0
votes

I have a Java application running on premise in order to manage Azure app registrations and groups. For that purpose I registered an app and its service principal in Azure. I am using one of the samples under (https://github.com/Azure-Samples/aad-java-manage-users-groups-and-roles/). I am having trouble giving the right permissions to my app so that it can register other apps, create groups, assign them to groups and do client secret operations. I am receiving a 403 unauthorized response. What are the least possible Azure AD permissions for these operations? Which steps and options should I take/follow in the portal to implement these requirements?

Thanks

UPDATE 1: Giving the Owner right is a big move, so that's not the answer I was looking for. That's why I am not marking it as the solution to my question, but it would definitely work if you are willing to do that. The code also works. Part of my question was the least possible permissions. After experimenting I found that these app permissions:

  1. Windows Azure Active Directory->Read Write Directory Data
  2. Windows Azure Active Directory->Read Write All Applications
  3. Microsoft Graph->Read Write Directory Data
  4. Microsoft Graph->Read Write All Domains
  5. Microsoft Graph->Read Write All Groups

solved the problem. The Active Directory ones allowed me to create the app and create the group; the Graph ones allowed me to add the app to the group. Instead of the Graph permissions, adding the app as User Access Admin also let me add the app to the group.

UPDATE 2: I am trying to repeat the same process with another app. This time, although I gave the same permissions as I did in Update 1, adding the new app to the group fails with 403. Any idea how this really works? I am really confused...

1 – You can check the permission requirements from the Microsoft Graph documentation. – juunas

Thanks @juunas. This page is what I've been looking for. Do you know whether we can add App Permissions programmatically or not? – user3499779
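As an added example (not code from the question or from the linked Azure sample), a Python helper that decodes the payload of a Microsoft Graph access token without verifying it and reports whether the token was issued for the Graph audience and which of the Graph application permissions listed in Update 1 are actually present in its `roles` claim. The mapping from the portal display names to the role values and the sample token are assumptions/constructed, not taken from the thread.

```python
import base64
import json

# Portal display names from Update 1 mapped to the Microsoft Graph
# application-permission values that appear in a token's "roles" claim
# (assumed mapping, based on the Graph permission reference).
REQUIRED_GRAPH_ROLES = {
    "Read Write Directory Data": "Directory.ReadWrite.All",
    "Read Write All Applications": "Application.ReadWrite.All",
    "Read Write All Groups": "Group.ReadWrite.All",
}
# Graph tokens carry either the URI or the well-known Graph app id as "aud".
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT WITHOUT verifying its signature.
    Only for inspecting a token you obtained yourself, never for authorisation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_token(token: str) -> dict:
    """Report whether the token targets Graph and which required roles it lacks."""
    claims = decode_claims(token)
    granted = set(claims.get("roles", []))
    return {
        "audience_ok": claims.get("aud") in GRAPH_AUDIENCES,
        "granted": sorted(granted),
        "missing": sorted(set(REQUIRED_GRAPH_ROLES.values()) - granted),
    }

def make_unsigned_token(claims: dict) -> str:
    """Build a CONSTRUCTED, unsigned sample token so the check runs offline."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

if __name__ == "__main__":
    # Constructed sample: consent exists for two roles only, so a call that
    # needs Group.ReadWrite.All would still be refused with 403.
    sample = make_unsigned_token({"aud": "https://graph.microsoft.com",
                                  "roles": ["Directory.ReadWrite.All", "Application.ReadWrite.All"]})
    print(check_token(sample))
```

A permission that is added in the portal but absent from `roles` in the token has usually not been admin-consented yet; a token whose `aud` is the Azure AD Graph endpoint instead of Microsoft Graph will never carry Microsoft Graph roles.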

1 Answer

0
votes

You need to create a service principal and give it the Owner role on your subscription. You could check the code: the newly created user is given CONTRIBUTOR on your subscription. So your sp needs the Owner role.

    // Assign role to AD user, it needs `Owner` role.
    RoleAssignment roleAssignment1 = authenticated.roleAssignments()
            .define(raName1)
            .forUser(user)
            .withBuiltInRole(BuiltInRole.READER)
            .withSubscriptionScope("3b4d41fa-e91d-4bc7-bc11-13d221b3b77d")
            .create();
    System.out.println("Created Role Assignment:");

You could do it on Azure Portal.

<your subscription>--><Access Control>--><Add>.


For more information about this, please refer to this official document.

Update:

I tested in my lab: you don't need to give your sp Graph permission, you only need to give your sp the Owner role on your subscription. This is my test result.
