API Permissions via Graph API

Mark Meares 0 Reputation points
2024-10-10T05:36:01.2233333+00:00

Hi Support,

I have been trying to achieve the following with an Entra App Registration:

  • Using the Graph API admin consent to API Permissions for my Entra App Registration. I am well aware you can manually do this by signing into 365 as a Global Administrator and pressing the admin consent button; I am trying to achieve this programmatically.

I have reviewed the following article:
https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/grant-admin-consent?pivots=ms-graph

I am having trouble replicating the above and making it successful.

I have also reviewed the following Stack Overflow article, where it is stated to be possible to achieve the above:
https://stackoverflow.com/questions/76568917/can-a-service-principal-or-azure-app-admin-consent-an-external-multi-tenant-app

I do understand the security implications this may pose if such a thing is possible, but from an IT administration standpoint, where I have multiple tenancies I manage as an MSP, I would like to be able to programmatically add and remove permissions and approve their admin consent in a more streamlined way, without having to log into every single tenant, navigate to the app and repeat the steps to change permissions.

The errors I have come across are 404 and 400, but I have also had times where the response from Graph claims it has succeeded but the permissions are not showing as consented to by admin. The App has the Cloud Administrator Role applied to it as well as application.readwrite.all, approved already to check that these permission changes work. I have also tried granting directory.readwrite.all when testing.

If this is better raised as a direct support request under a tenancy, please let me know.


3 answers

  1. Yakun Huang-MSFT 10,555 Reputation points Microsoft External Staff
    2024-10-10T06:27:30.2966667+00:00

    Hello Mark Meares,

    Thank you for reaching out to Microsoft Support!

    You can refer to this document to programmatically grant and revoke permissions, noting that programmatically granted permissions do not require review or confirmation. They take effect immediately.

    See this document for details:

    https://learn.microsoft.com/en-us/graph/permissions-grant-via-msgraph?view=graph-rest-1.0&tabs=http&pivots=grant-application-permissions

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.


  2. Hitesh Pachipulusu - MSFT 3,620 Reputation points Microsoft External Staff
    2024-10-10T06:46:38.5433333+00:00

    Hello Mark Meares,

    Thank you for reaching out to Microsoft Support!

    It sounds like you're trying to streamline the process of granting admin consent to API permissions for your Entra App Registration programmatically using the Microsoft Graph API.

    Steps to Programmatically Grant Admin Consent:

    1. Ensure Proper Permissions: Make sure your app has the necessary permissions. You've mentioned Application.ReadWrite.All and Directory.ReadWrite.All, which are good starts. Ensure these permissions are granted and admin consented.
    2. Use the Microsoft Graph API: You can use the oauth2PermissionGrants endpoint to grant admin consent programmatically. Here's a basic example using HTTP requests:
         POST https://graph.microsoft.com/v1.0/oauth2PermissionGrants
         Content-Type: application/json
         Authorization: Bearer {token}
         {
           "clientId": "{client-id}",
           "consentType": "AllPrincipals",
           "principalId": null,
           "resourceId": "{resource-id}",
           "scope": "User.Read"
         }
      
      Replace {client-id} with your application's client ID and {resource-id} with the resource ID of the API you are granting permissions to. The scope should be the permissions you want to grant.
    3. Handle Errors: If you encounter errors like 404 or 400, ensure that:
      • The endpoint URL is correct.
      • The token you are using has the necessary permissions.
      • The resource ID and client ID are correct.
    4. Verify Permissions: After making the request, verify that the permissions have been granted by checking the API permissions in the Azure portal or using the Graph API to list the permissions.

    Hope this helps.

    If the answer is helpful, please click Accept Answer and kindly upvote it. If you have any further questions about this answer, please click Comment.


  3. Vasil Michev 116.8K Reputation points MVP
    2024-10-10T07:04:31.8966667+00:00

    You are missing the required permissions; Application.ReadWrite.All is not sufficient. You need AppRoleAssignment.ReadWrite.All in order to manage application permissions and/or DelegatedPermissionGrant.ReadWrite.All in order to manage delegated permissions.

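The two request shapes behind answers 2 and 3, as an added example that is not code from the original post or from Microsoft: application permissions are granted by appRoleId through the resource's appRoleAssignedTo endpoint (needs AppRoleAssignment.ReadWrite.All), delegated scopes through oauth2PermissionGrants (needs DelegatedPermissionGrant.ReadWrite.All), plus the verification step the question asks for. The service principal IDs, the GUIDs in SAMPLE_APP_ROLES and the grant records are constructed; real values come from the tenant.

```python
"""Builds the Microsoft Graph requests used for programmatic admin consent."""
GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample of the appRoles a resource service principal returns from
# GET /servicePrincipals/{id}?$select=appRoles (the GUIDs here are made up).
SAMPLE_APP_ROLES = [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "User.Read.All",
     "allowedMemberTypes": ["Application"]},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "Mail.Send",
     "allowedMemberTypes": ["Application"]},
]

def app_role_id(app_roles, value):
    """Application permissions are granted by appRoleId (a GUID), never by name."""
    for role in app_roles:
        if role["value"] == value and "Application" in role["allowedMemberTypes"]:
            return role["id"]
    raise LookupError(f"{value} is not an application permission on this resource")

def application_grant(client_sp_id, resource_sp_id, app_roles, value):
    """One application permission; caller needs AppRoleAssignment.ReadWrite.All."""
    return {"method": "POST",
            "url": f"{GRAPH}/servicePrincipals/{resource_sp_id}/appRoleAssignedTo",
            "body": {"principalId": client_sp_id, "resourceId": resource_sp_id,
                     "appRoleId": app_role_id(app_roles, value)}}

def _tenant_wide_grant(existing_grants, client_sp_id, resource_sp_id):
    for g in existing_grants:  # records from GET /oauth2PermissionGrants
        if (g["clientId"], g["resourceId"], g["consentType"]) == \
                (client_sp_id, resource_sp_id, "AllPrincipals"):
            return g
    return None

def delegated_grant(client_sp_id, resource_sp_id, scopes, existing_grants):
    """Tenant-wide delegated consent; needs DelegatedPermissionGrant.ReadWrite.All.
    clientId/resourceId are service principal object IDs, not the app (client) ID.
    An existing AllPrincipals grant for the pair is PATCHed with the merged scope
    string instead of creating a second grant."""
    g = _tenant_wide_grant(existing_grants, client_sp_id, resource_sp_id)
    if g is not None:
        merged = sorted(set(g["scope"].split()) | set(scopes))
        return {"method": "PATCH", "url": f"{GRAPH}/oauth2PermissionGrants/{g['id']}",
                "body": {"scope": " ".join(merged)}}
    return {"method": "POST", "url": f"{GRAPH}/oauth2PermissionGrants",
            "body": {"clientId": client_sp_id, "consentType": "AllPrincipals",
                     "resourceId": resource_sp_id, "scope": " ".join(scopes)}}

def missing_delegated_scopes(existing_grants, client_sp_id, resource_sp_id, wanted):
    """Verify after the call: diff the grants Graph now returns against what was
    requested, so a success response that did not actually consent is caught."""
    g = _tenant_wide_grant(existing_grants, client_sp_id, resource_sp_id)
    granted = set(g["scope"].split()) if g else set()
    return sorted(set(wanted) - granted)
```

Send the returned method/url/body with any HTTP client holding a token for the managed tenant, then re-read the grants and run missing_delegated_scopes before treating the change as done.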
