2
votes

In the new Azure portal I can create a new application registration. I have found out that this action consists of multiple steps which I want to achieve with the Graph API.

This is the portal experience which I want to simulate with the Graph API:

  1. In the App registrations blade I press on the Add+ link to create the registration Test App A.
  2. I click on Test App A and the blade for this app registration opens. In this blade the value for Managed Application In Local Directory is a link named Test App A.
  3. I click on that link and a new Enterprise Application - PREVIEW blade for Test App A opens. On that blade the Delete link is enabled and clickable. On that blade under MANAGE the link Conditional access is present.
  4. I close all blades and open the Enterprise applications blade. There under MANAGE I click on All applications.
  5. On the Enterprise applications - All applications view I see Test App A listed.

This is what I am doing with the Graph API:

  1. I send a POST request to https://graph.windows.net/{tenant}/applications?api-version=1.6 to create the Test App A.
  2. I click on Test App A and the blade for this app registration opens. In this blade the value for Managed Application In Local Directory is the text Log on to the app to create a local instance.
  3. I send a POST request to https://graph.windows.net/{tenant}/servicePrincipals?api-version=1.6 to create a service principal. The JSON body of the request contains only the property appId with the application ID of the Test App A as its value. This changes the value for Managed Application In Local Directory into a link named Test App A.
  4. I click on that link and a new Enterprise Application - PREVIEW blade for Test App A opens. On that blade the Delete link is disabled and not clickable. On that blade under MANAGE the link Conditional access is missing.
  5. I close all blades and open the Enterprise applications blade. There under MANAGE I click on All applications.
  6. On the Enterprise applications - All applications view the application Test App A is not listed.

What am I missing? Which other properties do I have to send in step 3? What else do I have to do?

1
One thing you could do is go to the Graph Explorer, find your service principal and app, and compare them to ones created by the portal. - juunas
Cool tool. No need for Fiddler :-) - Yavuz

1 Answer

3
votes

You must specify the following during the creation of the Service principal:

"tags": [
  "WindowsAzureActiveDirectoryIntegratedApp"
]

Or you can update the existing service principal with that. Otherwise what you did is correct.

So service principal creation JSON would look like:

{
  "appId": "0e5836bf-ac8d-4b46-9cbb-5b3e8ebcdd37",
  "tags":[
    "WindowsAzureActiveDirectoryIntegratedApp"
  ]
}

Or you could do a PATCH on the service principal with:

{
  "tags":[
    "WindowsAzureActiveDirectoryIntegratedApp"
  ]
}

About the tag

It seems when you add this tag, the principal becomes visible in the "Enterprise Applications" list (which really is the Service Principal list). Conditional Access is also enabled.

This tag seems to exist on any and all service principals created for apps through any of the Portals.

There are also service principals without the tag though, such as the principal for the Graph API, and the Azure Portal.

The point seems to be that these are services with some access in your directory, but they are not supposed to be under your control. The tag differentiates the principals that should be visible for you. Even without the tag the principal can be visible, but only via the app you created, as we saw here.

Interestingly those principals like the Microsoft Graph API have an appId, but no appOwnerTenantId. The publisherName is also null.

This is mostly just guessing since I don't actually work at Microsoft, but the bottom line seems to be that if you want AAD to handle the principal as if you created it for the app through the portal, you must specify that tag also.
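The following is an added example, not code from the question or the answer above. It builds the two request bodies the answer describes (the POST that creates the service principal with the WindowsAzureActiveDirectoryIntegratedApp tag, and the PATCH that adds the tag to an existing principal), and it adds the check a tenant administrator would want after reading the answer: an audit over a service-principal listing that flags principals owned by your own tenant which lack the tag, since those are the ones that do not appear under Enterprise Applications and, per the answer, are not covered by Conditional Access. The endpoint, api-version, tag name and the appId value come from the page; the tenant id, object ids and the sample principals are constructed placeholders, and the PATCH helper assumes the tags collection is replaced as a whole, so it preserves any existing tags.

```python
"""Added example: Azure AD Graph API (graph.windows.net, api-version 1.6)
request bodies for service-principal creation/tagging, plus an audit for
principals missing the WindowsAzureActiveDirectoryIntegratedApp tag.
Tenant id, object ids and sample data below are constructed placeholders.
"""
import json
import urllib.request

GRAPH_BASE = "https://graph.windows.net"
API_VERSION = "1.6"
INTEGRATED_APP_TAG = "WindowsAzureActiveDirectoryIntegratedApp"


def service_principals_url(tenant, object_id=None):
    """URL for POST /{tenant}/servicePrincipals or PATCH /{tenant}/servicePrincipals/{objectId}."""
    path = f"{GRAPH_BASE}/{tenant}/servicePrincipals"
    if object_id:
        path += f"/{object_id}"
    return f"{path}?api-version={API_VERSION}"


def service_principal_create_body(app_id):
    """POST body: appId plus the tag that makes the principal show up under
    Enterprise Applications and enables Conditional Access for it."""
    return {"appId": app_id, "tags": [INTEGRATED_APP_TAG]}


def service_principal_tag_patch_body(existing_tags=()):
    """PATCH body that adds the tag. Assumption: PATCH replaces the whole tags
    collection, so tags the principal already carries are kept."""
    tags = list(existing_tags)
    if INTEGRATED_APP_TAG not in tags:
        tags.append(INTEGRATED_APP_TAG)
    return {"tags": tags}


def send(method, url, body, access_token):
    """Send a JSON request with a bearer token (only called when a token is available)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method=method,
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")


def untagged_own_principals(principals, tenant_id):
    """Object ids of principals owned by this tenant (appOwnerTenantId matches)
    that lack the tag. Principals without an appOwnerTenantId (Microsoft's own,
    such as the Graph API, as the answer notes) are skipped."""
    flagged = []
    for sp in principals:
        if sp.get("appOwnerTenantId") != tenant_id:
            continue
        if INTEGRATED_APP_TAG not in (sp.get("tags") or []):
            flagged.append(sp["objectId"])
    return flagged


# Constructed sample shaped like the "value" array of a Graph list response.
TENANT = "00000000-0000-0000-0000-000000000001"
SAMPLE_PRINCIPALS = [
    {"objectId": "sp-1", "displayName": "Test App A",
     "appOwnerTenantId": TENANT, "tags": []},
    {"objectId": "sp-2", "displayName": "Test App B",
     "appOwnerTenantId": TENANT, "tags": [INTEGRATED_APP_TAG]},
    {"objectId": "sp-3", "displayName": "Microsoft Graph",
     "appOwnerTenantId": None, "publisherName": None, "tags": []},
]

if __name__ == "__main__":
    body = service_principal_create_body("0e5836bf-ac8d-4b46-9cbb-5b3e8ebcdd37")
    print("POST", service_principals_url(TENANT))
    print(json.dumps(body, indent=2))
    print("untagged own principals:", untagged_own_principals(SAMPLE_PRINCIPALS, TENANT))
```

To run the audit against a real tenant, fetch the listing with a GET on the same servicePrincipals URL (the `send` helper handles the authenticated call) and pass its `value` array to `untagged_own_principals`; each flagged object id can then be fixed with a PATCH carrying `service_principal_tag_patch_body(sp["tags"])`.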