Azure AD How To Create OAuth2PermissionGrant using Graph API (“Grant Permissions” and consent for application)

In this video, I walk through the process of creating Azure Active Directory objects such as Applications, Service Principals, and OAuth2 Permission Grants using the “Grant Permissions” button in the Azure Portal and via the Azure AD Graph API (graph.windows.net) using Postman to see the low-level REST calls.

NOTE: For new development it is recommended to use Microsoft Graph (graph.microsoft.com) instead of the Azure AD Graph API (graph.windows.net) to access Azure Active Directory resources, since no further enhancements are planned for the Azure AD Graph API. However, in this walkthrough I am specifically covering the Azure AD Graph API approach, since as of today (July 2017) it is the endpoint used by most of the Azure Resource Management SDKs. For more info see the Microsoft Graph or the Azure AD Graph blog post.


Video Walkthrough

Tip: Play the video full screen.

For more details see OAuth2PermissionGrant Entity reference and Vittorio Bertocci’s Azure Active Directory Application Model book free chapter.

You will also find the following curl snippets useful to supplement the video. They are the requests exported from Postman: the bearer token placeholder must be replaced with an access token issued for graph.windows.net, and the object IDs and appIds shown are the ones from the demo tenant in the video.

# 1. Create the Application object. $ACCESS_TOKEN is a placeholder for a token
#    issued for graph.windows.net (the raw Postman export showed "Bearer undefined"
#    because the token variable was not set). The requiredResourceAccess entries
#    request the User.Read scope of Azure AD (appId 00000002-...) and the
#    user_impersonation scope of Azure Data Lake (e9f49c6b-...) and Azure
#    Service Management / ARM (797f4846-...).
curl -X POST \
  'https://graph.windows.net/myorganization/applications?api-version=1.6' \
  -H "authorization: Bearer $ACCESS_TOKEN" \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{
    "odata.type": "Microsoft.DirectoryServices.Application",
    "objectType": "Application",
    "availableToOtherTenants": false,
    "displayName": "my-native2",
    "publicClient": true,
    "replyUrls": [
      "http://localhost/"
    ],
    "requiredResourceAccess": [
      {
        "resourceAppId": "00000002-0000-0000-c000-000000000000",
        "resourceAccess": [
          {
            "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
            "type": "Scope"
          }
        ]
      },
      {
        "resourceAppId": "e9f49c6b-5ce5-44c8-925d-015017e9f7ad",
        "resourceAccess": [
          {
            "id": "9f15d22d-3cdf-430f-ba48-f75401c0408e",
            "type": "Scope"
          }
        ]
      },
      {
        "resourceAppId": "797f4846-ba00-4fd7-ba43-dac1f8f63013",
        "resourceAccess": [
          {
            "id": "41094075-9dad-400e-a0bd-54e686782033",
            "type": "Scope"
          }
        ]
      }
    ]
  }'

# 2. Create the Service Principal for the application in this tenant.
#    "appId" is the appId returned by the POST in step 1 (demo tenant value shown).
curl -X POST \
  'https://graph.windows.net/myorganization/servicePrincipals?api-version=1.6' \
  -H "authorization: Bearer $ACCESS_TOKEN" \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{
    "odata.type": "Microsoft.DirectoryServices.ServicePrincipal",
    "objectType": "ServicePrincipal",
    "appId": "77f88b0d-50d3-4d2a-aff3-0b589bf98b4a",
    "displayName": "my-native2",
    "servicePrincipalNames": [
      "77f88b0d-50d3-4d2a-aff3-0b589bf98b4a"
    ],
    "servicePrincipalType": "Application",
    "tags": [
      "WindowsAzureActiveDirectoryIntegratedApp"
    ]
  }'

# 3. Look up the service principal of the resource (here Azure AD) by appId.
#    Its objectId is the "resourceId" used in the grant below.
curl -X GET \
  'https://graph.windows.net/myorganization/servicePrincipals?api-version=1.6&%24filter=appId%20eq%20'\''00000002-0000-0000-c000-000000000000'\''' \
  -H "authorization: Bearer $ACCESS_TOKEN" \
  -H 'cache-control: no-cache'

# 4. List the grants that already exist for the client service principal
#    (filter on clientId = objectId of the service principal from step 2),
#    so a new scope can be merged into an existing grant instead of posting a duplicate.
curl -X GET \
  'https://graph.windows.net/myorganization/oauth2PermissionGrants?api-version=1.6&%24filter=clientId%20eq%20'\''dea63acd-f50a-48b2-902b-332e68a4a430'\''' \
  -H "authorization: Bearer $ACCESS_TOKEN" \
  -H 'cache-control: no-cache'

# 5. Create the OAuth2PermissionGrant. clientId and resourceId are service principal
#    *object* IDs (not appIds); consentType "AllPrincipals" with a null principalId
#    is an admin consent on behalf of every user in the tenant.
curl -X POST \
  'https://graph.windows.net/myorganization/oauth2PermissionGrants?api-version=1.6' \
  -H "authorization: Bearer $ACCESS_TOKEN" \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{
    "odata.type": "Microsoft.DirectoryServices.OAuth2PermissionGrant",
    "clientId": "3c1b3a48-9997-4a51-b677-d900ca890574",
    "consentType": "AllPrincipals",
    "principalId": null,
    "resourceId": "370582c4-911d-454c-9b55-b53599919e38",
    "scope": "user_impersonation",
    "startTime": "0001-01-01T00:00:00",
    "expiryTime": "9000-01-01T00:00:00"
  }'

OAuth2PermissionGrant entity reference: https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/entity-and-complex-type-reference#oauth2permissiongrant-entity

The three grant bodies below correspond to the three resources in the application's requiredResourceAccess. In each one, clientId is the object ID of your application's service principal and resourceId is the object ID of the service principal that represents the resource application in your tenant (found with the servicePrincipals $filter on appId shown above).

Azure AD (Windows Azure Active Directory, appId 00000002-0000-0000-c000-000000000000)
{
"odata.type": "Microsoft.DirectoryServices.OAuth2PermissionGrant",
"clientId": "YOUR APPLICATION'S SERVICE PRINCIPAL OBJECT ID",
"consentType": "AllPrincipals",
"principalId": null,
"resourceId": "OBJECT ID OF THE SERVICE PRINCIPAL REPRESENTING AZURE AD APPLICATION IN YOUR TENANT",
"scope": "User.Read",
"startTime": "0001-01-01T00:00:00",
"expiryTime": "9000-01-01T00:00:00"
}

ADLS (Azure Data Lake, appId e9f49c6b-5ce5-44c8-925d-015017e9f7ad)
{
"odata.type": "Microsoft.DirectoryServices.OAuth2PermissionGrant",
"clientId": "YOUR APPLICATION'S SERVICE PRINCIPAL OBJECT ID",
"consentType": "AllPrincipals",
"principalId": null,
"resourceId": "OBJECT ID OF THE SERVICE PRINCIPAL REPRESENTING ADLS MANAGEMENT APPLICATION IN YOUR TENANT",
"scope": "user_impersonation",
"startTime": "0001-01-01T00:00:00",
"expiryTime": "9000-01-01T00:00:00"
}

ARM (Windows Azure Service Management API, appId 797f4846-ba00-4fd7-ba43-dac1f8f63013)
{
"odata.type": "Microsoft.DirectoryServices.OAuth2PermissionGrant",
"clientId": "YOUR APPLICATION'S SERVICE PRINCIPAL OBJECT ID",
"consentType": "AllPrincipals",
"principalId": null,
"resourceId": "OBJECT ID OF THE SERVICE PRINCIPAL REPRESENTING AZURE RESOURCE MANAGEMENT APPLICATION IN YOUR TENANT",
"scope": "user_impersonation",
"startTime": "0001-01-01T00:00:00",
"expiryTime": "9000-01-01T00:00:00"
}
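The following is an added example, not code from the original post or from Microsoft: it reproduces the walkthrough's sequence (find the resource service principal by appId, list the client's existing grants, then create or extend an OAuth2PermissionGrant with the body shown above) as an idempotent Python helper. The HTTP transport is injected, and the `FakeDirectory` class is a constructed in-memory stand-in for a tenant so that the logic runs offline; `ensure_grant`, `build_grant_body` and `graph_url` are names chosen here, not Azure AD Graph API names. Because every grant it writes is an AllPrincipals (tenant-wide admin) consent, it merges a new scope into an existing grant for the same client/resource pair instead of posting a second one, which is also the place to review which scopes are actually being consented to.

```python
import re
from urllib.parse import parse_qs, quote, urlparse

GRAPH = "https://graph.windows.net/myorganization"
API_VERSION = "1.6"
# Well-known resource appIds from the post's requiredResourceAccess.
AZURE_AD_APP_ID = "00000002-0000-0000-c000-000000000000"
ADLS_APP_ID = "e9f49c6b-5ce5-44c8-925d-015017e9f7ad"
ARM_APP_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"


def graph_url(collection, odata_filter=None):
    """Build a graph.windows.net collection URL, URL-encoding the OData $filter."""
    url = f"{GRAPH}/{collection}?api-version={API_VERSION}"
    if odata_filter:
        url += "&$filter=" + quote(odata_filter, safe="")
    return url


def build_grant_body(client_sp_object_id, resource_sp_object_id, scope):
    """The OAuth2PermissionGrant payload from the post. Both ids are service
    principal *object* ids (not appIds). consentType AllPrincipals with a null
    principalId is an admin consent that applies to every user in the tenant."""
    return {
        "odata.type": "Microsoft.DirectoryServices.OAuth2PermissionGrant",
        "clientId": client_sp_object_id,
        "consentType": "AllPrincipals",
        "principalId": None,
        "resourceId": resource_sp_object_id,
        "scope": scope,
        "startTime": "0001-01-01T00:00:00",
        "expiryTime": "9000-01-01T00:00:00",
    }


def ensure_grant(request, client_sp_object_id, resource_app_id, scope):
    """Steps 3-5 of the walkthrough. `request(method, url, body)` is an injected
    transport returning the parsed JSON response as a dict. Returns a tuple
    (action, grant objectId, resulting scope string)."""
    sps = request("GET", graph_url("servicePrincipals", f"appId eq '{resource_app_id}'"), None)
    if not sps.get("value"):
        raise LookupError(f"no service principal for appId {resource_app_id} in this tenant")
    resource_sp_object_id = sps["value"][0]["objectId"]

    grants = request("GET", graph_url("oauth2PermissionGrants", f"clientId eq '{client_sp_object_id}'"), None)
    for grant in grants.get("value", []):
        if grant["resourceId"] != resource_sp_object_id or grant["consentType"] != "AllPrincipals":
            continue
        have = set(grant["scope"].split())  # scope is a space-separated list
        if scope in have:
            return ("unchanged", grant["objectId"], grant["scope"])
        merged = " ".join(sorted(have | {scope}))
        request("PATCH", f"{GRAPH}/oauth2PermissionGrants/{grant['objectId']}?api-version={API_VERSION}",
                {"scope": merged})
        return ("patched", grant["objectId"], merged)

    body = build_grant_body(client_sp_object_id, resource_sp_object_id, scope)
    created = request("POST", graph_url("oauth2PermissionGrants"), body)
    return ("created", created["objectId"], scope)


class FakeDirectory:
    """Constructed in-memory tenant: just enough of the Graph surface (GET with
    a `field eq 'value'` $filter, POST, PATCH) for ensure_grant to run offline."""

    def __init__(self, service_principals):
        self.sps = list(service_principals)
        self.grants = []
        self.log = []  # every (method, url, body) the helper issued

    def __call__(self, method, url, body):
        self.log.append((method, url, body))
        parts = urlparse(url)
        if method == "GET":
            m = re.match(r"(\w+) eq '([^']+)'", parse_qs(parts.query)["$filter"][0])
            field, value = m.group(1), m.group(2)
            rows = self.sps if parts.path.endswith("/servicePrincipals") else self.grants
            return {"value": [r for r in rows if r.get(field) == value]}
        if method == "POST" and parts.path.endswith("/oauth2PermissionGrants"):
            grant = dict(body, objectId=f"grant-{len(self.grants) + 1}")
            self.grants.append(grant)
            return grant
        if method == "PATCH":
            object_id = parts.path.rsplit("/", 1)[1]
            for g in self.grants:
                if g["objectId"] == object_id:
                    g.update(body)
                    return {}
        raise ValueError(f"unexpected call {method} {url}")


if __name__ == "__main__":
    tenant = FakeDirectory([{"objectId": "sp-aad", "appId": AZURE_AD_APP_ID},
                            {"objectId": "sp-arm", "appId": ARM_APP_ID}])
    print(ensure_grant(tenant, "sp-client", AZURE_AD_APP_ID, "User.Read"))
    print(ensure_grant(tenant, "sp-client", ARM_APP_ID, "user_impersonation"))
```

To run it against a real tenant, pass a `request` function that adds the `authorization: Bearer ...` header and performs the call with an HTTP client of your choice; the fake is only there so the merge and lookup behaviour can be exercised without credentials.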

Thank you for watching and reading!

Please leave feedback and questions below or on Twitter https://twitter.com/ArsenVlad

Originally published at blogs.msdn.microsoft.com on July 30, 2017.

Written by: Principal Engineer / Architect, FastTrack for Azure at Microsoft
