AOBO Admin-On-Behalf-Of flow rest api

Giovanni Toraldo 6 Reputation points
2020-03-03T16:18:29.053+00:00

Anyone have a coed example for the AOBO flow?
What I'm trying to achieve is to manage the resources inside the customer azure subscription as admin.

So, I need a rest api flow where I ask to the user a token that authorize the admin to access to the resources inside his azure tenant, purchased on csp.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,088 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Giovanni Toraldo 6 Reputation points
    2020-03-04T08:59:01.237+00:00

    It sounds like you want to ask the user to login, and then that requires the admin to grant admin consent to access the resource

    Nope, as admin, I would like to ask the permissions to my users to manage their azure resources.
    I would like, as administrator, as admin agent user, provision resources inside my customers azure subscriptions.
    It is already possible to do that using the web interface, but i cannot figure out how to using the api rest.

    1 person found this answer helpful.
    0 comments No comments

  2. FrankHu-MSFT 976 Reputation points
    2020-03-03T18:51:40.753+00:00

    @Giovanni Toraldo can you clarify what you mean in regards to the flow? I'm not sure I understand. It sounds like you want to ask the user to login, and then that requires the admin to grant admin consent to access the resource.

    Which should just be an authorization flow with permissions that require admin consent. You will need to disable user consent per the docs below.

    Please see here for more information on that:
    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent
    https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow
    https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
    https://joonasw.net/view/defining-permissions-and-roles-in-aad

    Specifically from the last link note :

    "type": "User" means this permission can be granted by a non-admin user.
    Use "type": "Admin" if you want it to be grantable by admin only

    0 comments No comments