Azure-docs: Using this process in automation

Created on 22 May 2019 · 9 comments · Source: MicrosoftDocs/azure-docs

Is it possible to document how we could perform this using automation? We generate app registrations dynamically and some of them need permissions to others. I have used a hacky method, but this seems like it would be cleaner if we can pass authentication of the tenant admin with the request.



All 9 comments

@scott1138 Thanks for the feedback! We are currently investigating and will update you shortly.

@scott1138 It looks like this is possible through AAD graph API as documented here. Through MS graph API the following methods are available as well.

However, I am assigning this to the author to consider this as a document idea.

Both of those links appear to point to the same location. I have been using this command:

# Access token for the signed-in admin account (Get-AzureRMToken is a helper from the poster's environment, not a standard AzureRM cmdlet)
$token = Get-AzureRMToken

# Headers expected by the Azure portal's internal (undocumented) API
$header = @{
    'Authorization'          = "Bearer $token"
    'X-Requested-With'       = 'XMLHttpRequest'
    'x-ms-client-request-id' = [guid]::NewGuid()
    'x-ms-correlation-id'    = [guid]::NewGuid()
}

# Portal endpoint that records admin consent for the whole tenant (onBehalfOfAll=true); $azureAppId is the registration's application (client) id
$url = "https://main.iam.ad.ext.azure.com/api/RegisteredApplications/$azureAppId/Consent?onBehalfOfAll=true"
$response = Invoke-RestMethod -Uri $url -Headers $header -Method POST -ErrorAction Stop

But it looks like the way this is executed is changing under the new app registration experience in Azure. I was hoping that the process described in the doc could be used in a similar way.

Hello @scott1138 - Thank you for the feedback. I've opened ADO work item #795939 to track this work on our end. We'll update this thread when we can report on the progress. Thank you.
For now, #please-close

Hi @rwike77 - Any update on this documentation? I'm in the same situation as @scott1138. We also use the undocumented approach relying on the Powershell ClientId using a non-MFA Password grant token.

There are a few nuggets from this document which allude to this capability:

  • 5th paragraph under 'Admin-restricted permissions':
    > _If the application is requesting application permissions and an administrator grants these permissions via the admin consent endpoint, this grant isn't done on behalf of any specific user. Instead, the client application is granted permissions directly. These types of permissions are only used by daemon services and other non-interactive applications that run in the background._
  • Under 'Using the admin consent endpoint'
    > _However, there is also a dedicated admin consent endpoint you can use if you would like to proactively request that an administrator grants permission on behalf of the entire tenant. Using this endpoint is also necessary for requesting Application Permissions (which can't be requested using the authorize endpoint)._

    • This leads to a GitHub sample application. However, it's an attended application that relies on OAuth redirection to log in the admin user & request consent.

In our scenario, we rely on unattended automation, using App + MFA User (w/ RefreshToken) Auth, both of which originate in a CSP Partner Tenant. After Tenant + Admin User + Subscription creation/assumption _(via Partner Center)_, we provision AAD Apps in the Customer Tenant which require Admin Consent _(App Definitions contain requiredResourceAccess entries.)_.

Hi @rwike77 - I'm in the same boat as @scott1138 and @JoeBrockhaus, any update on whether unattended automation of the admin consent grant is supported? Using the undocumented https://main.iam.ad.ext.azure.com/api/RegisteredApplications/... endpoint has been unreliable.

@rwike77 @jeremy-hicks @JoeBrockhaus - updates to the az cli now include the ability to apply the grant. Check out:
az ad app permission grant
and
az ad app permission admin-consent
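The Azure CLI route suggested above, written out as an added example (not code from this thread or from Microsoft): it grants the delegated permissions, applies admin consent for application permissions, and then verifies that a tenant-wide grant was actually recorded. It assumes a recent Azure CLI whose `az ad app permission grant` accepts `--scope`, and an existing `az login` session as an administrator who is allowed to grant consent.

```powershell
# Added example, not code from the thread. Grants tenant-wide admin consent to an
# app registration with the Azure CLI and verifies the grant was recorded.
# Assumptions: recent Azure CLI (grant accepts --scope) and an 'az login' session
# as an administrator permitted to grant consent in the target tenant.
param(
    [Parameter(Mandatory)] [string] $AppId,   # application (client) id of the registration
    [string] $ResourceAppId = '00000003-0000-0000-c000-000000000000',  # Microsoft Graph
    [string[]] $DelegatedScopes = @('User.Read')
)
$ErrorActionPreference = 'Stop'

function Assert-LastAz([string] $Step) {
    # az is a native command; a failure only shows up in $LASTEXITCODE, so check it explicitly.
    if ($LASTEXITCODE -ne 0) { throw "az failed during '$Step' (exit code $LASTEXITCODE)" }
}

# Consent is recorded against the service principal, so make sure one exists first.
$spId = az ad sp list --filter "appId eq '$AppId'" --query '[0].id' -o tsv
Assert-LastAz 'list service principal'
if (-not $spId) {
    az ad sp create --id $AppId | Out-Null
    Assert-LastAz 'create service principal'
}

# Delegated permissions: record the oauth2PermissionGrant for all users in the tenant.
az ad app permission grant --id $AppId --api $ResourceAppId --scope ($DelegatedScopes -join ' ') | Out-Null
Assert-LastAz 'grant delegated permissions'

# Application permissions (the roles in requiredResourceAccess) need the admin-consent call.
az ad app permission admin-consent --id $AppId | Out-Null
Assert-LastAz 'admin consent'

# Verify: every requested delegated scope must appear in a tenant-wide (AllPrincipals) grant.
$grants = az ad app permission list-grants --id $AppId -o json | ConvertFrom-Json
Assert-LastAz 'list grants'
$granted = $grants | Where-Object { $_.consentType -eq 'AllPrincipals' } |
           ForEach-Object { $_.scope -split ' ' } | Where-Object { $_ }
$missing = $DelegatedScopes | Where-Object { $_ -notin $granted }
if ($missing) { throw "Admin consent incomplete; missing delegated scopes: $($missing -join ', ')" }
Write-Output "Admin consent recorded for $AppId (delegated: $($granted -join ', '))"
```

The verification step is what makes this safe to run unattended: a consent call that silently did nothing would otherwise surface only later as a failing application.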

Thank you @scott1138! I will give that a shot.

You can also store the refresh token and keep using that; this way you can automate the process fairly reliably. An example: https://www.lieben.nu/liebensraum/2020/04/calling-graph-and-other-apis-silently-for-an-mfa-enabled-account/
