Why is "Application permissions" disabled in Azure AD's "Request API permissions"?
I'm trying to give a console app permission to call an API in Azure AD.

When I go to "Add permissions," "application permissions" is grayed out and I can only select "delegated permissions."

My understanding is that application permissions is right for the console app because it runs on the back-end and users don't sign into it.

From the help text for "application permissions":

Your application runs as a background service or daemon without a signed-in user.

The help text for "delegated permissions":

Your application needs to access the API as the signed-in user.

Why is "application permissions" disabled?

[Screenshot: Azure's "Request API permissions" dialog with a disabled "Application permissions" button]

Anglim answered 6/8, 2019 at 15:28 Comment(4)
Wavellite: Have you defined app permissions in the appRoles array for the API?
Infare: You have to create a tenant in the Azure portal. The permission is grayed out because you have created the application without creating a tenant. Let me know if you have any more queries.
Anglim: @MdFaridUddinKiron I definitely have a tenant... I don't think that's the issue.
Anglim: @Wavellite No, I'll check the docs using those keywords.
Per my understanding, you are exposing your custom API protected by Azure AD. If so, you need to define the application permission by editing the manifest of your API app.


manifest:

    "appRoles": [
        {
            "allowedMemberTypes": [
                "Application"
            ],
            "description": "Apps that have this role have the ability to invoke my API",
            "displayName": "Can invoke my API",
            "id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "myTestRole"
        }
    ]

Then the application permission will show up.


Jared answered 7/8, 2019 at 1:6 Comment(12)
Anglim: That was it! I manually generated the GUID for the id property of the new role (PowerShell > New-Guid > Enter). I don't know if there's a way to do it in the Portal (or if it even has to be a GUID), but it accepted it.
Kathykathye: Beware, counter-intuitively "The displayName cannot contain spaces." according to the linked doc.
Evening: This seems like something Microsoft should build a GUI/UI blade for, no?
Halftruth: What is the ID that goes in the appRoles entry? The id of the API you're trying to grant access to? Or the app you're editing? Or something else ... ?
Halftruth: Meaning it can be literally anything?
Jared: @Halftruth Yes, just note that the id must be a unique GUID.
Vivienviviene: How is it possible that this doesn't even appear in this doc? learn.microsoft.com/en-us/azure/active-directory/develop/…
Klagenfurt: @A.com It also won't show for me. Did you solve it?
Propellant: @Klagenfurt You actually don't give it permissions that way. It's really confusing. Instead you add your registered app to your subscription and apply a reader role, sort of through IAM. See here medium.com/@crlmas07/…
Klagenfurt: @Propellant Thanks a lot! I couldn't find that in any docs.
Propellant: Just added it as an answer so others see it hopefully @Klagenfurt
Microclimatology: Be aware, if you want to edit the appRole that you've added via the Portal manifest editor, you'll have to first set its isEnabled property to false and hit Save. After saving, you'll then be able to edit the other properties and the editor will allow you to save the changes. You'll then have to set the isEnabled property back to true. If you don't follow this, you'll see a "Permission (scope or role) cannot be deleted or updated unless disabled first." error message.
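Defining the app role is only half of the picture: the API that the console app calls has to check that the role was actually granted. The following is an added example, not code from the question or any answer, showing the claim-level authorization an API should perform once a JWT library has validated the token's signature, issuer and expiry. The audience URI, the calling app's client ID and the sample claim sets are constructed placeholders; the role value `myTestRole` is the one from the manifest above.

```python
"""Added example: API-side enforcement of an application permission (app role).

Assumes signature, issuer and expiry were already validated by a JWT library;
only claim-level authorization is shown here. Audience and sample claims are
constructed placeholders.
"""
from typing import Any, Mapping

REQUIRED_ROLE = "myTestRole"        # the appRoles 'value' from the accepted answer
EXPECTED_AUDIENCE = "api://my-api"  # placeholder application ID URI of the API


def authorize_app_only(claims: Mapping[str, Any],
                       required_role: str = REQUIRED_ROLE,
                       expected_audience: str = EXPECTED_AUDIENCE) -> tuple[bool, str]:
    """Return (allowed, reason) for an already-validated token's claims.

    Application permissions granted to a daemon arrive as entries in the
    'roles' claim of an app-only token; delegated permissions arrive in the
    'scp' claim of a token issued for a signed-in user. An endpoint meant for
    background callers should require the role and refuse a delegated token,
    rather than accepting any token that merely validated.
    """
    if claims.get("aud") != expected_audience:
        return False, "token was not issued for this API"
    if "scp" in claims:
        return False, "delegated (user) token presented; application permission required"
    roles = claims.get("roles")
    if not isinstance(roles, list) or not roles:
        return False, "no roles claim: application permission not assigned or not consented"
    if required_role not in roles:
        return False, f"missing app role {required_role!r}"
    return True, "ok"


# Constructed sample claim sets (shapes follow Azure AD access tokens; values are made up)
APP_ONLY_CLAIMS = {
    "aud": "api://my-api",
    "azp": "11111111-1111-1111-1111-111111111111",  # calling app's client ID (made up)
    "roles": ["myTestRole"],
}
DELEGATED_CLAIMS = {"aud": "api://my-api", "scp": "access_as_user", "name": "Some User"}
WRONG_AUDIENCE_CLAIMS = {"aud": "https://graph.microsoft.com", "roles": ["myTestRole"]}
UNASSIGNED_CLAIMS = {"aud": "api://my-api", "azp": "11111111-1111-1111-1111-111111111111"}

if __name__ == "__main__":
    for name, claims in [("app-only", APP_ONLY_CLAIMS), ("delegated", DELEGATED_CLAIMS),
                         ("wrong audience", WRONG_AUDIENCE_CLAIMS), ("unassigned", UNASSIGNED_CLAIMS)]:
        print(f"{name:14s} -> {authorize_app_only(claims)}")
```

Rejecting a token that carries `scp` is a deliberate design choice for a daemon-only endpoint: a role whose allowedMemberTypes is just "Application" can never appear in a user token, so a delegated token reaching this endpoint is a sign of a misconfigured client rather than a legitimate caller.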
You actually don't give it permissions that way. It's really confusing. Instead you add your registered app to your subscription and apply a reader role, sort of through IAM. See here:

https://medium.com/@crlmas07/programmatic-access-to-azure-portal-d925ea90831e

Propellant answered 14/8, 2021 at 13:2 Comment(3)
Klagenfurt: I also found another way of creating the app without that much hassle. It is called a Service principal and automatically adds a role in the command line: learn.microsoft.com/en-us/cli/azure/… Thank you for pointing me in the right direction. I've awarded you a bounty.
Dialectician: I am not clear here: once you assign the reader role, it is a reader role for the MSI on that subscription, which is very different from granting access to a particular role for an app. The medium article is trying to build an app that has access to all Azure resources in a subscription.
Boadicea: This is giving your app permissions to access all resources under a subscription. I don't think this is the correct way to do it.
This happens because personal accounts cannot manage administrative permissions; Microsoft has determined that personal accounts are not administrators:

To allow users to request an administrator's review and approval of an application that the user isn't allowed to consent to, enable the admin consent workflow. For example, you might do this when user consent has been disabled or when an application is requesting permissions that the user isn't allowed to grant.

Apps that sign in to personal Microsoft accounts do not support permissions that require administrator consent.

For example, Directory.ReadWrite.All requires administrator consent. All application permissions need administrator consent. Only the basic permissions are enabled for a personal account.

If you try to add the permission in the manifest, like this:

"appRoles": [
    { "allowedMemberTypes": [ "Application" ],
...

it says:

The signInAudience property is set to PersonalMicrosoftAccounts and application permissions or app roles cannot be exposed for applications that only support personal Microsoft accounts.

When you try to modify the permissions from the Permission Manager menu, it says:

interaction_required: AADSTS16000: User account '{EUII Hidden}' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application '7655d621-3c86-4a9a-92f8-47244f293b55'(Microsoft_Entra_PM) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

But to add other users you need administrator roles, and for administrator roles you need an organization, but to create an organization with administrator roles you need an enterprise account.

If you try to modify the identification type in the Identification section, it says:

failedAdminServiceApiCall 0 undefined Error code: failedAdminServiceApiCall

In other words, you must pay for a Microsoft Azure enterprise account, have an Active Directory, and be an administrator of an organization with a paid plan to enable this option.

If you can't, you have other options, such as the Google Drive API, which gives you full access without needing a paid account, with certain limits on usage; as long as you don't make hundreds of thousands of requests a day there is no problem.

Koetke answered 20/3 at 4:22 Comment(0)
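The conditions this thread identifies as hiding "Application permissions" can be checked mechanically against the manifest downloaded from the portal. The following linter is an added example, not code from any answer on this page: it applies the accepted answer's requirement (an appRoles entry whose allowedMemberTypes contains "Application"), the comments' requirement that each id be a unique GUID, and the signInAudience restriction quoted in the error message of this answer. The no-spaces check is applied to `value`, the string that appears in a token's roles claim; the accepted answer's displayName contains spaces and the asker reported it was accepted. The sample manifests are constructed, with the good one reusing the role from the accepted answer.

```python
"""Added example: lint an app registration manifest for the conditions this
thread identifies as hiding the 'Application permissions' option.

Sample manifests are constructed; the good one reuses the accepted answer's role.
"""
import json
import uuid


def _is_guid(value) -> bool:
    """True if value parses as a GUID/UUID."""
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def lint_manifest(manifest: dict) -> list[str]:
    """Return findings; an empty list means application permissions can be exposed."""
    findings = []
    audience = str(manifest.get("signInAudience", ""))
    # Error quoted in the answer above: app roles cannot be exposed for
    # applications that only support personal Microsoft accounts.
    if audience.startswith("PersonalMicrosoftAccount"):
        findings.append("signInAudience is personal accounts only; app roles cannot be exposed")

    roles = manifest.get("appRoles") or []
    # Accepted answer: the 'Application permissions' option appears only once
    # some role allows the 'Application' member type.
    if not any("Application" in r.get("allowedMemberTypes", []) for r in roles):
        findings.append("no appRoles entry allows member type 'Application'; "
                        "only delegated permissions will be offered")

    seen_ids, seen_values = set(), set()
    for i, role in enumerate(roles):
        label = f"appRoles[{i}]"
        rid = str(role.get("id", "")).lower()   # GUIDs compare case-insensitively
        if not _is_guid(rid):
            findings.append(f"{label}: id {rid!r} is not a GUID")
        elif rid in seen_ids:
            findings.append(f"{label}: id {rid} duplicates another role")
        seen_ids.add(rid)

        value = role.get("value") or ""
        if not value:
            findings.append(f"{label}: value is empty; nothing would appear in the roles claim")
        elif " " in value:
            findings.append(f"{label}: value {value!r} must not contain spaces")
        elif value in seen_values:
            findings.append(f"{label}: value {value!r} duplicates another role")
        seen_values.add(value)

        if role.get("isEnabled") is not True:
            findings.append(f"{label}: isEnabled is not true; role cannot be granted")
    return findings


def lint_manifest_json(text: str) -> list[str]:
    """Convenience wrapper for the raw manifest text downloaded from the portal."""
    return lint_manifest(json.loads(text))


# Constructed manifests. GOOD reuses the role from the accepted answer.
GOOD_MANIFEST = json.dumps({
    "signInAudience": "AzureADMyOrg",
    "appRoles": [{
        "allowedMemberTypes": ["Application"],
        "description": "Apps that have this role have the ability to invoke my API",
        "displayName": "Can invoke my API",
        "id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
        "isEnabled": True,
        "lang": None,
        "origin": "Application",
        "value": "myTestRole",
    }],
})
BAD_MANIFEST = json.dumps({
    "signInAudience": "PersonalMicrosoftAccount",
    "appRoles": [
        {"allowedMemberTypes": ["User"], "id": "not-a-guid", "isEnabled": True, "value": "my role"},
        {"allowedMemberTypes": ["User"], "id": "FC803414-3C61-4EBC-A5E5-CD1675C14BBB",
         "isEnabled": False, "value": ""},
    ],
})

if __name__ == "__main__":
    for name, text in [("good", GOOD_MANIFEST), ("bad", BAD_MANIFEST)]:
        print(name, lint_manifest_json(text) or ["no findings"])
```

Run it against the manifest JSON downloaded from the app registration's Manifest blade; the findings list is empty for the accepted answer's role under a work-or-school signInAudience and lists each blocking condition otherwise.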
I guess that to use this feature you first have to create a certificate or a client secret. This can be done directly under the following menu:

  • Manage > Certificates & secrets
Calcareous answered 10/1 at 14:22 Comment(1)
Koetke: Does not work. I create the new secret, but the button is disabled again.
