
Unable to give Admin Consent and Application Permissions through programmatically

Jeeva R P 0 Reputation points
2024-01-16T10:13:40.5733333+00:00

Introduction: Hello Team,

I am building a console application to track Microsoft Entra ID (Azure Active Directory) audit logs.

I need to get the audit logs of all users, so we can track whether they made changes to user credentials.
For that I need to add the permission AuditLog.Read.All and grant admin consent for it. I am not able to grant consent from my code.

I've encountered some challenges while working with the Microsoft Graph API, particularly related to granting admin consent programmatically and managing application permissions. I'm seeking insights and assistance on the following matters:

Question 1: Significance and Programmatic Granting of Admin Consent
I am curious about the significance of admin consent and would like to understand how it can be granted programmatically for application permissions. Are there any examples illustrating the process, especially for permissions like "Audit Log Read All", through the Microsoft Graph API?

Question 2: Custom App Roles with Specific Permissions
I am exploring the option of creating a custom app role with a specific permission, such as "Audit Log Read All", and assigning it a unique ID. Is this approach feasible, and are there any examples or guidelines for achieving this through the Microsoft Graph API?

Question 3: Admin Consent for Application API Permissions without User Login
I have a scenario where I need to grant admin consent for application API permissions without requiring user login. Is this feasible, and if so, what approach should I follow for this requirement?

Your guidance and insights on these questions would be immensely helpful. Thank you,

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

2 answers

  1. Danstan Onyango 3,996 Reputation points Microsoft Employee
    2024-01-22T09:53:36.1766667+00:00
    1. Significance of Admin Consent and How to do it:
      Admin consent is a feature that protects the tenant's resources from access without the admins' approval. Not all permissions require admin consent, but those that do are critical, like Directory.ReadWrite.All, which literally gives a user or an app the power to change any Entra resource. Please see here on how to implement admin consent in a sign-in flow programmatically.
    2. Request Resource Not Found
      The "Request Resource Not Found" error in Postman can be caused by a number of issues, including incorrect URL formatting, incorrect authentication credentials, and insufficient permissions. To troubleshoot this issue, you can check the following:
      • Ensure that the URL is correct and matches the resource you are trying to access.
      • Check the authentication credentials you are using to ensure they are correct and have the appropriate permissions.
      • Check the permissions of the user or application you are authenticating as to ensure that they have access to the resource you are trying to access.
    3. Custom App Roles with Specific Permissions
      See
      Add app roles to your application and receive them in the token
      Grant an appRoleAssignment to a service principal
    4. Admin Consent for Application API Permissions without User Login
      Yes, you can do this on Entra Portal application blade by
      Going to the application,
      then under API Permissions, select add permissions.
      Search for Microsoft Graph API then select application permissions.
      Add the permission you need and grant admin consent. If you are not an admin then you can ask an admin to do the same.
      See screenshot (admin-consent).


    1 person found this answer helpful.

  2. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,546 Reputation points Moderator
    2024-01-30T05:10:35.0266667+00:00

    Hello @Jeeva R P, my understanding is that you want to consent permissions for a multi-tenant application in different tenants without being prompted for consent. This can be achieved through Microsoft Graph. Take a look at Grant tenant-wide admin consent to an application. AuditLog.Read.All as resourceId is e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20 and as appRoleId is b0afded3-3588-46d8-8b3d-9842eff778da.

    Keep in mind you will have to authenticate with an admin principal (user or service) to each resource tenant where you need to make updates. If you don't want any interactivity during login, you can opt for the OAuth 2.0 Resource Owner Password Credentials flow (not recommended) or the OAuth 2.0 client credentials flow.

    Let me know if you need samples for a specific programming language or platform.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

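The Graph-based grant that the second answer points to (and the "Grant an appRoleAssignment to a service principal" link in the first answer) comes down to one POST: an application permission is admin-consented when an appRoleAssignment exists on the client app's service principal whose resourceId is the object id of the resource's service principal (Microsoft Graph here) and whose appRoleId is the permission's role id (b0afded3-3588-46d8-8b3d-9842eff778da for AuditLog.Read.All, as in the answer). The following is an added example, not the question author's console app and not Microsoft's sample code. It takes an already-acquired bearer token (for an unattended process, from the client credentials flow described in the answer) for a principal allowed to create app role assignments, looks both service principal object ids up in the target tenant instead of hardcoding them, since those object ids differ from tenant to tenant, and skips the POST when the assignment already exists. The appId of the audit application, the service principal object ids and the FakeGraph transport are constructed so the module runs offline; against a real tenant, call it with the default `send=http_json`.

```python
"""Tenant-wide admin consent for an application permission via Microsoft Graph.

Added example (not the question author's console app or Microsoft's code):
creates the appRoleAssignment that Entra ID records when an admin consents to
an application permission, here Microsoft Graph AuditLog.Read.All.  Standard
library only; the HTTP layer is a plain callable so the logic can be run
offline against the constructed FakeGraph below."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph
AUDITLOG_READ_ALL = "b0afded3-3588-46d8-8b3d-9842eff778da"  # AuditLog.Read.All application-permission id
DEMO_CLIENT_APP_ID = "8f6c0d1e-0000-4000-8000-000000000001"  # constructed appId of the audit console app


def http_json(method, url, token, body=None):
    """Real transport: JSON over HTTPS with a bearer token obtained beforehand
    (for unattended use, via the OAuth 2.0 client credentials flow)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def find_service_principal(app_id, token, send=http_json):
    """Resolve an app's service principal in *this* tenant; its object id is
    tenant-specific, so resourceId/principalId must be looked up, not hardcoded."""
    flt = urllib.parse.quote(f"appId eq '{app_id}'")
    found = send("GET", f"{GRAPH}/servicePrincipals?$filter={flt}", token).get("value", [])
    if len(found) != 1:
        raise LookupError(f"expected exactly one service principal for appId {app_id}, got {len(found)}")
    return found[0]


def application_role_id(resource_sp, role_value):
    """Find the application permission (appRole) by its name, e.g. 'AuditLog.Read.All'."""
    for role in resource_sp.get("appRoles", []):
        if (role.get("value") == role_value and role.get("isEnabled", True)
                and "Application" in role.get("allowedMemberTypes", [])):
            return role["id"]
    raise LookupError(f"{resource_sp.get('appId')} exposes no enabled application role {role_value!r}")


def grant_application_permission(client_app_id, resource_app_id, role_value, token, send=http_json):
    """Grant (admin-consent) one application permission to client_app_id.
    Idempotent: an existing matching assignment is returned instead of duplicated."""
    client_sp = find_service_principal(client_app_id, token, send)
    resource_sp = find_service_principal(resource_app_id, token, send)
    role_id = application_role_id(resource_sp, role_value)
    url = f"{GRAPH}/servicePrincipals/{client_sp['id']}/appRoleAssignments"
    for existing in send("GET", url, token).get("value", []):
        if existing["resourceId"] == resource_sp["id"] and existing["appRoleId"] == role_id:
            return existing
    body = {"principalId": client_sp["id"], "resourceId": resource_sp["id"], "appRoleId": role_id}
    return send("POST", url, token, body)


class FakeGraph:
    """Constructed stand-in for a tenant's Graph endpoints, for running offline."""

    def __init__(self):
        self.sps = {
            GRAPH_APP_ID: {"id": "1d7ea2c0-0000-4000-8000-0000000000aa", "appId": GRAPH_APP_ID,
                           "appRoles": [{"id": AUDITLOG_READ_ALL, "value": "AuditLog.Read.All",
                                         "isEnabled": True, "allowedMemberTypes": ["Application"]}]},
            DEMO_CLIENT_APP_ID: {"id": "2e8fb3d1-0000-4000-8000-0000000000bb",
                                 "appId": DEMO_CLIENT_APP_ID, "appRoles": []},
        }
        self.assignments = []

    def __call__(self, method, url, token, body=None):
        if token != "fake-token":
            raise PermissionError("401 Unauthorized")
        path = url[len(GRAPH):]
        if method == "GET" and path.startswith("/servicePrincipals?$filter="):
            app_id = urllib.parse.unquote(path.split("=", 1)[1]).split("'")[1]
            return {"value": [sp for sp in self.sps.values() if sp["appId"] == app_id]}
        parts = path.split("/")
        if len(parts) == 4 and parts[3] == "appRoleAssignments":
            if method == "GET":
                return {"value": [a for a in self.assignments if a["principalId"] == parts[2]]}
            if method == "POST":
                assignment = dict(body, id=f"assignment-{len(self.assignments) + 1}")
                self.assignments.append(assignment)
                return assignment
        raise ValueError(f"unexpected {method} {url}")


if __name__ == "__main__":
    tenant = FakeGraph()
    first = grant_application_permission(DEMO_CLIENT_APP_ID, GRAPH_APP_ID, "AuditLog.Read.All", "fake-token", send=tenant)
    again = grant_application_permission(DEMO_CLIENT_APP_ID, GRAPH_APP_ID, "AuditLog.Read.All", "fake-token", send=tenant)
    print(json.dumps(first, indent=2), "\nduplicate suppressed:", first["id"] == again["id"])
```

Two practical points. The principal whose token is used here must itself be allowed to write app role assignments (for example an automation principal granted AppRoleAssignment.ReadWrite.All, or a user in an administrator role that can consent); a principal with that right can consent any permission for any app in the tenant, including Directory.ReadWrite.All, so it should be a separate, tightly held deployment identity rather than the audit-reading application consenting to itself. And the same flow works for any resource and role name, not only Graph and AuditLog.Read.All: pass the resource API's appId and the permission's `value` as it appears in that service principal's appRoles.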

