Azure AD How To Create OAuth2PermissionGrant using Graph API ("Grant Permissions" and consent for application)


In this video, I walk through the process of creating Azure Active Directory objects such as Applications, Service Principals, and OAuth2 Permission Grants using the "Grant Permissions" button in the Azure Portal and via the Azure AD Graph API (graph.windows.net) using Postman to see the low-level REST calls.

NOTE: For new development it is recommended to use Microsoft Graph (graph.microsoft.com) instead of Azure AD Graph API (graph.windows.net) to access Azure Active Directory resources since no further enhancements are planned for Azure AD Graph API. However, in this walkthrough, I am specially covering the Azure AD Graph API approach since as of today (July 2017) it is the endpoint that is used by most of Azure Resource Management SDKs. For more info see the Microsoft Graph or the Azure AD Graph blog post.

image

Video Walkthrough

Tip: Play the video full screen.



For more details see OAuth2PermissionGrant Entity reference and Vittorio Bertocci's Azure Active Directory Application Model book free chapter.

You will also find the following CURL code snippets useful to supplement the video.

Create Native App

curl -X POST \
  'https://graph.windows.net/myorganization/applications?api-version=1.6' \
  -H 'authorization: Bearer undefined' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{
  "odata.type": "Microsoft.DirectoryServices.Application",
  "objectType": "Application",
  "availableToOtherTenants": false,
  "displayName": "my-native2",
  "publicClient": true,
  "replyUrls": [
    "http://localhost/"
  ],
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
          "type": "Scope"
        }
      ]
    },
    {
      "resourceAppId": "e9f49c6b-5ce5-44c8-925d-015017e9f7ad",
      "resourceAccess": [
        {
          "id": "9f15d22d-3cdf-430f-ba48-f75401c0408e",
          "type": "Scope"
        }
      ]
    },
    {
      "resourceAppId": "797f4846-ba00-4fd7-ba43-dac1f8f63013",
      "resourceAccess": [
        {
          "id": "41094075-9dad-400e-a0bd-54e686782033",
          "type": "Scope"
        }
      ]
    }
  ]
}
'

Create Service Principal

curl -X POST \
  'https://graph.windows.net/myorganization/servicePrincipals?api-version=1.6' \
  -H 'authorization: Bearer undefined' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{
    "odata.type": "Microsoft.DirectoryServices.ServicePrincipal",
    "objectType": "ServicePrincipal",
    "appId": "77f88b0d-50d3-4d2a-aff3-0b589bf98b4a",
    "displayName": "my-native2",
    "servicePrincipalNames": [
        "77f88b0d-50d3-4d2a-aff3-0b589bf98b4a"
    ],
    "servicePrincipalType": "Application",
    "tags": [
        "WindowsAzureActiveDirectoryIntegratedApp"
    ]
}'

Get Service Principals

curl -X GET \
  'https://graph.windows.net/myorganization/servicePrincipals?api-version=1.6&%24filter=appId%20eq%20'\''00000002-0000-0000-c000-000000000000'\''' \
  -H 'authorization: Bearer undefined' \
  -H 'cache-control: no-cache'

Get OAuth2PermissionGrants

curl -X GET \
  'https://graph.windows.net/myorganization/oauth2PermissionGrants?api-version=1.6&%24filter=clientId%20eq%20'\''dea63acd-f50a-48b2-902b-332e68a4a430'\''' \
  -H 'authorization: Bearer undefined' \
  -H 'cache-control: no-cache' 

Create OAuth2PermissionGrant

curl -X POST \
  'https://graph.windows.net/myorganization/oauth2PermissionGrants?api-version=1.6' \
  -H 'authorization: Bearer undefined' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{
    "odata.type": "Microsoft.DirectoryServices.OAuth2PermissionGrant",
    "clientId": "3c1b3a48-9997-4a51-b677-d900ca890574",
    "consentType": "AllPrincipals",
    "principalId": null,
    "resourceId": "370582c4-911d-454c-9b55-b53599919e38",
    "scope": "user_impersonation",
    "startTime": "0001-01-01T00:00:00",
    "expiryTime": "9000-01-01T00:00:00"
}'

OAuth2PermissionGrant Entity Reference

https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/entity-and-complex-type-reference#oauth2permissiongrant-entity

Azure AD
{
    "odata.type": "Microsoft.DirectoryServices.OAuth2PermissionGrant",
    "clientId": "YOUR APPLICATIONS’S SERVICE PRINCIPAL OBJECT ID",
    "consentType": "AllPrincipals",
    "principalId": null,
    "resourceId": "OBJECT ID OF THE SERVICE PRINCIPAL REPRESENTING AZURE AD APPLICATION IN YOUR TENANT",
    "scope": "User.Read",
    "startTime": "0001-01-01T00:00:00",
    "expiryTime": "9000-01-01T00:00:00"
}
 
ADLS
{
    "odata.type": "Microsoft.DirectoryServices.OAuth2PermissionGrant",
    "clientId": "YOUR APPLICATIONS’S SERVICE PRINCIPAL OBJECT ID",
    "consentType": "AllPrincipals",
    "principalId": null,
    "resourceId": " OBJECT ID OF THE SERVICE PRINCIPAL REPRESENTING ADLS MANAGEMENT APPLICATION IN YOUR TENANT ",
    "scope": "user_impersonation",
    "startTime": "0001-01-01T00:00:00",
    "expiryTime": "9000-01-01T00:00:00"
}
 
ARM
{
    "odata.type": "Microsoft.DirectoryServices.OAuth2PermissionGrant",
    "clientId": " YOUR APPLICATIONS’S SERVICE PRINCIPAL OBJECT ID ",
    "consentType": "AllPrincipals",
    "principalId": null,
    "resourceId": " OBJECT ID OF THE SERVICE PRINCIPAL REPRESENTING AZURE RESOURCE MANAGEMENT APPLICATION IN YOUR TENANT ",
    "scope": "user_impersonation",
    "startTime": "0001-01-01T00:00:00",
    "expiryTime": "9000-01-01T00:00:00"
}

Thank you for watching and reading!

Please leave feedback and questions below or on Twitter https://twitter.com/ArsenVlad

Comments (0)

Skip to main content