Get Azure Active Directory application permissions using AAD Graph API or Microsoft Graph API

2
votes

I have a multi-tenant application that requires the end-user to grant a specific set of permissions when accessed. I now need to add a permission to the application and need the end-user to re-grant the application for it to be effective.

That being said, I would really like to check the user's current application in their AAD to verify what set of permissions they have already granted. With that, I could check if I need to make them re-grant or not and have a nice end-user experience.

The closest I have found is using the following Microsoft Graph API endpoint: 'https://graph.microsoft.com/beta/oAuth2Permissiongrants'

This lists the Service Principals in their tenant along with their required permission scopes. This isn't a solution since the Service Principal's permission scopes aren't the same as the application's.

The second possible solution is using the following AAD Graph Api endpoint: 'https://graph.windows.net/{tenantid}/applications'

Sadly, this also isn't viable since it doesn't return "Enterprise Applications".

Anyone know how to accomplish what I'm trying to do? Thanks

2
azurepermissionsoffice365azure-active-directorymicrosoft-graph-api
Is it possible you can use the newer v2 endpoint? docs.microsoft.com/en-us/azure/active-directory/develop/… It allows for incremental consent so if you need to request permissions you just forward to the endpoint with the new consents you want and if they haven't given them permission it requests it then or if it does it would just redirect you back to your app allowing you to continue the flow from where you left off?Bryan Roberts
Yeah, I saw that also. Not possible for me to use the v2 endpoint just yet. Thanks Bryan!Yohan Belval

2 Answers

0
votes

If I understand your problem correctly you want to get back a list of the permissions that were successfully consented by a person to an application.

For example, if I create a client application, and I request "User.Read" and "Group.ReadAll", and a user has signed into my application and consented to those permissions, you want to see where in the directory that information is stored.

If so, you want to use the OAuth2PermissionGrant Entity as noted here for Microsoft Graph.

{
  "clientId": "string",
  "consentType": "string",
  "expiryTime": "String (timestamp)",
  "id": "string (identifier)",
  "principalId": "string",
  "resourceId": "string",
  "scope": "string",
  "startTime": "String (timestamp)"
}

Note that consent to an application will ALWAYS be represented as a link to a Service Principal representing that application, not the Application Object.

I hope this helps!

0
votes

You will need to do this in two steps using the AAD Graph API endpoint.

  • First step is to retrieve the objectID of your application on that tenant from the response of:

    https://graph.windows.net/{tenantId}/servicePrincipals?$filter=appId eq '{AppID}'

  • Second is to then use oauth2PermissionGrants from AAD endpoint in this case:

    https://graph.windows.net/{tenantId}/servicePrincipals/{ObjectID}/oauth2PermissionGrants

This will give you a list of the permissions consented for that application on that tenant under the field scope.