I am trying to grant admin consent to assigned permissions using the Microsoft Graph APIs. The steps I performed are as follows:

  1. Create an application with an "appRoles" array defined.

  2. Create a service principal with the appId.

  3. Grant an appRoleAssignment for a service principal. I ran an HTTP POST request:

https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo

  4. In the Azure portal, instead of granting the originally present permission, I see it is creating another permission and granting consent to it, as displayed in the picture below.

Why is it not granting the original permission, even though the 'appRoleId' is the same? I want to grant the original permission; can someone tell me how? Thanks.

Joy Wang On BEST ANSWER

Of course it will not grant the original permission. When you create an application and expose an API permission on it, that permission and the permission in Exchange are two totally different permissions from different APIs, no matter which appRoleId they use.

To grant the full_access_as_app Application permission for your app, please follow the steps below.

1. Navigate to your AD App in the portal -> Manifest -> requiredResourceAccess, get the resourceAppId and id, and note the id down as appRoleId.

2. Navigate to Azure Active Directory in the portal -> Enterprise applications -> search for the resourceAppId you got in step 1, and you will find Office 365 Exchange Online -> click it -> Overview -> get the Object ID, and note it down as resourceId.

Note: This Object ID is different in different AAD tenants.


3. Navigate to your AD App -> click the Managed application in local directory, then get the Object ID, and note it down as principalId.

4. Then call the Microsoft Graph API you used, Grant an appRoleAssignment for a service principal, with the values you got before.

POST https://graph.microsoft.com/v1.0/servicePrincipals/<resourceId>/appRoleAssignedTo

{
  "principalId": "<principalId>",
  "resourceId": "<resourceId>",
  "appRoleId": "<appRoleId>"
}

I tested it in the Graph Explorer:

Check the result in the portal; it works fine.
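The mistake in the question is that the POST went to the app's own service principal, so the assignment was made against the app's own appRoles rather than against the role exposed by the Exchange Online resource. The following added example (not code from the question or the answer above) shows the same request construction in Python with the cross-checks a practitioner would want before granting an application permission: the appRoleId must be a "Role" entry (application permission, not a delegated "Scope") in the app manifest's requiredResourceAccess, the servicePrincipals/{id} in the URL must be the service principal whose appId equals that entry's resourceAppId, that service principal must actually define the role with "Application" in allowedMemberTypes, and the principalId must be the service principal of the app being granted. All GUIDs, the manifest and the service principal objects below are constructed sample data; the helper names are this example's own.

```python
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


class AssignmentError(ValueError):
    """Raised when the IDs do not fit together the way Graph expects."""


def requested_app_roles(manifest, resource_app_id):
    """appRoleIds of type 'Role' (application permissions) the manifest requests from resource_app_id.

    'Scope' entries are delegated permissions; those are consented through
    oauth2PermissionGrants, not through appRoleAssignedTo, so they are skipped here.
    """
    for entry in manifest.get("requiredResourceAccess", []):
        if entry.get("resourceAppId") == resource_app_id:
            return [a["id"] for a in entry.get("resourceAccess", []) if a.get("type") == "Role"]
    return []


def build_app_role_assignment(manifest, resource_sp, principal_sp, app_role_id):
    """Return (url, body) for POST servicePrincipals/{resourceId}/appRoleAssignedTo.

    manifest     - the app registration manifest (has appId and requiredResourceAccess)
    resource_sp  - the service principal of the API that DEFINES the role (e.g. Exchange Online)
    principal_sp - the service principal of the app being granted the role
    """
    # 1. Which API does the manifest say this appRoleId belongs to?
    resource_app_id = None
    for entry in manifest.get("requiredResourceAccess", []):
        if app_role_id in requested_app_roles(manifest, entry["resourceAppId"]):
            resource_app_id = entry["resourceAppId"]
    if resource_app_id is None:
        raise AssignmentError(f"{app_role_id} is not a requested application permission (type Role)")

    # 2. The URL must point at the resource SP, not at the app's own SP. Posting to the
    #    app's own SP with a copied role id grants the app's own role, which is the
    #    behaviour seen in the question.
    if resource_sp.get("appId") != resource_app_id:
        raise AssignmentError(
            f"service principal {resource_sp.get('id')} has appId {resource_sp.get('appId')}, "
            f"but {app_role_id} is defined by {resource_app_id}")

    # 3. The resource must really expose that role to applications.
    role = next((r for r in resource_sp.get("appRoles", []) if r.get("id") == app_role_id), None)
    if role is None or "Application" not in role.get("allowedMemberTypes", []):
        raise AssignmentError(f"{app_role_id} is not an application role on {resource_sp.get('appId')}")

    # 4. principalId is the object id of OUR app's service principal.
    if principal_sp.get("appId") != manifest.get("appId"):
        raise AssignmentError("principal_sp is not the service principal of this app registration")

    url = f"{GRAPH}/servicePrincipals/{resource_sp['id']}/appRoleAssignedTo"
    body = {"principalId": principal_sp["id"], "resourceId": resource_sp["id"], "appRoleId": app_role_id}
    return url, body


def post_app_role_assignment(url, body, access_token):
    """Send the request. Needs a token with AppRoleAssignment.ReadWrite.All (not exercised offline)."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + access_token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# --- constructed sample data (all GUIDs are placeholders, not real tenant values) ---
ROLE_ID = "aaaaaaaa-0000-0000-0000-000000000001"          # e.g. Exchange's full_access_as_app
EXCHANGE_APP_ID = "22222222-0000-0000-0000-000000000000"  # resourceAppId from the manifest
MY_APP_ID = "11111111-0000-0000-0000-000000000000"

SAMPLE_MANIFEST = {
    "appId": MY_APP_ID,
    # the question's app copied the same role id into its own appRoles
    "appRoles": [{"id": ROLE_ID, "value": "full_access_as_app", "allowedMemberTypes": ["Application"]}],
    "requiredResourceAccess": [
        {"resourceAppId": EXCHANGE_APP_ID,
         "resourceAccess": [{"id": ROLE_ID, "type": "Role"},
                            {"id": "bbbbbbbb-0000-0000-0000-000000000002", "type": "Scope"}]}],
}
EXCHANGE_SP = {"id": "33333333-0000-0000-0000-0000000000ee", "appId": EXCHANGE_APP_ID,
               "appRoles": [{"id": ROLE_ID, "value": "full_access_as_app",
                             "allowedMemberTypes": ["Application"]}]}
APP_SP = {"id": "44444444-0000-0000-0000-0000000000aa", "appId": MY_APP_ID,
          "appRoles": SAMPLE_MANIFEST["appRoles"]}

if __name__ == "__main__":
    print(build_app_role_assignment(SAMPLE_MANIFEST, EXCHANGE_SP, APP_SP, ROLE_ID))
```

Run against the constructed data, the correct call targets the Exchange Online service principal's object id; passing the app's own service principal as the resource (what the question did) is rejected even though that principal carries an appRole with the identical id, because its appId is not the resourceAppId the manifest names.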