Episode #137 – Programmatically Register an AAD App with Delegated Permission Grants

Here you can find the transcript of Episode #137 of PiaSys TechBites.

Welcome back to PiaSys Tech Bytes. Today, I want to talk with you about quite an advanced topic. In fact, I want to explain to you how you can use Microsoft Graph to register an application in Azure Active Directory, and to grant the permissions needed by the application that you just registered.

To do that, you first register a kind of master application that has the permissions needed to register other applications in your Azure Active Directory tenant; of course, it could even be a multi-tenant application. Once you have registered that master application, you can use it to register any other application in Azure Active Directory and to grant the permissions to the registered apps, using just the Microsoft Graph APIs.

Let me switch to the demo environment and show you how to do that in practice. As usual, let's first have a look at the APIs we are going to use. We will first use the Create Application API, which is available in Microsoft Graph v1.0: you simply make a POST to the applications endpoint, providing the JSON description of the app you want to register, and you get back the JSON description of the whole application that was registered for you in Azure Active Directory.

Once you have registered an application, you also have an application ID, which is the client ID of the application you are creating, and you can use the Create Service Principal endpoint, which is simply a POST to the servicePrincipals collection with another JSON body carrying the appId of the application you want to promote to a service principal. Once you have done that, you can use the oauth2PermissionGrants endpoint: a POST to the collection of OAuth 2.0 permission grants, providing the information about the grant you want to record: the unique ID of the service principal of the app (clientId), the type of consent (consentType: for a specific user, or for all principals in your tenant), the principal ID if it is a consent for a specific user, the resource ID of the service principal of the API you want to grant the permission for, and the scopes of the permissions you want to grant.

Here, I have an application that I already registered in Azure Active Directory. From an API permissions point of view, this application is configured to have the Application.ReadWrite.All permission, as well as the Directory.ReadWrite.All permission, plus User.Read, just for the sake of signing in a user in case of need. But we will just use the application-only token, and we will use those two permissions in our application.

Using MSAL, the Microsoft Authentication Library, which I added to my project using NuGet (Microsoft.Identity.Client is the package you need to import into your solution), I create a confidential client application builder and provide the settings for my master application: the client ID, the authority and the secret for my app, so that I will be able to acquire an app-only access token for the default permission scope for Graph, meaning the permissions I just showed you, so those two permissions in an application-only access token. Then, once I have the access token, I can create an HttpClient object and start creating the application, the service principal, and the permission grant.

First of all, I have to make a POST to the applications collection. I have to provide the access token as the Bearer value of the Authorization header, and I have to define an object made of a display name for the app I'm going to register, as well as the collection of required resource access settings, which includes the settings for Microsoft Graph; this is the unique ID of Microsoft Graph, which is the same in every tenant. Then, I have to define the permissions I want to have in my application, and specifically I'm declaring that I want Group.ReadWrite.All and User.Read. Both will be delegated permissions, as you can see from the type setting, which is Scope.

Once I've done that, I simply make my HTTP request. If the response is successful, I get back the JSON of the response, so that I can deserialize it into an object which gives me access to the application ID, as well as to the other important settings of the application I just registered.

Once you have done that, you can create the service principal: yet another HTTP request, to the servicePrincipals collection in Microsoft Graph under the v1.0 endpoint, so in GA. You prepare a request saying that you want to promote the app you just registered to a service principal, you provide the appId of that app, and you make another request. As the result of this request, you get back a service principal JSON object, which gives you the internal ID of the service principal in your Azure Active Directory tenant, as well as the appId of the application you just registered.

Again, with yet another HTTP request, and the last one, we make a POST to the oauth2PermissionGrants collection. We still provide the access token. In the body, we provide the Azure AD unique ID of the service principal as the clientId. We declare that we want to grant the permissions to all the principals in the tenant (consentType AllPrincipals). Otherwise, you could target just a specific user, just like a single user consenting to permissions that don't require a global tenant admin grant.

Then, if it is a grant for a specific user, you have to provide the ID of the user principal; otherwise, you simply leave this property null. Then, you provide the resource ID of the target API, which is the ID of the service principal for Microsoft Graph in your tenant, which you have to retrieve either using Graph Explorer or by querying Microsoft Graph from your source code. Then, the permission scopes we want to grant as delegated permission scopes for this application. We make the last HTTP request, and we get back a JSON response, which is the JSON representation of the grant we just created.
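Here is the whole procedure from this episode (the three POSTs described above, plus the lookup of the Microsoft Graph service principal and a read-back of the resulting grant) as an added, runnable example; it is not the code from the video. It is written in Python against the Graph v1.0 REST endpoints. Two things differ from the episode by assumption: the token is obtained with a raw OAuth 2.0 client-credentials request to the v2.0 token endpoint instead of MSAL (MSAL's AcquireTokenForClient produces the same app-only token), and the delegated scope IDs for requiredResourceAccess are resolved from the Graph service principal's oauth2PermissionScopes rather than typed in by hand. The HTTP transport is an injected callable so the flow can be exercised offline against a fake; the helper names, the TENANT_ID/CLIENT_ID/CLIENT_SECRET environment variables and the "Demo App" display name are this example's own choices.

```python
"""Register an app, create its service principal and grant delegated
permissions tenant-wide via Microsoft Graph v1.0 (added example, not the episode's code)."""
import json
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
# appId of the Microsoft Graph resource; identical in every tenant.
GRAPH_RESOURCE_APP_ID = "00000003-0000-0000-c000-000000000000"

# Transport signature: (method, url, json_body_or_None) -> parsed JSON response.
# Injected so the same flow can run against real Graph or an in-memory fake.
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]


def client_credentials_token(tenant: str, client_id: str, client_secret: str) -> str:
    """App-only token for Graph's .default scope via the OAuth 2.0 client-credentials
    grant (this is what MSAL's AcquireTokenForClient does under the hood)."""
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]


def graph_transport(token: str) -> Transport:
    """Real transport: bearer-authenticated JSON calls to Microsoft Graph."""
    def send(method: str, url: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def lookup_resource_sp(send: Transport, resource_app_id: str) -> Dict[str, Any]:
    """Service principal of the target API in this tenant: its object id is the
    grant's resourceId, and its oauth2PermissionScopes map scope names to ids."""
    q = urllib.parse.quote(f"appId eq '{resource_app_id}'")
    result = send("GET", f"{GRAPH}/servicePrincipals?$filter={q}", None)
    if not result.get("value"):
        raise LookupError(f"no service principal for appId {resource_app_id}")
    return result["value"][0]


def build_required_resource_access(resource_sp: Dict[str, Any], scopes: List[str]) -> Dict[str, Any]:
    """requiredResourceAccess entry for the app manifest; type 'Scope' means delegated."""
    ids = {s["value"]: s["id"] for s in resource_sp["oauth2PermissionScopes"]}
    unknown = [s for s in scopes if s not in ids]
    if unknown:
        raise ValueError(f"resource does not expose delegated scopes: {unknown}")
    return {"resourceAppId": resource_sp["appId"],
            "resourceAccess": [{"id": ids[s], "type": "Scope"} for s in scopes]}


def build_grant(client_sp_id: str, resource_sp_id: str, scopes: List[str],
                principal_id: Optional[str] = None) -> Dict[str, Any]:
    """oauth2PermissionGrant body. AllPrincipals is tenant-wide admin consent and
    carries no principalId; Principal is consent for one user and requires it."""
    grant = {"clientId": client_sp_id, "resourceId": resource_sp_id,
             "scope": " ".join(scopes),
             "consentType": "Principal" if principal_id else "AllPrincipals"}
    if principal_id:
        grant["principalId"] = principal_id
    return grant


def register_with_delegated_grant(send: Transport, display_name: str, scopes: List[str],
                                  resource_app_id: str = GRAPH_RESOURCE_APP_ID,
                                  principal_id: Optional[str] = None) -> Dict[str, Any]:
    """The three POSTs from the episode plus a read-back of the resulting grant."""
    resource_sp = lookup_resource_sp(send, resource_app_id)
    # 1. Register the application. This only *declares* the permissions; the
    #    portal shows them as not granted until step 3 records the consent.
    app = send("POST", f"{GRAPH}/applications", {
        "displayName": display_name,
        "requiredResourceAccess": [build_required_resource_access(resource_sp, scopes)]})
    # 2. Create the service principal that represents the app in this tenant.
    sp = send("POST", f"{GRAPH}/servicePrincipals", {"appId": app["appId"]})
    # 3. Record the consent; this is the step that actually authorizes the scopes.
    grant = send("POST", f"{GRAPH}/oauth2PermissionGrants",
                 build_grant(sp["id"], resource_sp["id"], scopes, principal_id))
    # 4. Read back what the directory now holds for this client.
    q = urllib.parse.quote(f"clientId eq '{sp['id']}'")
    recorded = send("GET", f"{GRAPH}/oauth2PermissionGrants?$filter={q}", None)
    return {"appId": app["appId"], "servicePrincipalId": sp["id"],
            "grantId": grant["id"], "grantedScopes": recorded["value"][0]["scope"].split()}


if __name__ == "__main__":  # live run; needs a master app with the episode's permissions
    import os
    token = client_credentials_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"],
                                     os.environ["CLIENT_SECRET"])
    print(register_with_delegated_grant(graph_transport(token), "Demo App",
                                        ["Group.ReadWrite.All", "User.Read"]))
```

Two practical notes. The requiredResourceAccess on the application is only a declaration; it is the oauth2PermissionGrant object that authorizes the scopes, which is why the portal shows the permissions as pending until the third call succeeds. And the master application's secret is, in effect, a tenant-wide consent authority: with Application.ReadWrite.All and Directory.ReadWrite.All, whoever holds it can register arbitrary apps and grant them delegated access on behalf of every user, so store it in a vault and protect it like a Global Administrator credential.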

Let me start the application and run it. It will, first of all, register the application in Azure Active Directory. If we wait, and here is the console application that is working, if we wait for the output of the application, we can run to cursor right here, and we can see on the console window the ID of the application that we just registered. If I go to portal.azure.com and search in the app registrations for the application I just created, I can see that I have an application with that application ID. If I click on it and go under API permissions, I can see that I have the permissions assigned, but they are still pending the admin grant.

Let me go back to the application and run to cursor until we reach the end of its Main method, so that the permission grant gets configured. If we look into this object, actually better to see it as JSON content, we can see that a permission grant has been registered for Group.ReadWrite.All and User.Read for the ID of the service principal of our application. This is the ID of the permission grant that we just created. If I complete the execution of the application and go back to portal.azure.com, we can refresh the page and see that now the permissions are granted. Basically, using a code-based approach, programmatically, we were able to register an application and grant the delegated permissions for that application.

As always, thank you for watching this video. I hope you found it interesting, and I'm really looking forward to seeing you next week. Remember to subscribe to this channel. Thank you.