Azure AD: I want to fetch delegated as well as application permissions/consent based on appId.
To list the delegated permission grants (OAuth2PermissionGrants) and application permission grants (AppRoleAssignments) granted to an app in Azure AD, please use this script:
This is an issue I'm seeing for MSAs (Personal OneDrives)
I've created an AAD App registration with the User.Read and Files.ReadWrite.AppFolder Graph API permissions. The application is intended to be used to upload scanned documents from a scanner to the user's OneDrive.
I get an Access Denied exception when calling the graphClient.Drive.Special.AppRoot.ItemWithPath(<random filename>).CreateUploadSession().Request().PostAsync() API. However, if I add the Files.ReadWrite.All API permission to the AAD App registration, have a user consent to that permission, upload a file to the app folder, remove the Files.ReadWrite.All API permission, and reauthenticate the user, calls to graphClient.Drive.Special.AppRoot.ItemWithPath(<random filename>).CreateUploadSession().Request().PostAsync() work as expected.
This seems to be an issue with the initial provision of the app folder.
Could you please try adding the Files.ReadWrite permission in place of Files.ReadWrite.AppFolder?
ref doc - https://learn.microsoft.com/en-us/graph/api/driveitem-post-children?view=graph-rest-1.0&tabs=csharp
I have created a microsoft chat bot, and have set up the /adminconsent workflow, where another application has given admin consent to my bot to act on behalf of them.
#shawn-tabrizi wrote a great article about how to remove my own bot's access to their application from the UI, but I can't find a way to remove access using Microsoft Graph.
Any help would be appreciated!
I believe you're looking for Delete an appRoleAssignment granted to a service principal:
App roles which are assigned to service principals are also known as application permissions. Deleting an app role assignment for a service principal is equivalent to revoking the app-only permission grant.
I am integrating my SPA web app with Microsoft 365. I have got a question regarding permissions which were granted while integrating with M365.
After the integration succeeds and an admin approves the permissions in the pop-up login window, I would like to call the Graph API to query for the permissions the administrator granted, in order to enumerate them on the front end and show our user which permissions were requested and which were granted.
I know there are resources to check granted permissions, but those are, for example, for drives or SharePoint user groups. I was unsuccessful in finding any resource I could call in the Graph API to give me all the permissions granted to the application itself. This information is important to me because a user can log in to M365 Azure Active Directory and remove one of the granted permissions. In such a case my app will not be notified of that change in any way, and reaching out for, let's say, a user's Message resource without a signed-in user will not be possible.
Thanks in advance for any help
You can use:
1. List oauth2PermissionGrants: all delegated (user) permissions granted.
2. List appRoleAssignments granted to a service principal: application permissions granted to other applications through their service principals.
3. List oauth2PermissionGrants: delegated (user) permissions granted for a specific application through its service principal.
2 and 3 use the beta endpoint, which is subject to change and not supported in production applications.
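The script requested in the first post and the three resources listed in this answer, plus the appRoleAssignment deletion from the earlier answer, fit together in one workflow: resolve the appId to its service principal, list both kinds of grant, and revoke an application permission. The following is an added example, not code from any of the posts. It talks to a tiny in-memory stand-in (FakeGraph, with constructed sample objects and made-up ids) so it runs offline; in a real tenant you would issue the same paths against https://graph.microsoft.com/v1.0 with a bearer token. The Microsoft Graph appId 00000003-0000-0000-c000-000000000000 is the well-known value; MY_APP_ID is a constructed placeholder.

```python
"""Added example, not code from the posts above: enumerate consent granted to an
app (keyed by appId) and revoke an application permission, using the Graph
resources the answers name:
  GET    /servicePrincipals?$filter=appId eq '{appId}'      app's service principal
  GET    /servicePrincipals/{id}/oauth2PermissionGrants     delegated grants
  GET    /servicePrincipals/{id}/appRoleAssignments         application grants
  DELETE /servicePrincipals/{id}/appRoleAssignments/{aid}   revoke one app grant
FakeGraph serves constructed sample data so this runs offline.
"""
import json
import re

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph, well-known appId
MY_APP_ID = "11111111-2222-3333-4444-555555555555"     # constructed sample appId

SAMPLE_TENANT = {  # constructed objects; all ids are made up
    "servicePrincipals": [
        {"id": "sp-myapp", "appId": MY_APP_ID, "displayName": "Scanner Uploader", "appRoles": []},
        {"id": "sp-graph", "appId": GRAPH_APP_ID, "displayName": "Microsoft Graph",
         "appRoles": [{"id": "role-grp-rw", "value": "Group.ReadWrite.All"},
                      {"id": "role-mail-r", "value": "Mail.Read"}]},
    ],
    "oauth2PermissionGrants": [  # delegated consent: one admin-wide, one per-user
        {"id": "g1", "clientId": "sp-myapp", "consentType": "AllPrincipals", "principalId": None,
         "resourceId": "sp-graph", "scope": "User.Read Files.ReadWrite.AppFolder"},
        {"id": "g2", "clientId": "sp-myapp", "consentType": "Principal", "principalId": "user-42",
         "resourceId": "sp-graph", "scope": "Files.ReadWrite.All"},
    ],
    "appRoleAssignments": [  # application (app-only) consent
        {"id": "a1", "principalId": "sp-myapp", "resourceId": "sp-graph", "appRoleId": "role-grp-rw"},
    ],
}


class FakeGraph:
    """In-memory stand-in for an authenticated Graph client; knows only the paths used here."""

    def __init__(self, tenant):
        self.t = {k: [dict(o) for o in v] for k, v in tenant.items()}

    def get(self, path):
        if m := re.fullmatch(r"/servicePrincipals\?\$filter=appId eq '([^']+)'", path):
            return {"value": [s for s in self.t["servicePrincipals"] if s["appId"] == m[1]]}
        if m := re.fullmatch(r"/servicePrincipals/([^/]+)", path):
            return next(s for s in self.t["servicePrincipals"] if s["id"] == m[1])
        if m := re.fullmatch(r"/servicePrincipals/([^/]+)/oauth2PermissionGrants", path):
            return {"value": [g for g in self.t["oauth2PermissionGrants"] if g["clientId"] == m[1]]}
        if m := re.fullmatch(r"/servicePrincipals/([^/]+)/appRoleAssignments", path):
            return {"value": [a for a in self.t["appRoleAssignments"] if a["principalId"] == m[1]]}
        raise KeyError(path)

    def delete(self, path):
        m = re.fullmatch(r"/servicePrincipals/([^/]+)/appRoleAssignments/([^/]+)", path)
        keep = [a for a in self.t["appRoleAssignments"]
                if not (m and a["principalId"] == m[1] and a["id"] == m[2])]
        removed = len(keep) < len(self.t["appRoleAssignments"])
        self.t["appRoleAssignments"] = keep
        return 204 if removed else 404  # Graph answers 204 No Content on success


def service_principal_id(graph, app_id):
    """appId (client id) -> object id of the app's service principal in this tenant."""
    sps = graph.get(f"/servicePrincipals?$filter=appId eq '{app_id}'")["value"]
    if len(sps) != 1:
        raise LookupError(f"expected one service principal for appId {app_id}, found {len(sps)}")
    return sps[0]["id"]


def list_consent(graph, app_id):
    """Delegated and application permissions currently granted to the app."""
    sp_id = service_principal_id(graph, app_id)

    def name(rid):
        return graph.get(f"/servicePrincipals/{rid}")["displayName"]

    delegated = [{
        "id": g["id"], "resource": name(g["resourceId"]),
        "grantedFor": "all users (admin consent)" if g["consentType"] == "AllPrincipals"
                      else f"user {g['principalId']}",
        "scopes": g["scope"].split(),  # 'scope' is a space-separated string
    } for g in graph.get(f"/servicePrincipals/{sp_id}/oauth2PermissionGrants")["value"]]
    application = []
    for a in graph.get(f"/servicePrincipals/{sp_id}/appRoleAssignments")["value"]:
        roles = graph.get(f"/servicePrincipals/{a['resourceId']}")["appRoles"]  # id -> value
        value = next((r["value"] for r in roles if r["id"] == a["appRoleId"]), a["appRoleId"])
        application.append({"id": a["id"], "resource": name(a["resourceId"]), "role": value})
    return {"servicePrincipalId": sp_id, "delegated": delegated, "application": application}


def revoke_application_permission(graph, app_id, assignment_id):
    """Deleting the appRoleAssignment is how an app-only permission grant is revoked."""
    sp_id = service_principal_id(graph, app_id)
    return graph.delete(f"/servicePrincipals/{sp_id}/appRoleAssignments/{assignment_id}") == 204


def demo():
    """Enumerate, revoke the one application grant, enumerate again (sample tenant)."""
    graph = FakeGraph(SAMPLE_TENANT)
    before = list_consent(graph, MY_APP_ID)
    revoked = revoke_application_permission(graph, MY_APP_ID, "a1")
    return before, revoked, list_consent(graph, MY_APP_ID)


if __name__ == "__main__":
    before, revoked, after = demo()
    print(json.dumps(before, indent=2))
    print("revoked:", revoked, "application grants now:", after["application"])
```

Two points worth noting from the output: delegated grants are keyed by consentType (AllPrincipals for admin consent, Principal plus a principalId for a single user), and an appRoleAssignment only carries an appRoleId, so the human-readable permission name has to be resolved through the resource service principal's appRoles list.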
I can manage sharing access by a user to his personal Office365 account via OAuth2. This article does not contain information on how to revoke the access. I believe there should be a REST API to revoke shared access.
Could I get help, or the link I missed, to the Office365 developer API documentation where I could find the corresponding documentation, please?
If you want to revoke an access token issued by Azure AD: currently, Azure AD doesn't support revoking the token. However, we can clear the token cache if you don't want users to use the token. You could also read the document Configurable token lifetimes in Azure Active Directory to specify the lifetime of a token issued by Azure Active Directory (Azure AD).
Tool: Postman
1. Created an Azure AD app and granted it the app-only permission Group.ReadWrite.All for the Microsoft Graph app; the app has the standard delegated permission "Sign in and read user profile" on the "Windows Azure Active Directory" app.
2. Requested a token for the Azure AD Graph API at the endpoint https://login.windows.net/ with the resource parameter "https://graph.windows.net", using the client credentials grant flow.
3. Got the token back.
4. Used the token and did a GET on a user: OK.
5. Did a PATCH on a user (the modification succeeded, with HTTP code 204 back).
This looks very strange to me: why was an app able to PATCH a user in Azure AD when the app is only granted Group.ReadWrite.All on the Microsoft Graph API?
We are working on an experience in the new Azure portal to "consent/approve" the app in your tenant. Until then, you'll need to follow the final step in the instructions that go with this sample app (to consent the app): https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console.
After doing so, you should see a "roles" claim in the access token (containing Group.ReadWrite.All).
The other issue you are reporting (it looks like your app has been added to the Directory Writers role, enabling your app to be able to perform more than just group manipulation) - this will require some more investigation, as this should not be happening. Will report back.
Hope this helps,
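The check this answer suggests, looking for the "roles" claim in the access token, is quick to script. The following is an added example, not code from the answer or from Microsoft. It decodes the payload of a compact JWT without verifying the signature (good enough for inspecting a token you just obtained, never for an authorization decision) and reports any role beyond the set the app was meant to have, plus whether the audience matches the resource you requested. SAMPLE_TOKEN is a constructed, unsigned (alg none) token mirroring the question's setup, not one issued by Azure AD; the appid and tenant values in it are placeholders, and Directory.ReadWrite.All is used only as the illustrative unexpected role.

```python
"""Added example, not code from the posts above: inspect the roles claim of an
app-only access token.  The payload is decoded WITHOUT signature verification
(inspection only, never authorization).  SAMPLE_TOKEN is a constructed,
unsigned token, not one issued by Azure AD.
"""
import base64
import json


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))  # re-add stripped padding


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_payload(token):
    """Claims of a compact JWT (header.payload.signature); the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def roles_in_token(token):
    """App-only tokens carry application permissions in 'roles'; delegated ones use 'scp'."""
    return sorted(decode_payload(token).get("roles", []))


def unexpected_roles(token, expected):
    """Roles present in the token beyond the set the app was granted on purpose."""
    return sorted(set(roles_in_token(token)) - set(expected))


def audience_matches(token, resource):
    """The token is only valid for the resource named in 'aud' (the resource parameter used)."""
    return decode_payload(token).get("aud") == resource


def make_sample_token(claims):
    """Build an UNSIGNED (alg none) token for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


SAMPLE_TOKEN = make_sample_token({  # constructed claims; appid and tenant are placeholders
    "aud": "https://graph.windows.net",
    "iss": "https://sts.windows.net/tenant-id/",
    "appid": "11111111-2222-3333-4444-555555555555",
    "roles": ["Group.ReadWrite.All", "Directory.ReadWrite.All"],
})

if __name__ == "__main__":
    print("roles:", roles_in_token(SAMPLE_TOKEN))
    print("unexpected:", unexpected_roles(SAMPLE_TOKEN, ["Group.ReadWrite.All"]))
    print("aud ok:", audience_matches(SAMPLE_TOKEN, "https://graph.windows.net"))
```

If the roles claim is missing entirely, consent has not been recorded for the app in that tenant; if it lists more than you expect, the extra entries are application permissions still granted to the service principal and are worth reconciling against the portal before looking elsewhere for the cause.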
There are two issues here;
Issue #1) Wrong documentation for Add Owner graph.microsoft.io/en-us/docs/api-reference/v1.0/api/… (One of the following scopes is required to execute this API: Group.ReadWrite.All or Directory.ReadWrite.All or Directory.AccessAsUser.All). It requires both Directory.ReadWrite.All AND Group.ReadWrite.All.
Issue #2) The Azure AD portal does not remove the application's service principal from the Directory Writers role if you remove the "Read and write directory data" permission from the Windows Azure AD app.