2
votes

Our company is developing a system that is based on Azure components and a client desktop application that connects to Azure. The Azure components are being deployed automatically by our setup code via the Azure API and Azure deployment automation. One of these components being deployed is a Web App / API that we register in the Azure Active Directory. Our deployment code creates this app in Azure via the Azure API and sets the "Required permissions" for this app in Azure. The required permissions are:

[screenshot of the required permissions omitted]

Once the application is set up with Azure we then have our client desktop application. In our client desktop application the user can log into Azure, and then we want to access the created application. So our client desktop application basically displays the Azure login box to log into Azure, then tries to access the Web application in Azure, and we got this:

[screenshot of the consent warning omitted]

OK, so I can manually solve it: if I log into Azure as Admin and I manually grant the permissions by clicking the "Grant Permissions" button, the message shown above will not be shown anymore and everything will work smoothly. The "Grant Permissions" button I click is this:

[screenshot of the "Grant Permissions" button omitted]

But unfortunately we cannot go this way of granting the permissions manually; we need to find a way to do it programmatically, by C# code. This is our business requirement. So the existing C# code creates the application in Azure AD and sets the required permissions for it, and the missing part is a C# snippet that will automatically grant the permissions, so that the users don't see the warning message above. I've been looking into various online resources and haven't found a way to do it by C# code as yet, unfortunately. Is there a way to grant the permissions automatically? Any C# snippet? Azure API call? PowerShell? Anything?

Regarding the details of the permissions that our application requests: for Microsoft Graph we require these permissions as Application Permissions:

[screenshot of the Microsoft Graph application permissions omitted]

And these as Delegated Permissions:

[screenshot of the Microsoft Graph delegated permissions omitted]

For Windows Azure Active Directory the required permissions are:

[screenshot of the Windows Azure Active Directory permissions omitted]

1
If you are only creating the application, you should also create the servicePrincipal, the oauth2PermissionGrant and the AppRoleAssignment. – Saca

Please also refer to this article for more details. – Nan Yu

@msporek, please add your creation code to the question. The easiest way to figure out what to create and how is to look at the app you've already created and granted permission to manually (using the Grant Permissions button). – Saca

Go to graphexplorer.azurewebsites.net and query for your application, its servicePrincipal, its appRoleAssignments and its oauth2PermissionGrants. – Saca

https://graph.windows.net/<your_tenant.onmicrosoft.com>/servicePrincipals?$filter=appId eq '<yourAppId>'
https://graph.windows.net/<your_tenant.onmicrosoft.com>/servicePrincipals/<servicePrincipalObjectId>/appRoleAssignments
https://graph.windows.net/<your_tenant.onmicrosoft.com>/servicePrincipals/<servicePrincipalObjectId>/oauth2PermissionGrants
– Saca

1 Answer

0
votes

The question has been answered above by @Saca and @Nan Yu. It can be closed now. The solution based on creating OAuth2PermissionGrant and AppRoleAssignment objects for the ServicePrincipal of an application being created is the right way to solve the problem. I have managed to solve the problem this way.
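As an added example (not code from the question, the comments or the answer), here is the procedure the comments describe, done in C#: make sure the app has a service principal, then create an oauth2PermissionGrant for the delegated scopes and an appRoleAssignment for each application permission. It targets Microsoft Graph (graph.microsoft.com), the successor of the graph.windows.net endpoints quoted above, and assumes a Graph bearer token held by an identity allowed to grant admin consent (an administrator's token, or an app holding AppRoleAssignment.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All); `ConsentGranter`, `GrantAsync` and the scope and role names you pass in are my own.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Assumes a bearer token for Microsoft Graph issued to an identity permitted to grant admin consent.
public static class ConsentGranter
{
    const string Graph = "https://graph.microsoft.com/v1.0";
    const string GraphAppId = "00000003-0000-0000-c000-000000000000"; // Microsoft Graph's well-known appId
    static async Task<JsonElement> PostJsonAsync(HttpClient http, string path, object body)
    {
        var content = new StringContent(JsonSerializer.Serialize(body), Encoding.UTF8, "application/json");
        using var resp = await http.PostAsync($"{Graph}/{path}", content);
        var json = await resp.Content.ReadAsStringAsync();
        if (!resp.IsSuccessStatusCode) throw new InvalidOperationException($"{path}: {(int)resp.StatusCode} {json}");
        return JsonDocument.Parse(json).RootElement.Clone();
    }
    // A service principal is the tenant-local instance of an app registration; create it if it is missing.
    static async Task<JsonElement> GetOrCreateServicePrincipalAsync(HttpClient http, string appId)
    {
        var json = await http.GetStringAsync($"{Graph}/servicePrincipals?$filter=appId eq '{appId}'");
        var found = JsonDocument.Parse(json).RootElement.GetProperty("value");
        return found.GetArrayLength() > 0 ? found[0].Clone() : await PostJsonAsync(http, "servicePrincipals", new { appId });
    }
    public static async Task GrantAsync(string accessToken, string ourAppId, string[] delegatedScopes, string[] appRoleValues)
    {
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        string ourSpId = (await GetOrCreateServicePrincipalAsync(http, ourAppId)).GetProperty("id").GetString();
        var graphSp = await GetOrCreateServicePrincipalAsync(http, GraphAppId);
        string graphSpId = graphSp.GetProperty("id").GetString();
        // Delegated permissions: one oauth2PermissionGrant for all users, which is what "Grant Permissions" does.
        await PostJsonAsync(http, "oauth2PermissionGrants", new { clientId = ourSpId, consentType = "AllPrincipals",
            resourceId = graphSpId, scope = string.Join(" ", delegatedScopes) });

        // Application permissions: one appRoleAssignment per role, resolved by value (e.g. "Directory.Read.All")
        // from the appRoles that the Microsoft Graph service principal publishes.
        foreach (var role in graphSp.GetProperty("appRoles").EnumerateArray()
                     .Where(r => appRoleValues.Contains(r.GetProperty("value").GetString())))
        {
            await PostJsonAsync(http, $"servicePrincipals/{ourSpId}/appRoleAssignments",
                new { principalId = ourSpId, resourceId = graphSpId, appRoleId = role.GetProperty("id").GetString() });
        }
    }
}
```

Re-running this against a tenant where a grant for the same client/resource pair already exists fails on the oauth2PermissionGrants POST; in that case update the existing grant's scope instead of creating a second one. The same calls let a deployment script list what a given service principal has been granted, which is the place to check that an app's consented permissions match what it was meant to have.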