26
votes

I'm trying to give a console app permission to call an API in Azure AD.

When I go to "Add permissions," "application permissions" is grayed out and I can only select "delegated permissions."

My understanding is that application permissions is right for the console app because it runs on the back-end and users don't sign into it.

From the help text for "application permissions":

Your application runs as a background service or daemon without a signed-in user.

The help text for "delegated permissions":

Your application needs to access the API as the signed-in user.

Why is "application permissions" disabled?

[Screenshot: Azure's "Request API permissions" dialog with a disabled "Application permissions" button]

Have you defined app permissions in the appRoles array for the API? – juunas

You have to create a tenant in the Azure portal. The permission is grayed out because you have created the application without creating a tenant. Let me know if you have any more queries. – Md Farid Uddin Kiron

@MdFaridUddinKiron I definitely have a tenant... I don't think that's the issue. – Eric Eskildsen

@juunas No, I'll check the docs using those keywords. – Eric Eskildsen

2 Answers

30
votes

Per my understanding, you are exposing your custom api protected by Azure AD. If so, you need to define the application permission by editing the manifest of your api app.


manifest:

"appRoles": [
    {
        "allowedMemberTypes": [
            "Application"
        ],
        "description": "Apps that have this role have the ability to invoke my API",
        "displayName": "Can invoke my API",
        "id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "myTestRole"
    }
]

Then the application permission will show up.

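As an added illustration of what the appRoles entry above achieves (this is example code, not from the answer or from Microsoft): the script parses the manifest fragment, picks out the roles that can be granted as application permissions, lints the fields that commonly go wrong (non-GUID `id`, empty or duplicate `value`), and then shows the other half that the manifest alone does not give you: the API must require the role in the `roles` claim of the app-only access token, because a token that is merely valid for the API's audience does not prove the caller was granted the permission. The token payloads are constructed samples, and signature and audience validation (which must happen before any claim check) are assumed to be done elsewhere.

```python
"""Added example, not part of the Stack Overflow answer: validate an Azure AD
manifest appRoles entry used as an application permission, and show the
matching 'roles' claim check an API should perform on app-only tokens.

Assumptions: the manifest fragment is the one from the answer, wrapped in a
minimal object; the token payloads are constructed, unsigned samples."""
import json
import uuid

# The answer's appRoles fragment, wrapped into a minimal manifest object.
MANIFEST_JSON = """
{
  "appRoles": [
    {
      "allowedMemberTypes": ["Application"],
      "description": "Apps that have this role have the ability to invoke my API",
      "displayName": "Can invoke my API",
      "id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
      "isEnabled": true,
      "lang": null,
      "origin": "Application",
      "value": "myTestRole"
    }
  ]
}
"""

# Constructed sample token payloads (claims only, no signature); not real tokens.
GRANTED_CLIENT = {"aud": "api://my-api", "roles": ["myTestRole"]}
UNGRANTED_CLIENT = {"aud": "api://my-api"}  # valid audience, but no role granted


def load_manifest(text: str = MANIFEST_JSON) -> dict:
    """Parse the manifest JSON into a dict."""
    return json.loads(text)


def application_roles(manifest: dict) -> list:
    """Roles that can be granted as *application* permissions: enabled entries
    whose allowedMemberTypes include "Application"."""
    return [
        r for r in manifest.get("appRoles", [])
        if "Application" in r.get("allowedMemberTypes", []) and r.get("isEnabled")
    ]


def lint_app_roles(manifest: dict) -> list:
    """Report problems that make an appRole unusable or ambiguous."""
    problems = []
    seen_ids, seen_values = set(), set()
    for role in manifest.get("appRoles", []):
        rid = role.get("id", "")
        value = role.get("value")
        try:
            uuid.UUID(rid)
        except ValueError:
            problems.append(f"role {value!r}: id {rid!r} is not a GUID")
        if rid in seen_ids:
            problems.append(f"duplicate role id {rid!r}")
        seen_ids.add(rid)
        if not value:
            # 'value' is the string that later appears in the token's roles claim
            problems.append(f"role id {rid!r}: empty 'value'")
        elif value in seen_values:
            problems.append(f"duplicate role value {value!r}")
        seen_values.add(value)
        if not role.get("allowedMemberTypes"):
            problems.append(f"role {value!r}: allowedMemberTypes is empty")
    return problems


def token_has_role(claims: dict, required_role: str) -> bool:
    """Authorization check for the API: granted app roles arrive in the 'roles'
    claim of an app-only token. Require the role, not just a valid token."""
    return required_role in claims.get("roles", [])


if __name__ == "__main__":
    manifest = load_manifest()
    print("application permissions exposed:",
          [r["value"] for r in application_roles(manifest)])
    print("lint:", lint_app_roles(manifest) or "ok")
    for name, claims in (("granted", GRANTED_CLIENT), ("ungranted", UNGRANTED_CLIENT)):
        print(name, "->", "allow" if token_has_role(claims, "myTestRole") else "deny")
```

The lint covers the mistakes that most often leave the "Application permissions" button grayed out or the permission unusable: a role whose `allowedMemberTypes` does not contain `"Application"`, a disabled role, or a copy-pasted entry that reuses an `id`. The `token_has_role` check is the part to carry into the API itself.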

1
votes

You actually don't give it permissions that way. It's really confusing. Instead you add your registered app to your subscription and apply a Reader role, sort of through IAM. See here:

https://medium.com/@crlmas07/programmatic-access-to-azure-portal-d925ea90831e