0
votes

Tool: postman

  1. Created an Azure AD app, granted the app-only permission Group.ReadWrite.All for the Microsoft Graph app; the app has the standard delegated permission "Sign in and read user profile" on the "Windows Azure Active Directory" app.
  2. Requested a token for the Azure AD Graph API at endpoint https://login.windows.net/ with resource parameter "https://graph.windows.net", using the client credentials grant flow;
  3. Got a token back;
  4. Used the token and did a GET on a user: OK;
  5. Did a PATCH on a user (the modification succeeded, with HTTP code 204 back).

This looks very strange to me: why was an app able to do a PATCH on a user in Azure AD when the app is only granted Group.ReadWrite.All on the Microsoft Graph API?

2
Can you take a quick look at the access token that you are getting back please? Use a JWT decoder like jwt.calebb.net, and update your post to include the "roles" claim value please. There could be another reason for this... Using AAD PowerShell, can you look to see the members of the Directory Writers role? Is it possible that you added the service principal (representing your application) to this role? – Dan Kershaw - MSFT
Just checked the token in the JWT decoder; there is no appRole claim available. I will check for the Directory Writer role and update this comment. – Maqsood Ali Bhatti - bElaie.
@DanKershaw-MSFT --- this is strange, I just looked at the directory role from PowerShell (Get-MsolRoleMember -RoleObjectId) and I can see the app is a member of the Directory Writer role, but this could be correct since Group.ReadWrite.All would have this role assigned. Am I on the correct path? – Maqsood Ali Bhatti - bElaie.
Your app would not be added to the Directory Writer role as part of configuring your app to require Group.ReadWrite.All. It looks like you've not consented to the app (or you'd see a "roles" claim in the token). Which portal did you use to register your app? Is this a newly registered app? Also, is there any possibility that you manually added the app to this role? – Dan Kershaw - MSFT
@DanKershaw-MSFT -- The app is a newly registered app and it was registered using the new Azure Portal, logged in with an Admin account. I have not added this app manually to this role, I am quite sure. I will go and see if I can reproduce the same behavior with another new app. – Maqsood Ali Bhatti - bElaie.
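The check suggested in the comments above (decode the app-only access token and look at its "roles" claim) can be done locally instead of pasting a live token into a website. The following is an added example, not code from the thread or from Microsoft; it builds two constructed, unsigned sample tokens (a placeholder appid, an "aud" of https://graph.windows.net, with and without a "roles" claim) purely to exercise the inspection code. It reads claims without verifying the signature, which is fine for inspecting a token you just obtained yourself but is never an authorization check.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the way JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    The signature is NOT verified here: this is an inspection aid for a token
    you obtained yourself, as a JWT decoder website would do. A relying party
    must validate the signature and audience before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def app_roles(token: str) -> list:
    """Application permissions carried in the 'roles' claim, or [] if absent.

    An app-only (client credentials) token lists consented application
    permissions in 'roles'; no 'roles' claim means no application permission
    was consented for that resource, whatever the portal blade shows.
    """
    roles = decode_jwt_claims(token).get("roles", [])
    return list(roles) if isinstance(roles, list) else [str(roles)]


def audit_token(token: str, expected_role: str) -> dict:
    """Summarise whether a token actually carries the permission you expect."""
    claims = decode_jwt_claims(token)
    roles = app_roles(token)
    return {
        "audience": claims.get("aud"),
        "roles_claim_present": "roles" in claims,
        "roles": roles,
        "has_expected_role": expected_role in roles,
    }


def build_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned demo token (alg 'none', empty signature segment).

    This is only so the example runs offline; it is not a real Azure AD token.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample claims: an app-only token for the Azure AD Graph resource,
# once with the consented permission in 'roles' and once without the claim.
PLACEHOLDER_APP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real app
TOKEN_CONSENTED = build_unsigned_token({
    "aud": "https://graph.windows.net",
    "appid": PLACEHOLDER_APP_ID,
    "roles": ["Group.ReadWrite.All"],
})
TOKEN_NOT_CONSENTED = build_unsigned_token({
    "aud": "https://graph.windows.net",
    "appid": PLACEHOLDER_APP_ID,
})

if __name__ == "__main__":
    for label, tok in (("consented", TOKEN_CONSENTED), ("not consented", TOKEN_NOT_CONSENTED)):
        print(label, audit_token(tok, "Group.ReadWrite.All"))
```

To inspect a real token, pass the access_token string from the token response to `audit_token(token, "Group.ReadWrite.All")`; a result with `roles_claim_present` False matches the situation described in the comments, where the app has been configured for the permission but no admin consent has been granted yet.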

2 Answers

0
votes

We are working on an experience in the new Azure portal to "consent/approve" the app in your tenant. Until then, you'll need to follow the final step in the instructions that go with this sample app (to consent the app): https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console. After doing so, you should see a "roles" claim in the access token (containing Group.ReadWrite.All).

The other issue you are reporting (it looks like your app has been added to the Directory Writers role, enabling your app to be able to perform more than just group manipulation) - this will require some more investigation, as this should not be happening. Will report back.

Hope this helps,

0
votes

There are two issues here:

Issue #1) Wrong documentation for Add Owner graph.microsoft.io/en-us/docs/api-reference/v1.0/api/… ("One of the following scopes is required to execute this API: Group.ReadWrite.All or Directory.ReadWrite.All or Directory.AccessAsUser.All"). It requires both Directory.ReadWrite.All AND Group.ReadWrite.All.

Issue #2) The Azure AD portal does not remove the application's service principal from the Directory Writer role if you remove the "Read and write directory data" permission from the Windows Azure AD app.