1 vote

I am trying to add app roles to my app registration in Azure Active Directory programmatically, I am using the following Microsoft article as a reference: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/application_update

Here is my code:

using System;
using System.IO;
using System.Net;
using System.Text;

string bearer = "Bearer <token>";
string appId = "<guid>";
string appEndPoint = "https://graph.microsoft.com/beta/applications/{0}";

// PATCH /beta/applications/{id} with the bearer token in the Authorization header
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(string.Format(appEndPoint, appId));
request.Headers.Add("Authorization", bearer);
request.Method = "PATCH";
request.ContentType = "application/json";

// Request body: the appRoles collection to set on the application
string jsonBody = "{\"appRoles\":[{\"allowedMemberTypes\":[\"User\"],\"description\":\"This is a test role\",\"displayName\":\"Test Role\",\"id\":\"fb3d0a97-b19e-4132-bb62-4a0213b37178\",\"isEnabled\":true,\"origin\":\"Application\",\"value\":\"Test\"}]}";

// The body is pure ASCII, so this byte count matches what the UTF-8 StreamWriter below emits
request.ContentLength = Encoding.ASCII.GetBytes(jsonBody).Length;
using (var streamWriter = new StreamWriter(request.GetRequestStream()))
{
    streamWriter.Write(jsonBody);
    streamWriter.Flush();
}
var response = request.GetResponse(); // throws 403 Forbidden
var responseStr = new StreamReader(response.GetResponseStream()).ReadToEnd();

This is how I am acquiring the bearer token:

using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

string domain = "my.domain.com";
string appId = "<guid>";
string clientSecret = "<secret>";

// Client-credentials flow: the resulting token is app-only (application permissions
// appear in the "roles" claim; there is no "scp" claim because no user is involved)
AuthenticationContext authContext = new AuthenticationContext(string.Format("https://login.windows.net/{0}/oauth2/token", domain));
ClientCredential creds = new ClientCredential(appId, clientSecret);
// The v1 endpoint takes a resource identifier (Microsoft Graph), not scopes
AuthenticationResult result = await authContext.AcquireTokenAsync("https://graph.microsoft.com/", creds);

string bearer = result.AccessToken;

I have granted my app registration all the required permissions specified in the Microsoft article, but I keep getting a 403 response.

I have also tried granting my app registration all permissions available and still get 403. Does anybody know what I am doing wrong here?

2
"Bearer <token>", I assume that's an actual, real token that you obtained through ADAL? – Camilo Terevinto

Yes, it is. I didn't include the code I am using to get the bearer token because I wanted to keep the example code to the point; however, I can assure you that the token has been correctly acquired and I am able to GET the app manifest using the acquired token. – Michael Gordon

2 Answers

2
votes

403 error means that the bearer token has insufficient privileges to complete the operation.

If we get the bearer token with a delegated permission, we need Directory.AccessAsUser.All; we can check it with https://jwt.io/

I also tested your code on my side; it works correctly.

Note: Based on my test, if the bearer token has the delegated permission Directory.ReadWrite.All, then it has insufficient privileges.

Update:

Based on my test, if I use the application permission (with AD v1 or v2), I also get the same result as you. You could give your feedback to the Azure team.

APIs under the /beta version in Microsoft Graph are in preview and are subject to change. Use of these APIs in production applications is not supported.
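The answer above suggests pasting the token into https://jwt.io/ to see which permissions it carries. The same check can be done locally, which avoids pasting a live bearer token into a third-party site. The following is an added example, not code from the question or either answer: it base64url-decodes the JWT payload and lists the "aud", "scp" (delegated permissions) and "roles" (application permissions) claims, then checks for the Directory.AccessAsUser.All permission the answer names. It does not validate the signature; it is a diagnostic for inspecting your own token. The class name TokenInspector, the use of System.Text.Json (.NET Core 3.0 or later) and the sample token are all assumptions; the token is constructed inline and unsigned.

```csharp
// Added example (not from the original question or answers): inspect the
// claims inside an Azure AD access token before sending it to Microsoft Graph.
// Assumes .NET Core 3.0+ for System.Text.Json. The token built in Main is a
// constructed, unsigned sample whose payload mimics a delegated Graph token.
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

public static class TokenInspector
{
    // Base64url (RFC 7515) differs from Base64: '-' and '_' replace '+' and '/',
    // and padding is stripped, so it must be restored before decoding.
    public static byte[] Base64UrlDecode(string input)
    {
        string s = input.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;
            case 1: throw new FormatException("Invalid base64url length");
        }
        return Convert.FromBase64String(s);
    }

    // Returns the permissions the token actually carries: "scp" for delegated
    // permissions, "roles" for application permissions. Signature is NOT checked;
    // use this only to inspect a token you obtained yourself.
    public static (string Audience, List<string> Delegated, List<string> Application) Inspect(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWS (expected header.payload.signature)");

        using JsonDocument doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        JsonElement payload = doc.RootElement;

        string aud = payload.TryGetProperty("aud", out var a) ? a.GetString() : "";

        // "scp" is a single space-separated string in Azure AD tokens.
        var delegated = new List<string>();
        if (payload.TryGetProperty("scp", out var scp))
            delegated.AddRange(scp.GetString().Split(' ', StringSplitOptions.RemoveEmptyEntries));

        // "roles" is a JSON array of strings (present on app-only tokens).
        var application = new List<string>();
        if (payload.TryGetProperty("roles", out var roles))
            foreach (JsonElement r in roles.EnumerateArray())
                application.Add(r.GetString());

        return (aud, delegated, application);
    }

    private static string Base64UrlEncode(string text) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(text))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static void Main()
    {
        // Constructed sample token: header and payload only, with a dummy signature.
        string header = Base64UrlEncode("{\"alg\":\"none\",\"typ\":\"JWT\"}");
        string body = Base64UrlEncode(
            "{\"aud\":\"https://graph.microsoft.com/\",\"scp\":\"Directory.AccessAsUser.All User.Read\"}");
        string sampleJwt = header + "." + body + ".sig";

        var (aud, scp, roles) = Inspect(sampleJwt);
        Console.WriteLine($"aud   : {aud}");
        Console.WriteLine($"scp   : {string.Join(", ", scp)}");
        Console.WriteLine($"roles : {string.Join(", ", roles)}");

        // Per the answer above, the delegated token needs Directory.AccessAsUser.All
        // for the appRoles PATCH to succeed; an app-only token shows up under "roles".
        bool hasDelegated = scp.Contains("Directory.AccessAsUser.All");
        Console.WriteLine(hasDelegated
            ? "token carries Directory.AccessAsUser.All"
            : "token lacks Directory.AccessAsUser.All (delegated): expect 403 on the PATCH");
    }
}
```

To use it on a real token, replace sampleJwt with result.AccessToken from the ADAL code in the question. An empty "scp" list together with a populated "roles" list means the token came from the client-credentials flow, which is the application-permission case the answer's update says also returned 403 at the time.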

0
votes

"Directory.ReadWrite.All" is not required and is overkill. Some of the service principal APIs have not been migrated over to the new Graph API. Try granting the permissions below; the one you are probably missing is the Azure Active Directory Graph permission.

Azure Active Directory Graph (note this takes a few minutes to apply):

    Application.ReadWrite.All

Microsoft Graph:

    Application.ReadWrite.All