I am trying to grant admin consent to assigned permissions using Microsoft Graph APIs. The steps I performed are as follows:
- Create an application having an "appRoles" array defined.
- Create a service principal with the appId.
- Grant an appRoleAssignment for a service principal. I ran this HTTP POST request:
  https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo
- In the Azure portal, instead of granting the originally present permission, I see it is creating another permission and granting consent to it, as displayed in the picture below.
Why is it not granting the original permission, even though the 'appRoleId' is the same? I want to grant the original permission, can someone tell me? Thanks.

Of course, it will not grant the original permission, when you create an application and expose the API permission, this permission and the permission in Exchange are totally two different permissions from different APIs, no matter what the appRoleId they used.

To grant the full_access_as_app Application permission for your app, please follow the steps below.

1. Navigate to your AD App in the portal -> Manifest -> requiredResourceAccess, get the resourceAppId and id, note the id down as appRoleId.

2. Navigate to the Azure Active Directory in the portal -> Enterprise applications -> search for the resourceAppId got in step 1, then you will find the Office 365 Exchange Online -> click it -> Overview -> get the Object ID, note it down as resourceId.

   Note: This Object ID is different in different AAD tenants.

3. Navigate to your AD App -> click the Managed application in local directory, then get the Object ID, note it down as principalId.

4. Then call the Microsoft Graph you used - Grant an appRoleAssignment for a service principal, use the values got before.

I tested it in the Graph Explorer:
Check the result in the portal, it works fine.
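
The four steps above, resolved from the manifest rather than copied by hand, as an added example that is not part of the original answer. It builds the appRoleAssignedTo request offline and refuses an appRoleId that the resource API's service principal does not define; every GUID is a constructed placeholder, and the helper names `sp_by_app_id` and `build_assignments` are hypothetical.

```python
import json

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample data; every GUID below is a placeholder, not a real tenant value.
MANIFEST = {
    "appId": "aaaaaaaa-0000-0000-0000-000000000001",
    "requiredResourceAccess": [{
        "resourceAppId": "bbbbbbbb-0000-0000-0000-000000000002",
        "resourceAccess": [{"id": "cccccccc-0000-0000-0000-000000000003", "type": "Role"}],
    }],
}
# Service principals in the tenant (the "Enterprise applications" view).
SERVICE_PRINCIPALS = [
    {"id": "dddddddd-0000-0000-0000-000000000004",   # client app's SP object ID
     "appId": "aaaaaaaa-0000-0000-0000-000000000001",
     "appRoles": [{"id": "cccccccc-0000-0000-0000-000000000003", "value": "full_access_as_app"}]},
    {"id": "eeeeeeee-0000-0000-0000-000000000005",   # resource API's SP object ID
     "appId": "bbbbbbbb-0000-0000-0000-000000000002",
     "displayName": "Office 365 Exchange Online",
     "appRoles": [{"id": "cccccccc-0000-0000-0000-000000000003", "value": "full_access_as_app"}]},
]

def sp_by_app_id(sps, app_id):
    """Return the single service principal whose appId matches, or fail."""
    hits = [sp for sp in sps if sp["appId"] == app_id]
    if len(hits) != 1:
        raise LookupError(f"expected one service principal for appId {app_id}, found {len(hits)}")
    return hits[0]

def build_assignments(manifest, sps):
    """Yield (url, body) for each application permission the manifest requests."""
    principal_id = sp_by_app_id(sps, manifest["appId"])["id"]           # step 3
    for rra in manifest["requiredResourceAccess"]:
        resource = sp_by_app_id(sps, rra["resourceAppId"])              # step 2
        defined = {role["id"] for role in resource.get("appRoles", [])}
        for access in rra["resourceAccess"]:
            if access["type"] != "Role":        # "Scope" entries are delegated permissions
                continue
            if access["id"] not in defined:
                raise ValueError(f"{access['id']} is not an app role of {rra['resourceAppId']}")
            yield (f"{GRAPH}/servicePrincipals/{resource['id']}/appRoleAssignedTo",
                   {"principalId": principal_id, "resourceId": resource["id"],
                    "appRoleId": access["id"]})                         # steps 1 and 4

if __name__ == "__main__":
    for url, body in build_assignments(MANIFEST, SERVICE_PRINCIPALS):
        print("POST", url)
        print(json.dumps(body, indent=2))
```

In the sample data the client app defines an app role with the same GUID as the resource API, mirroring the question; the request still targets the resource's service principal because resourceId is derived from resourceAppId.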