Azure AD How To Create OAuth2PermissionGrant using Graph API (“Grant Permissions” and consent for application)
In this video, I walk through the process of creating Azure Active Directory objects such as Applications, Service Principals, and OAuth2 Permission Grants using the “Grant Permissions” button in the Azure Portal and via the Azure AD Graph API (graph.windows.net) using Postman to see the low-level REST calls.
NOTE: For new development it is recommended to use Microsoft Graph (graph.microsoft.com) instead of the Azure AD Graph API (graph.windows.net) to access Azure Active Directory resources, since no further enhancements are planned for the Azure AD Graph API. However, in this walkthrough I specifically cover the Azure AD Graph API approach because, as of today (July 2017), it is the endpoint used by most of the Azure Resource Management SDKs. For more info see the Microsoft Graph or the Azure AD Graph blog post.
Video Walkthrough
Tip: Play the video full screen.
For more details see OAuth2PermissionGrant Entity reference and Vittorio Bertocci’s Azure Active Directory Application Model book free chapter.
You will also find the following curl snippets useful to supplement the video. The Postman export shows "Bearer undefined" where the token goes; in the snippets below that is replaced by the shell variable ACCESS_TOKEN, which should hold a bearer token issued for the https://graph.windows.net/ resource.
Create Native App
# ACCESS_TOKEN: bearer token for the graph.windows.net resource (placeholder)
curl -X POST \
  'https://graph.windows.net/myorganization/applications?api-version=1.6' \
  -H "authorization: Bearer $ACCESS_TOKEN" \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{
    "odata.type": "Microsoft.DirectoryServices.Application",
    "objectType": "Application",
    "availableToOtherTenants": false,
    "displayName": "my-native2",
    "publicClient": true,
    "replyUrls": [
      "http://localhost/"
    ],
    "requiredResourceAccess": [
      {
        "resourceAppId": "00000002-0000-0000-c000-000000000000",
        "resourceAccess": [
          { "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6", "type": "Scope" }
        ]
      },
      {
        "resourceAppId": "e9f49c6b-5ce5-44c8-925d-015017e9f7ad",
        "resourceAccess": [
          { "id": "9f15d22d-3cdf-430f-ba48-f75401c0408e", "type": "Scope" }
        ]
      },
      {
        "resourceAppId": "797f4846-ba00-4fd7-ba43-dac1f8f63013",
        "resourceAccess": [
          { "id": "41094075-9dad-400e-a0bd-54e686782033", "type": "Scope" }
        ]
      }
    ]
  }'
Create Service Principal
# appId and servicePrincipalNames carry the appId returned by the Create Native App call
curl -X POST \
  'https://graph.windows.net/myorganization/servicePrincipals?api-version=1.6' \
  -H "authorization: Bearer $ACCESS_TOKEN" \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{
    "odata.type": "Microsoft.DirectoryServices.ServicePrincipal",
    "objectType": "ServicePrincipal",
    "appId": "77f88b0d-50d3-4d2a-aff3-0b589bf98b4a",
    "displayName": "my-native2",
    "servicePrincipalNames": [
      "77f88b0d-50d3-4d2a-aff3-0b589bf98b4a"
    ],
    "servicePrincipalType": "Application",
    "tags": [
      "WindowsAzureActiveDirectoryIntegratedApp"
    ]
  }'
Get Service Principals
# $filter=appId eq '<appId>' finds the service principal (and its objectId) for a resource application
curl -X GET \
  "https://graph.windows.net/myorganization/servicePrincipals?api-version=1.6&%24filter=appId%20eq%20'00000002-0000-0000-c000-000000000000'" \
  -H "authorization: Bearer $ACCESS_TOKEN" \
  -H 'cache-control: no-cache'
Get OAuth2PermissionGrants
# $filter=clientId eq '<objectId>' lists the grants issued to one client service principal
curl -X GET \
  "https://graph.windows.net/myorganization/oauth2PermissionGrants?api-version=1.6&%24filter=clientId%20eq%20'dea63acd-f50a-48b2-902b-332e68a4a430'" \
  -H "authorization: Bearer $ACCESS_TOKEN" \
  -H 'cache-control: no-cache'
Create OAuth2PermissionGrant
# clientId and resourceId are service principal objectIds (not appIds);
# consentType AllPrincipals with principalId null grants the scope on behalf of all users in the tenant
curl -X POST \
  'https://graph.windows.net/myorganization/oauth2PermissionGrants?api-version=1.6' \
  -H "authorization: Bearer $ACCESS_TOKEN" \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -d '{
    "odata.type": "Microsoft.DirectoryServices.OAuth2PermissionGrant",
    "clientId": "3c1b3a48-9997-4a51-b677-d900ca890574",
    "consentType": "AllPrincipals",
    "principalId": null,
    "resourceId": "370582c4-911d-454c-9b55-b53599919e38",
    "scope": "user_impersonation",
    "startTime": "0001-01-01T00:00:00",
    "expiryTime": "9000-01-01T00:00:00"
  }'
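As an added example (not code from the original post), the Python below drives the same four calls as the curl snippets: create the application, create its service principal, look up the resource's service principal by appId, then create the OAuth2PermissionGrant. It makes the two points the snippets rely on explicit: clientId and resourceId are service principal object IDs, not application IDs, and consentType AllPrincipals with principalId null is tenant-wide admin consent. The HTTP transport is injectable so the flow can be exercised offline; the function names, the urllib transport, the tenant_wide_grants audit helper and SAMPLE_GRANTS are all my own assumptions, not part of the Azure AD Graph API.

```python
"""Azure AD Graph (graph.windows.net, api-version 1.6) provisioning sequence,
written as an added example; the transport is injectable for offline use."""
import json
import urllib.parse
import urllib.request

GRAPH_ROOT = "https://graph.windows.net/myorganization"
API_VERSION = "1.6"
# appId of the Azure AD Graph resource application, as used in the post's $filter query
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"


def graph_url(collection, odata_filter=None):
    """Build a collection URL; $filter is URL-encoded as the curl snippets do by hand."""
    params = {"api-version": API_VERSION}
    if odata_filter:
        params["$filter"] = odata_filter
    return f"{GRAPH_ROOT}/{collection}?{urllib.parse.urlencode(params)}"


def urllib_transport(access_token):
    """Real transport: send(method, url, body) -> parsed JSON. The token is assumed
    to have been issued for the graph.windows.net resource (assumption)."""
    def send(method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Bearer {access_token}")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return send


def native_app_body(display_name, reply_url, resource_app_id, scope_id):
    """Body for POST /applications: public client requesting one delegated scope."""
    return {
        "odata.type": "Microsoft.DirectoryServices.Application",
        "objectType": "Application",
        "availableToOtherTenants": False,
        "displayName": display_name,
        "publicClient": True,
        "replyUrls": [reply_url],
        "requiredResourceAccess": [{
            "resourceAppId": resource_app_id,
            "resourceAccess": [{"id": scope_id, "type": "Scope"}],
        }],
    }


def service_principal_body(app_id, display_name):
    """Body for POST /servicePrincipals; appId comes from the created application."""
    return {
        "odata.type": "Microsoft.DirectoryServices.ServicePrincipal",
        "objectType": "ServicePrincipal",
        "appId": app_id,
        "displayName": display_name,
        "servicePrincipalNames": [app_id],
        "servicePrincipalType": "Application",
        "tags": ["WindowsAzureActiveDirectoryIntegratedApp"],
    }


def grant_body(client_sp_object_id, resource_sp_object_id, scope):
    """Body for POST /oauth2PermissionGrants. Both ids are service principal
    objectIds, not appIds; AllPrincipals + principalId null = consent for all users."""
    return {
        "odata.type": "Microsoft.DirectoryServices.OAuth2PermissionGrant",
        "clientId": client_sp_object_id,
        "consentType": "AllPrincipals",
        "principalId": None,
        "resourceId": resource_sp_object_id,
        "scope": scope,
        "startTime": "0001-01-01T00:00:00",
        "expiryTime": "9000-01-01T00:00:00",
    }


def service_principal_object_id(send, app_id):
    """GET /servicePrincipals?$filter=appId eq '<app_id>' and return its objectId."""
    page = send("GET", graph_url("servicePrincipals", f"appId eq '{app_id}'"))
    matches = [sp for sp in page.get("value", []) if sp.get("appId") == app_id]
    if len(matches) != 1:
        raise LookupError(f"expected one service principal for appId {app_id}, got {len(matches)}")
    return matches[0]["objectId"]


def provision_with_admin_consent(send, display_name, reply_url,
                                 resource_app_id, scope_id, scope_name):
    """Application -> service principal -> resource SP lookup -> grant, as in the video."""
    app = send("POST", graph_url("applications"),
               native_app_body(display_name, reply_url, resource_app_id, scope_id))
    client_sp = send("POST", graph_url("servicePrincipals"),
                     service_principal_body(app["appId"], display_name))
    resource_sp_id = service_principal_object_id(send, resource_app_id)
    return send("POST", graph_url("oauth2PermissionGrants"),
                grant_body(client_sp["objectId"], resource_sp_id, scope_name))


# Constructed sample of a GET /oauth2PermissionGrants "value" array (not real tenant data)
SAMPLE_GRANTS = [
    {"clientId": "sp-client-a", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-resource-aad", "scope": "User.Read Directory.Read.All"},
    {"clientId": "sp-client-b", "consentType": "Principal", "principalId": "user-obj-1",
     "resourceId": "sp-resource-aad", "scope": "User.Read"},
]


def tenant_wide_grants(grants):
    """Audit helper: list (clientId, resourceId, scope) for every grant that applies
    to all users (consentType AllPrincipals); scope is a space-separated string."""
    rows = []
    for g in grants:
        if g.get("consentType") == "AllPrincipals":
            for scope in g.get("scope", "").split():
                rows.append((g["clientId"], g["resourceId"], scope))
    return rows
```

To run it against a real tenant, pass `urllib_transport(token)` as `send`; for a dry run, pass any callable with the same `(method, url, body)` shape and inspect the bodies it receives. The lookup step deliberately fails when the filter does not return exactly one service principal, since a grant written against the wrong objectId silently consents the wrong resource.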
OAuth2PermissionGrant Entity Reference
Azure AD
{
  "odata.type": "Microsoft.DirectoryServices.OAuth2PermissionGrant",
  "clientId": "YOUR APPLICATION'S SERVICE PRINCIPAL OBJECT ID",
  "consentType": "AllPrincipals",
  "principalId": null,
  "resourceId": "OBJECT ID OF THE SERVICE PRINCIPAL REPRESENTING THE AZURE AD APPLICATION IN YOUR TENANT",
  "scope": "User.Read",
  "startTime": "0001-01-01T00:00:00",
  "expiryTime": "9000-01-01T00:00:00"
}
ADLS
{
  "odata.type": "Microsoft.DirectoryServices.OAuth2PermissionGrant",
  "clientId": "YOUR APPLICATION'S SERVICE PRINCIPAL OBJECT ID",
  "consentType": "AllPrincipals",
  "principalId": null,
  "resourceId": "OBJECT ID OF THE SERVICE PRINCIPAL REPRESENTING THE ADLS MANAGEMENT APPLICATION IN YOUR TENANT",
  "scope": "user_impersonation",
  "startTime": "0001-01-01T00:00:00",
  "expiryTime": "9000-01-01T00:00:00"
}
ARM
{
  "odata.type": "Microsoft.DirectoryServices.OAuth2PermissionGrant",
  "clientId": "YOUR APPLICATION'S SERVICE PRINCIPAL OBJECT ID",
  "consentType": "AllPrincipals",
  "principalId": null,
  "resourceId": "OBJECT ID OF THE SERVICE PRINCIPAL REPRESENTING THE AZURE RESOURCE MANAGEMENT APPLICATION IN YOUR TENANT",
  "scope": "user_impersonation",
  "startTime": "0001-01-01T00:00:00",
  "expiryTime": "9000-01-01T00:00:00"
}
Thank you for watching and reading!
Please leave feedback and questions below or on Twitter https://twitter.com/ArsenVlad
Originally published at blogs.msdn.microsoft.com on July 30, 2017.