Restrict Microsoft Graph API permission

Question

Restrict Microsoft Graph API permission

Fraczek, Rafal SW/WRO-DCDZA 206

Hello,

one of the applications in the tenant needs permissions to the Graph API AppRoleAssignment.ReadWrite.All with the Application type in order to automatically manage AppRoles assignment in the application. However, these permissions pose a high security risk because we give the application the ability to manage appRoles in any application in our tenant.

Is it possible to limit API access so that it only applies to the application for which it was granted? So that the application can manage appRoles that are existing in it, and not in other applications in the tenant.

Thanks in advance

Rafal Fraczek

2 answers

Your answer

Answer 1

okay, I have found the solution. maybe someone will need it:

Application need to have Graph API permission: User.Read.All and Application.Read.All with Application Type.

Then we assign Custom Role to ServicePrincipal with permission: microsoft.directory/servicePrincipals/appRoleAssignedTo/update

and scope it during assignment to this SP.

With this, SP is able to modify AppRole assignment for himself but not in different SP's (if required you can add more assignment to different SP's).

Configuring permissions via CustomRole to use Get-MgUser is more complicated as user object has a collection of different objects to which rights are also required to complete the Get-MgUser query (e.g Sign-In logs), that's why I used Graph API permission User.Read.All.

So in general Enterprise App will have rights to use Graph cmds granted via API permission and via Custom role/Built-in role in 'Role and administartors'.

Additional info if we add AppRoleAssignment.ReadWrite.All to API permission and have Custom Role also assigned to SP, access will not be restricted and SP will be able to modify appRole assignment in different SP's.

Answer 2

Vasil Michev 123.5K MVP Volunteer Moderator

Afaik no, you cannot restrict said permission. Instead, consider creating a custom role and scope in to just the application at hand. Here's the relevant documentation: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/quickstart-app-registration-limits

Fraczek, Rafal SW/WRO-DCDZA 206 Reputation points

2024-06-10T06:36:27.0066667+00:00

@Vasil Michev thanks for response
I have checked attached documentation, but I have some problems.
I have also checked: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-enterprise-apps
My requirement is to grant Service Principal rights to manage AppRoles assignment only in this Service Principal, so it will be scoped to this SP.I have create custom role, with read option related to:

microsoft.directory/users/*/read

microsoft.directory/servicePrincipals/appRoleAssignedTo/update

microsoft.directory/servicePrincipals/appRoleAssignments/read

microsoft.directory/servicePrincipals/memberOf/read

microsoft.directory/servicePrincipals/standard/read

And update option for:

microsoft.directory/servicePrincipals/appRoleAssignedTo/update

I have then assigned this Custom Role to SP 'XYZ' and scope it to same SP. After that application need to read Users data and Service Principal data so it will use cmds:
Get-MgUser and Get-MgServicePrincipal

and I have the error that rights are not sufficient.

Additionally I am using Jenkins and acting as application

Any idea how to solve it or what I did wrong?

Regards
Fraczek, Rafal SW/WRO-DCDZA 206 Reputation points

2024-06-10T07:16:23.44+00:00

Additionally I have also tested it via PS and Graph (connected to Graph as SP) and have same error:
Fraczek, Rafal SW/WRO-DCDZA 206 Reputation points

2024-06-10T07:24:56.05+00:00

Additionaly I have tested it with PS and connected to Graph as SP:
Connect-MgGraph -TenantId $tenant -ClientSecretCredential $connectCreds
but then same error:

Share via

Restrict Microsoft Graph API permission

2 answers

Your answer