoft.com/.default
Auth URL:  https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize
Access Token URL:  https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token


Assign the delegated permissions so that we can act on behalf of the logged in user. 

Add Role Assignment

URL : https://graph.microsoft.com/v1.0/servicePrincipals/{ResourceId}/appRoleAssignedTo

PrincipalId: Approlesubscribers enterprise apps object id (to whom we assign the role)

ResourceId: Approleowners enterprise apps object id (who has the app role)

AppRoleId: Id of the app role (shown in the below image)














Comments

Post a Comment

Popular posts from this blog

Azure AD Authentication And Authorization

ROLE BASED AUTHORIZATION Step1:   Setup  API. 1. Create an app registration and create an app role. Make sure that the app role is assigned to user and applications. We add it to both user groups and applications as this role can be then assigned to both users and applications. Scopes can only be assigned to apps. Now we can have only users with this role access our application. This app role behind the scenes adds an approles section to the manifest.json. We can directly add it to the manifest file also. Step 2:  Setup an app registration for the UI/ WEB App. . We will grant this app the read role created in the API app (shown above). Go to Azure AD and select the UI app registration. When we register an application 2 elements get created. 1. App registration  2. Enterprise Application -- service principal that get created for the app Adding roles to applications Go to the App registration => API Persmissions => Add a Permission => My API's The My Api's sec...
Post a Comment
Read more

Function APP and KV integration

 Create a function App and enable system assigned identity Create  a Keyvault and add a secret (Name in my case) Configure Access policies for the function app in keyvault Create an  access policy in Key Vault   for the application identity you created earlier. Enable the "Get" secret permission on this policy. Do not configure the "authorized application" or   applicationId   settings, as this is not compatible with a managed identity. https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references Key Vault references currently only support system-assigned managed identities. User-assigned identities cannot be used. We are granting our function app permissions to get and list all the secrets in this keyvault. Add Key Vault secrets reference in the Function App configuration Go to the keyvault and click on the secret we just created. Copy the secret identifier. We need to add this value to the function app configuration.  @Microsof...
Post a Comment
Read more

EF CORE 6

 Enumerating through the results 3. Everytime we enumerate thorugh the DBset inside a foreach loop, the connection to the database remains open. So doing a lot of work inside the loop will result in the database connection to stay open. So, it's better to run a ToList() and get the  results in memory before we start iterating through the results. SQL Injection If we hardcode the value for a parameter in the LINQ query then it will be hardcoded in the query as well, so try to use variables. Variables are converted to parameters and hence prevent SQL injection.   Partial Filtering We can have more control on the LIKE statement when using the Ef.Functions.Like method  var authorsNameEndWith = await context.Authors.Where(a => EF.Functions.Like(a.FirstName, "%a")).ToListAsync(); Find  Order By If we have multiple order by statements, then LINQ will ignore all but the last one. So, use the thenBy operator to add more orderby statements. Triggering the query ex...
Post a Comment
Read more