0 votes

I am developing a Web API that talks to Azure AD Graph to get and update user and group information. So I have implemented a service application/service principal according to the article at https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet, using Windows PowerShell.

I now want to add some custom attributes to my application so that groups can have extra fields. However, I can only see it in the Azure Portal when I refer to it by its specific application id, and I also can't get to it using the AD Graph RESTful API at https://graph.windows.net/{mytenant}.onmicrosoft.com/applications or /{mytenant}.onmicrosoft.com/applications/{objectId}/extensionProperties, and thus can't add any new custom attributes by using the corresponding POST endpoint.

Comparing my service application with other enterprise applications in my tenant, it also doesn't have a publisher showing in the enterprise applications blade.

Please can anyone advise whether this is supposed to work, and if so what am I missing by way of configuration?

Thanks

Simon

1 Did you have any luck with this? I'm also trying to create users via the Graph API. I am able to do this, but can't seem to POST any of my custom attributes. - Raj

Hi @Raj, yes I did get it to add a custom property, although I haven't tried doing anything with it yet. - SimonP

1 Answer

2 votes

The issue you are seeing here is due to the fact that the tutorial you followed had you create a Service Principal using AAD PowerShell; however, the properties you are looking for are on the Application Object.

You can read more about the differences here.

Application object

An Azure AD application is defined by its one and only application object, which resides in the Azure AD tenant where the application was registered, known as the application's "home" tenant. The application object provides identity-related information for an application, and is the template from which its corresponding service principal object(s) are derived for use at run-time.

Consider the application object as the global representation of your application (for use across all tenants), and the service principal as the local representation (for use in a specific tenant). The Azure AD Graph Application entity defines the schema for an application object. An application object therefore has a 1:1 relationship with the software application, and a 1:n relationship with its corresponding n service principal object(s).

Service principal object

The service principal object defines the policy and permissions for an application, providing the basis for a security principal to represent the application when accessing resources at run-time. The Azure AD Graph ServicePrincipal entity defines the schema for a service principal object.

Before an Azure AD tenant will allow an application to access the resources it is securing, a service principal must be created in the given tenant. The service principal provides the basis for Azure AD to secure the application's access to resources owned by users from that tenant. A single-tenant application will have only one service principal (in its home tenant). A multi-tenant Web application will also have a service principal in each tenant where an administrator or user(s) from that tenant have given consent, allowing it to access their resources. Following consent, the service principal object will be consulted for future authorization requests.

My suggestion is to use the Graph API/Portal UX/PowerShell to create an Application Object first, and then follow the tutorial by updating the service principal of the application you created.

Let me know if this helps!
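As an added example (not code from the question, the answer, or the linked tutorial), the sequence the answer recommends, typed into the same PowerShell the tutorial used: create the application object first, derive the service principal from it, register a directory extension targeted at groups, and then exercise the AD Graph REST endpoints from the question against that application. It assumes the AzureAD PowerShell module is installed and `Connect-AzureAD` has already been run as a tenant administrator, that `$AccessToken` holds a bearer token for the resource `https://graph.windows.net` issued to a client holding `Directory.ReadWrite.All`, and that the display name `GroupExtensionApp`, the attribute names `costCenter` and `region`, and the group search string `Finance` are placeholders.

```powershell
# Added example, not from the original post. Assumes Connect-AzureAD has run
# and $AccessToken is a bearer token for https://graph.windows.net obtained by a
# client with Directory.ReadWrite.All. Names below are placeholders.
$tenant = "mytenant.onmicrosoft.com"

# 1. Create the application object first. extensionProperties hang off this
#    object; a service principal created on its own has nowhere to put them.
$app = New-AzureADApplication -DisplayName "GroupExtensionApp" `
        -IdentifierUris "https://$tenant/GroupExtensionApp"

# 2. Derive the service principal from the application (what the tutorial's
#    script did, but this time bound to an application object in the tenant).
$sp = New-AzureADServicePrincipal -AppId $app.AppId

# 3. Register a directory extension on the application object, targeted at
#    groups. AD Graph exposes it as extension_<appId without dashes>_<name>.
$ext = New-AzureADApplicationExtensionProperty -ObjectId $app.ObjectId `
        -Name "costCenter" -DataType "String" -TargetObjects "Group"
$attr = $ext.Name

# 4. The application is now reachable through the REST paths from the question.
#    AD Graph requires api-version on every call; 1.6 is the last version.
$headers = @{ Authorization = "Bearer $AccessToken"; 'Content-Type' = 'application/json' }
$base    = "https://graph.windows.net/$tenant"

$apps = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "$base/applications?api-version=1.6&`$filter=appId eq '$($app.AppId)'"
$appObjectId = $apps.value[0].objectId     # same value as $app.ObjectId

# List the extension properties, then add a second one with the POST endpoint
# instead of the cmdlet, to show both routes land on the same object.
Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "$base/applications/$appObjectId/extensionProperties?api-version=1.6"

$body = @{ name = "region"; dataType = "String"; targetObjects = @("Group") } | ConvertTo-Json
Invoke-RestMethod -Method Post -Headers $headers -Body $body `
        -Uri "$base/applications/$appObjectId/extensionProperties?api-version=1.6"

# 5. Write a value into the new attribute on a group. The attribute is set by
#    PATCHing the group itself, using the extension_..._costCenter name.
$groupObjectId = (Get-AzureADGroup -SearchString "Finance")[0].ObjectId
$patch = @{ $attr = "CC-1042" } | ConvertTo-Json
Invoke-RestMethod -Method Patch -Headers $headers -Body $patch `
        -Uri "$base/groups/$($groupObjectId)?api-version=1.6"

# Read it back; the extension appears as a top-level property of the group.
$group = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "$base/groups/$($groupObjectId)?api-version=1.6"
$group.$attr
```

Two practical checks: the application object and the service principal report the same `AppId` (`$app.AppId -eq $sp.AppId`), and `Get-AzureADApplicationExtensionProperty -ObjectId $app.ObjectId` lists both `costCenter` and `region` with `TargetObjects` containing `Group`. Because the extension value is stored on the group object, anyone with read access to the group can read it, so do not place secrets in a directory extension.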