I'm trying to request the "List privilegedRoles" resource using an app created in Azure's Active Directory.

I've given it all the Application permissions AND Delegated permissions in the Graph API app, to no avail.

The response is always:

{
  "error": {
    "code": "UnknownError",
    "message": "{\"message\":\"An error has occurred.\"}",
    "innerError": {
      "request-id": "3e1bb5cf-2d2e-402f-8648-27193b28510a",
      "date": "2018-06-06T14:26:02"
    }
  }
}

Any help would be much appreciated

UPDATE 1:
A full reproduction of the issue -

step 1: admin consent

open browser at: https://login.microsoftonline.com/MY-TENANT-ID/adminconsent?client_id=MY_APP_ID&state=12345&redirect_uri=http://localhost/myapp/permissions

and grant consent by an admin to the requested permission(s)

see successful redirect to:
http://localhost/myapp/permissions?admin_consent=True&tenant=MY_TENANT_ID&state=12345

step 2: get token

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=MY_APP_ID&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=MY-APP-SECRET&grant_type=client_credentials' 'https://login.microsoftonline.com/MY_TENANT_ID/oauth2/v2.0/token'

get reply like:

{
    "token_type": "Bearer",
    "expires_in": 3599,
    "ext_expires_in": 0,
    "access_token": "SOME-VERY-LONG-TOKEN"
}

step 3: attempt to get the resource

curl -X GET -H "Authorization: Bearer SOME-VERY-LONG-TOKEN" 'https://graph.microsoft.com/beta/privilegedRoles'

ERROR:

{
  "error": {
    "code": "UnknownError",
    "message": "{\"message\":\"An error has occurred.\"}",
    "innerError": {
      "request-id": "cc9c950c-369c-4fb5-8ec4-eb4048e32a5d",
      "date": "2018-06-10T09:09:57"
    }
  }
}
Can you please provide an example of the code you're using and the bearer token you're sending to the API? – Marc LaFleur

@MarcLaFleur it's a little complicated as this is spread across multiple Java classes. I am using this same method to successfully fetch the users and groups from the Graph APIs though, so I think the issue is not there. As I mentioned, the token is created via a service principal/app using the triplet of (tenant id, app id, secret). – Nadav

Without seeing some code or the token, it's just a guessing game. Since a token cannot hold both App and Delegated, understanding how you're getting that token will explain a lot. Check out this article for a deeper explanation: massivescale.com/application-vs-delegated-scopes – Marc LaFleur

@MarcLaFleur see my update with sample reproduction. Only a delegated permission is present. – Nadav

Take a look at the article I linked to. You're using Client Credentials, which means you're not using Delegated permissions. The article I linked to explains how these scopes work. – Marc LaFleur

1 Answer

You can only use delegated permissions for calling the MS Graph PIM APIs. Basically, you will need to do the following setup:

  1. Create a native AAD application
  2. Grant it the "Read and write privileged access to Azure AD" permission and make sure an admin consents to it
  3. Call the MS Graph PIM APIs using this app with a delegated token.

For more details, see https://blogs.msdn.microsoft.com/anujchaudhary/2018/06/07/powershell-sample-for-privileged-identity-management-pim-for-azure-ad-roles/
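The comment thread above turns on whether the token is app-only or delegated, and the answer says the PIM endpoint needs the latter. An added example (not from the question, the answer or Microsoft) for checking that before calling Graph: decode the access token's payload and look at which permission claim it carries. It assumes Azure AD's convention that client-credentials tokens carry a `roles` claim while user-delegated tokens carry `scp`; the two sample tokens are constructed locally, unsigned, and the permission name in them is a sample value.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying it.
    Diagnostic use only: never base an authorization decision on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str) -> str:
    """Azure AD puts delegated permissions in 'scp' and application permissions
    in 'roles'; a single token never carries both (assumption stated in lead-in)."""
    claims = token_claims(token)
    has_scp = bool(claims.get("scp"))
    has_roles = bool(claims.get("roles"))
    if has_scp and not has_roles:
        return "delegated"
    if has_roles and not has_scp:
        return "application"
    return "no-permissions" if not (has_scp or has_roles) else "mixed"


def make_sample_token(payload: dict) -> str:
    """Constructed sample token for offline use; the signature segment is a dummy."""
    header = {"typ": "JWT", "alg": "RS256"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     "not-a-real-signature"])


# Constructed samples: what the question's client_credentials call yields,
# versus the user-delegated token the PIM endpoint requires.
APP_ONLY_TOKEN = make_sample_token({"aud": "https://graph.microsoft.com",
                                    "roles": ["PrivilegedAccess.ReadWrite.AzureAD"]})
DELEGATED_TOKEN = make_sample_token({"aud": "https://graph.microsoft.com",
                                     "scp": "PrivilegedAccess.ReadWrite.AzureAD User.Read",
                                     "upn": "admin@example.com"})

if __name__ == "__main__":
    for flow, tok in [("client_credentials", APP_ONLY_TOKEN), ("auth_code", DELEGATED_TOKEN)]:
        print(f"{flow}: {classify_token(tok)}")
```

Paste a real access token into `classify_token` and an "application" result explains the UnknownError on the PIM call before any further debugging.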