AOBO Admin-On-Behalf-Of flow rest api

Question

Anyone have a coed example for the AOBO flow?
What I'm trying to achieve is to manage the resources inside the customer azure subscription as admin.

So, I need a rest api flow where I ask to the user a token that authorize the admin to access to the resources inside his azure tenant, purchased on csp.

Answer 1

It sounds like you want to ask the user to login, and then that requires the admin to grant admin consent to access the resource

Nope, as admin, I would like to ask the permissions to my users to manage their azure resources.
I would like, as administrator, as admin agent user, provision resources inside my customers azure subscriptions.
It is already possible to do that using the web interface, but i cannot figure out how to using the api rest.

Answer 2

@Giovanni Toraldo can you clarify what you mean in regards to the flow? I'm not sure I understand. It sounds like you want to ask the user to login, and then that requires the admin to grant admin consent to access the resource.

Which should just be an authorization flow with permissions that require admin consent. You will need to disable user consent per the docs below.

Please see here for more information on that:
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
https://joonasw.net/view/defining-permissions-and-roles-in-aad

Specifically from the last link note :

"type": "User" means this permission can be granted by a non-admin user.
Use "type": "Admin" if you want it to be grantable by admin only