Automatically Update Permission with Graph Api

Question

Automatically Update Permission with Graph Api

Michele Massetti 0

Hello Community,
I m having issues adding permissions in the API permissions. Basically following this guide:
https://learn.microsoft.com/en-us/entra/identity-platform/howto-update-permissions?pivots=portal#grant-consent-for-the-added-permissions-for-the-enterprise-application
I successfully add the permissions, but then it is needed by the admin to grand access to those. I would like to automatize the process with the graphAPIs from Azure. I modify the requiredResourceAccess of the app, and it works. So my question is, how can I avoid the last step that an admin is required to click on grant access?
Thanks a lot

0 comments

1 answer

Your answer

Answer 1

Vasil Michev 126.5K MVP Volunteer Moderator

If you want to add the permissions programmatically, use the appRoleAssignment endpoint: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-approleassignedto?view=graph-rest-1.0&tabs=http

Do note that you need some highly privileged permissions to perform such operations, which is effectively the equivalent of Global admin. You will have to work with your admins to grant those permissions first, before your app is able to make changes to appRoleAssignments.

Michele Massetti 0 Reputation points

2024-11-19T08:22:30.8866667+00:00

I have an issue with servicePrincipal. I am assigning the role to the service principle in that way, how can I add the roles even for the app?
Michele Massetti 0 Reputation points

2024-11-19T08:33:09.07+00:00

In that way I get this:

These permissions have been granted for Your Organization but aren’t in the configured permissions list. If your application requires these permissions, you should consider adding them to the configured permissions list. Learn more
Michele Massetti 0 Reputation points

2024-11-19T09:01:53.4366667+00:00

https://stackoverflow.com/questions/74126173/in-azure-app-registration-page-what-is-the-difference-between-configured-permi
Actually this depicts exactly my error
Vasil Michev 126.5K Reputation points MVP Volunteer Moderator

2024-11-19T09:46:36.4+00:00

You are "mixing the streams" here. On one hand, you have your application object, which you as the "owner" can configure. If your application requires a certain set of permission to an API, such as the Graph, you define them therein.

On the other hand, you have the "resource" side of things, i.e. what your application will be allowed to access in any given tenant. Obviously, you cannot just define the access on your own, otherwise what's from stopping you from creating an application that has access to all files within Microsoft's tenant, for example. This is where consent comes in, the process of "granting" access to your application in a tenant.

This is also illustrated by the relationship between an "application" object, and a "service principal" object. The application object holds permissions you define. The service principal is then the "local" representation of your application in a given tenant, with permissions that might or might not match those requested by your app - it's up to the tenant's admin (or in some cases, users), to define whether they want to grant access.

With that in mind, what I was referring to above is the way for you to grant permissions to any given service principal, programmatically. Again, your application needs to be highly privileged in order to do so, and in most real-life scenarios you will not be granted such permissions. Instead, you use the consent model to "request" permissions, and an admin from the tenant will have to consent to such request.
CarlZhao-MSFT 46,456 Reputation points

2024-11-29T09:29:24.0766667+00:00

Hi @Michele Massetti

Hope things are going well. I am writing to see if the above suggestions help. If there's anything else we can help, feel free to let us know.

Share via

Automatically Update Permission with Graph Api

1 answer

Your answer