1
votes

Further to: API Permission Issue while Azure App Registration

and Why is "Application permissions" disabled in Azure AD's "Request API permissions"?

I cannot activate the Application Permissions button in the API permissions when I am trying to register an application in Active Directory. I have created the roles (several times) and ensured all of the properties are correct as described in both posts and in https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-registration, including that the role is set for application. I am using the default directory of my Azure account. I am the only member in my directory and am a member of global administrators.

Is there something else I am missing?

My end goal is simply to use the .Net SDK to manage the firewall on an application service using a client secret that can be distributed with an application.


Here is the manifest


2
This is a cloud provider 101 thing so many people need to do, but it's not obvious how to do it. A huge 0/10 for the UX team at azure.A.com

2 Answers

1
votes

Okay, so you want an app registration to manage an App Service through Azure Resource Management API as itself with client credentials flow? In that case you don't need to assign any application permissions to your app. You need to create the app, and then go to e.g. the App Service resource's Access Control (IAM) tab, and add the needed role to your app there.

The reason that the app permissions tab there is grey is because the Azure Service Management app registration (which you can't edit) does not define any app permissions. When you define an app permission in the manifest, that becomes a permission that other applications could use to call your API, not Azure Resource Management API.

1
votes

Is there something else I am missing?

The reason Application Permissions is greyed out for you is because the Azure Service Management API only allows Delegated Permissions, i.e. this API will always be executed in the context of the signed-in user. In other words, a user (even if it is a Service Principal) must always be present when executing this API.

You mentioned that you wanted to execute Service Management API using a client secret. For that there are two things you would need to do:

  1. As mentioned by @junnas, you will need to assign your application (which is a Service Principal) a proper Azure RBAC role on an Azure Subscription. Please see this link for more details: https://docs.microsoft.com/en-us/azure/role-based-access-control/overview.

  2. You will need to acquire a token for this Service Principal using the client id and client secret. You can use ClientSecretCredential for that purpose.
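The two steps above, together with the point made in the first answer that authorization comes from an Azure RBAC assignment rather than from application permissions, can be seen end to end in the following added example. It is not code from either answer or from the Azure SDK: it shows, with only the standard library, the client credentials request that ClientSecretCredential sends to the v2.0 token endpoint for the Azure Resource Manager scope, how to inspect the resulting token to confirm it is app-only (no `scp` claim and, because ARM defines no app permissions, no `roles` claim either), and how an RBAC assignment at subscription or resource group scope covers an App Service beneath it. The token endpoint and the `https://management.azure.com/.default` scope are real; the tenant, client, principal ids, resource ids, role assignments and the sample JWT are constructed.

```python
import base64
import json
from urllib.parse import urlencode

# Real values: the Microsoft identity platform v2.0 token endpoint and the
# ARM scope. Everything else in this file is constructed sample data.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
ARM_SCOPE = "https://management.azure.com/.default"

# Built-in roles that may change an App Service's configuration (which is
# where its access restrictions live). Reader is deliberately absent.
WRITE_ROLES = {"Owner", "Contributor", "Website Contributor"}


def build_client_credentials_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the client credentials grant against ARM.

    This is what ClientSecretCredential posts on your behalf. Note that no
    application permission is requested: the scope is ARM's '.default', and
    ARM exposes no application permissions to pick from.
    """
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": ARM_SCOPE,
    })
    return TOKEN_ENDPOINT.format(tenant_id=tenant_id), body


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims):
    """Build an UNSIGNED, constructed JWT so the example runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    Fine for looking at a token you just received from the token endpoint;
    a resource server must verify the signature before trusting any claim.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_app_only_token(claims):
    """App-only tokens carry no 'scp' claim; a user's delegated token does."""
    return "scp" not in claims


def has_rbac_access(assignments, principal_id, resource_id, allowed_roles):
    """Azure RBAC decides whether the call succeeds.

    An assignment applies to its scope and every resource beneath it, so a
    role granted on the subscription or resource group also covers the
    App Service inside it (the first answer's "Access Control (IAM)" step).
    """
    resource_id = resource_id.lower()
    for a in assignments:
        scope = a["scope"].lower().rstrip("/")
        covers = resource_id == scope or resource_id.startswith(scope + "/")
        if a["principalId"] == principal_id and a["role"] in allowed_roles and covers:
            return True
    return False


# Constructed sample tenant: one App Service, two service principals.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
APP_SERVICE = SUBSCRIPTION + "/resourceGroups/rg-demo/providers/Microsoft.Web/sites/demo-site"
OTHER_SITE = SUBSCRIPTION + "/resourceGroups/rg-other/providers/Microsoft.Web/sites/other-site"
SAMPLE_ASSIGNMENTS = [
    {"principalId": "sp-1111", "role": "Website Contributor",
     "scope": SUBSCRIPTION + "/resourceGroups/rg-demo"},
    {"principalId": "sp-2222", "role": "Reader", "scope": SUBSCRIPTION},
]


def sample_app_only_claims():
    """Claims of a constructed app-only ARM token: appid/oid, no scp, no roles."""
    token = make_sample_token({"aud": "https://management.azure.com/",
                               "appid": "11111111-2222-3333-4444-555555555555",
                               "oid": "sp-1111", "idtyp": "app"})
    return decode_jwt_claims(token)


if __name__ == "__main__":
    url, body = build_client_credentials_request("contoso-tenant", "client-id", "client-secret")
    print(url, body, sep="\n")
    claims = sample_app_only_claims()
    print("app-only:", is_app_only_token(claims), "roles claim:", "roles" in claims)
    print("sp-1111 may edit demo-site:",
          has_rbac_access(SAMPLE_ASSIGNMENTS, "sp-1111", APP_SERVICE, WRITE_ROLES))
    print("sp-2222 may edit demo-site:",
          has_rbac_access(SAMPLE_ASSIGNMENTS, "sp-2222", APP_SERVICE, WRITE_ROLES))
```

In practice you would let `ClientSecretCredential` perform the token request and hand the credential to the Azure SDK client; the point of `has_rbac_access` is that the role assignment, not anything in the app registration's manifest, is what makes the firewall change succeed or fail.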