I am trying to grant admin consent to assigned permissions using Microsoft graph APIs. Steps i performed are as follows:
Create application having "appRoles" array defined.
create service principal with appId.
Grant an appRoleAssignment for a service principal. I ran http post request:
https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo
- In Azure portal, instead of granting originally present permission, i see it is creating another permission and granting consent to it as displayed in the picture below.
Why it is not granting original permission, even though the 'appRoleId' is same? I want to grant original permission, can some one tell me? Thanks.
Of course, it will not grant the original permission, when you create an application and expose the API permission, this permission and the permission in
Exchangeare totally two different permissions from different APIs, no matter what theappRoleIdthey used.To grant the
full_access_as_appApplication permission for your app, please follow the steps below.1.Navigate to your AD App in the portal ->
Manifest->requiredResourceAccess, get theresourceAppIdandid, note theiddown asappRoleId.2.Navigate to the
Azure Active Directoryin the portal ->Enterprise applications-> search for theresourceAppIdgot in step 1, then you will find theOffice 365 Exchange Online-> click it ->Overview-> get theObject ID, note it down asresourceId.Note: This
Object IDis different in different AAD tenants.3.Navigate to your AD App -> click the
Managed application in local directory, then get theObject ID, note it down asprincipalId.4.Then call the Microsoft Graph you used - Grant an appRoleAssignment for a service principal, use the values got before.
I test it in the Graph Explorer:
Check the result in the portal, it works fine.