0
votes

I want to delete an Azure AD B2C user from the Azure AD B2C portal; I am using the Graph API for this purpose. So I manually registered an application in the Azure AD B2C portal and set permissions for the application (see the screenshot below),

and it is working fine. Then I tried to automate the app registration through the Graph API and set the permissions, and the app permissions then look like the screenshot below: the type "Application" is changed to "Delegated". And I can't delete the user through the Graph API due to insufficient permissions. BELOW IS MY CODE to grant the permission (PowerShell).

STEPS

  1. Created an application manually and added some permissions (Application.ReadWrite.All, Application.ReadWrite.OwnedBy, Directory.ReadWrite.All, Policy.ReadWrite.TrustFramework, TrustFrameworkKeySet.Read.All, TrustFrameworkKeySet.ReadWrite.All, User.Read.All).
  2. Then I wrote the script below using the client id and client secret of the application created above (for calling the Graph API):
$tenantid  = 'xxxxxxxxxxxxxxxx'
$appid     = 'xxxxxxxxxxxxxxxxxxxx'
$appsecret = 'xxxxxxxxxxxxxxxx'
$Uri = 'https://login.microsoftonline.com/' + $tenantid + '/oauth2/v2.0/token'

# Client-credentials token request; the token endpoint expects a form-urlencoded body
$Form = @{
    client_id     = $appid
    scope         = 'https://graph.microsoft.com/.default'
    client_secret = $appsecret
    grant_type    = 'client_credentials'
}
$Result = Invoke-RestMethod -Uri $Uri -Method Post -Body $Form -ContentType 'application/x-www-form-urlencoded'
$access_token = $Result.access_token

# Create the application object (the body was never defined in the original script)
$url = 'https://graph.microsoft.com/v1.0/applications'
$headers = @{ Authorization = "Bearer $access_token" }
$method = 'Post'
$bodyjsonstring = '{ "displayName": "userapp" }'
$json = $bodyjsonstring | ConvertFrom-Json | ConvertTo-Json -Depth 10
$response = Invoke-RestMethod -Uri $url -Body $json -Method $method -Headers $headers -ContentType 'application/json'
  3. Then set a service principal for the app:
$appId = $response.appId
$urlforappsp = 'https://graph.microsoft.com/v1.0/servicePrincipals'
# Body for the service principal; the original had a trailing comma, which is invalid JSON
$dataforsp = '{ "appId": "' + $appId + '" }'
$headers = @{ Authorization = "Bearer $access_token" }
$method = 'Post'
# Use the service principal body here, not the application body ($bodyjsonstring)
$json = $dataforsp | ConvertFrom-Json | ConvertTo-Json -Depth 10
# Write-Host $json
$responsesp = Invoke-RestMethod -Uri $urlforappsp -Body $json -Method $method -Headers $headers -ContentType 'application/json'

  4. Then I call the link.

The response is:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#applications/$entity",
    "id": "xxxxxxxxx",
    "deletedDateTime": null,
    "appId": "xxxxxxxx",
    "applicationTemplateId": null,
    "createdDateTime": "2020-12-14T18:23:26Z",
    "displayName": "userapp",
    "description": null,
    "groupMembershipClaims": null,
    "identifierUris": [],
    "isDeviceOnlyAuthSupported": null,
    "isFallbackPublicClient": null,
    "notes": null,
    "optionalClaims": null,
    "publisherDomain": "xxxxxxxxxxxx",
    "signInAudience": "AzureADMyOrg",
    "tags": [],
    "tokenEncryptionKeyId": null,
    "verifiedPublisher": {
        "displayName": null,
        "verifiedPublisherId": null,
        "addedDateTime": null
    },
    "spa": {
        "redirectUris": []
    },
    "defaultRedirectUri": null,
    "addIns": [],
    "api": {
        "acceptMappedClaims": null,
        "knownClientApplications": [],
        "requestedAccessTokenVersion": null,
        "oauth2PermissionScopes": [],
        "preAuthorizedApplications": []
    },
    "appRoles": [],
    "info": {
        "logoUrl": null,
        "marketingUrl": null,
        "privacyStatementUrl": null,
        "supportUrl": null,
        "termsOfServiceUrl": null
    },
    "keyCredentials": [],
    "parentalControlSettings": {
        "countriesBlockedForMinors": [],
        "legalAgeGroupRule": "Allow"
    },
    "passwordCredentials": [],
    "publicClient": {
        "redirectUris": []
    },
    "requiredResourceAccess": [],
    "web": {
        xxxxx
        }
    }
}
requiredResourceAccess and appRoles are empty. Then how do I call "/appRoleAssignedTo"?

Comments:

Sruthi J: Can you please provide the correlation id and timestamp of the error message?

Alex AIT: Does this answer your question? Add or Delete an app's API permissions (requiredResourceAccess) via Microsoft Graph. Be aware that granting consent is a separate API call.

june alex: @AlexAIT How do I change the type from delegated to application through your answer? I didn't see any way.

june alex: @SruthiJ-MSFT
Identity Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
Inner error:
 AdditionalData:
 date: 2020-12-11T05:11:00

Carl Zhao: Do you want to use the MS Graph API to modify your permission type?

1 Answer

1
votes

I tried to call the Update application Graph API to modify the permission type by changing the requiredResourceAccess attribute set. Although it succeeded, and it did change the permission type to application permission in the Azure portal, it also changed the permission name to the id, so I do not recommend using this method.

At the same time, I found that you are calling the https://graph.microsoft.com/v1.0/oauth2PermissionGrants API when automating permissions. This API is usually used to assign delegated permissions, so if you are assigning application permissions, don't use it.

The easiest way is to call the appRoleAssignment Graph API, which will directly assign application permissions to your application.

You can refer to this answer to understand the meaning of identifiers.


Update:

Navigate to your AD App in the portal -> Manifest -> requiredResourceAccess, get the resourceAppId and id, and note the id down as appRoleId.

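An added example, not code from the question or the answer, showing the appRoleAssignment flow the answer recommends as one PowerShell script. It assumes the variables from the question's script exist ($access_token, the application object in $response, its service principal in $responsesp), resolves the appRoleId by permission value from Microsoft Graph's service principal instead of reading it off the manifest, and declares the permission on the application with type "Role" (application) rather than "Scope" (delegated), which is the field that decides what the portal displays.

```powershell
# Added example: grant an application permission (appRole) from Microsoft Graph to the
# app's service principal. Assumes $access_token, $response (application object) and
# $responsesp (its service principal) from the question's script.
$headers = @{ Authorization = "Bearer $access_token" }
$graph   = 'https://graph.microsoft.com/v1.0'

# 1. Resolve the resource's service principal in this tenant.
#    00000003-0000-0000-c000-000000000000 is Microsoft Graph's well-known appId.
$graphAppId = '00000003-0000-0000-c000-000000000000'
$resourceSp = (Invoke-RestMethod -Uri "$graph/servicePrincipals?`$filter=appId eq '$graphAppId'" `
                -Headers $headers -Method Get).value[0]

# 2. Look up the appRole by its value. Application permissions live in appRoles;
#    delegated ones live in oauth2PermissionScopes, so picking an id from the wrong
#    collection is what produces a "Delegated" entry in the portal.
$permission = 'Directory.ReadWrite.All'   # one of the permissions listed in the question
$appRole = $resourceSp.appRoles |
    Where-Object { $_.value -eq $permission -and $_.allowedMemberTypes -contains 'Application' }
if (-not $appRole) { throw "appRole '$permission' not found on $($resourceSp.displayName)" }

# 3. (Optional, display only) declare it on the application as type "Role", not "Scope",
#    so the portal lists it under "Application" permissions. This grants nothing by itself.
$patch = @{
    requiredResourceAccess = @(
        @{ resourceAppId  = $graphAppId
           resourceAccess = @(@{ id = $appRole.id; type = 'Role' }) }
    )
} | ConvertTo-Json -Depth 10
Invoke-RestMethod -Uri "$graph/applications/$($response.id)" -Method Patch `
    -Headers $headers -Body $patch -ContentType 'application/json'

# 4. The actual grant (admin consent): an appRoleAssignment on the app's own service principal.
$assignment = @{
    principalId = $responsesp.id   # the app's service principal (created in the question's step 3)
    resourceId  = $resourceSp.id   # Microsoft Graph's service principal in this tenant
    appRoleId   = $appRole.id
} | ConvertTo-Json
Invoke-RestMethod -Uri "$graph/servicePrincipals/$($responsesp.id)/appRoleAssignments" -Method Post `
    -Headers $headers -Body $assignment -ContentType 'application/json'

# 5. Verify what the service principal actually holds before retrying the user deletion.
(Invoke-RestMethod -Uri "$graph/servicePrincipals/$($responsesp.id)/appRoleAssignments" `
    -Headers $headers -Method Get).value | Select-Object resourceDisplayName, appRoleId
```

The token used for these calls must itself carry an application permission such as AppRoleAssignment.ReadWrite.All or Application.ReadWrite.All; the assignment in step 4 is what removes the "Insufficient privileges" error for the new app, and step 5 is the check to run after it.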