
When using the https://graph.microsoft.com/.default API to PATCH an Application in Azure AD it fails with the error:

"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.", ...

The call authenticates by Application permissions and the following are configured: Application.ReadWrite.All, Directory.ReadWrite.All.

$uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token";
$resourceUrl = 'https://graph.microsoft.com/.default'

$body = @{ grant_type='client_credentials';client_id=$clientId;client_secret=$clientSecret;scope=$resourceUrl; }
$result = Invoke-RestMethod -Method Post -Uri $uri -Body $body
$accessToken = $result.access_token
$authHeader = "Bearer $accessToken"

$patchBody = '{
  "displayName" : "dev2"
}'

Invoke-RestMethod -method PATCH -Uri https://graph.microsoft.com/v1.0/applications/$($app.Id) -Body $patchBody -ContentType application/json -Headers @{Authorization = $AuthHeader }

Here is the API permission (screenshot of the Application API permissions). Note: I do have access to perform a GET operation for the Application.

Is it possible to achieve this?

1 Answer

The Application permission Application.ReadWrite.All is enough. Make sure you grant it in Microsoft Graph, not Azure Active Directory Graph, and don't forget to click the Grant admin consent button.

In your script, you should not pass the $body in the last line; the $body is used to get the access token. And make sure this part $($app.Id) is the ObjectId of the application.

$body = @{ grant_type='client_credentials';client_id=$clientId;client_secret=$clientSecret;scope=$resourceUrl; }

Invoke-RestMethod -method PATCH -Uri https://graph.microsoft.com/v1.0/applications/$($app.Id) -Body $body -ContentType application/json -Headers @{Authorization = $AuthHeader }

You need to use the body described in Update application - Request body; you could store it in a .json file, then use Get-Content to read it.

In my sample, I update the appRoles; you could refer to it as below.

The patch.json file:

{
 "appRoles": [
   {
    "allowedMemberTypes": [
      "User"
    ],
    "description": "Creators can create Surveys",
    "displayName": "SurveyCreator",
    "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
    "isEnabled": false,
    "value": "SurveyCreator"
  }
 ]
}

Script:

$uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token";
$resourceUrl = 'https://graph.microsoft.com/.default'

$body = @{ grant_type='client_credentials';client_id=$clientId;client_secret=$clientSecret;scope=$resourceUrl; }
$result = Invoke-RestMethod -Method Post -Uri $uri -Body $body
$accessToken = $result.access_token
$authHeader = "Bearer $accessToken"

# -Raw returns the file as one JSON string instead of an array of lines
$body1 = Get-Content -Path "C:\Users\joyw\Desktop\patch.json" -Raw

Invoke-RestMethod -method PATCH -Uri https://graph.microsoft.com/v1.0/applications/<Object-id> -Body $body1 -ContentType application/json -Headers @{Authorization = $AuthHeader }

After running the command, you could use GET method to check the result.

Invoke-RestMethod -method GET -Uri https://graph.microsoft.com/v1.0/applications/<Object-id> -ContentType application/json -Headers @{Authorization = $AuthHeader }


Update:

If you use this as the body, it will also work.

$patchBody = '{
  "displayName" : "dev2"
}'

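The diagnostic a practitioner wants before blaming the PATCH call is whether the client-credentials token actually carries the consented Graph app role. The following is an added example, not code from the question or answer: it requests the token, decodes the JWT payload locally to check the `aud` and `roles` claims, and only then sends the PATCH. `$tenantId`, `$clientId`, `$clientSecret` and `$appObjectId` are assumed to be set by the caller.

```powershell
# Added example (not from the question or answer). Assumes $tenantId, $clientId,
# $clientSecret and $appObjectId (the application's ObjectId) are already set.
function Get-GraphAppToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    $uri  = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $body = @{ grant_type = 'client_credentials'; client_id = $ClientId;
               client_secret = $ClientSecret; scope = 'https://graph.microsoft.com/.default' }
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

# Decode the JWT payload (second dot-separated segment) without verifying the signature.
# This is only a local diagnostic; Graph still validates the token server-side.
function Get-JwtPayload {
    param([string]$Token)
    $segment = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment)) | ConvertFrom-Json
}

# Fail early if the token is not for Microsoft Graph or lacks the required app role,
# which is exactly the situation that produces Authorization_RequestDenied on PATCH.
function Test-GraphAppRole {
    param([string]$Token, [string]$RequiredRole = 'Application.ReadWrite.All')
    $claims = Get-JwtPayload -Token $Token
    $graphAud = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
    if ($graphAud -notcontains $claims.aud) {
        throw "Token audience is '$($claims.aud)', not Microsoft Graph (wrong scope or wrong API)."
    }
    if (-not ($claims.roles -contains $RequiredRole)) {
        throw "Token lacks role '$RequiredRole'; grant the Microsoft Graph application permission and admin consent. Roles present: $($claims.roles -join ', ')"
    }
    $claims
}

$accessToken = Get-GraphAppToken -TenantId $tenantId -ClientId $clientId -ClientSecret $clientSecret
$null = Test-GraphAppRole -Token $accessToken
$headers = @{ Authorization = "Bearer $accessToken" }

# The PATCH body is a JSON string (from a literal or Get-Content -Raw), not the token-request hashtable.
$patchBody = '{ "displayName": "dev2" }'
Invoke-RestMethod -Method PATCH -Uri "https://graph.microsoft.com/v1.0/applications/$appObjectId" `
    -Body $patchBody -ContentType 'application/json' -Headers $headers

# Read the application back to confirm the change was applied.
(Invoke-RestMethod -Method GET -Uri "https://graph.microsoft.com/v1.0/applications/$appObjectId" -Headers $headers).displayName
```

If Test-GraphAppRole throws, the fix is on the consent side (Graph permission plus admin consent), not in the request.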