Microsoft-graph-docs: Programatically grant application permissions via API

Created on 13 Mar 2019 · 8Comments · Source: microsoftgraph/microsoft-graph-docs

Is the Create (POST) method missing from this documentation? It is not clear how to create this entity or apply it to an application.

I've tried using the POST and PATCH applications methods to add an oauth2PermissionScope object to an application, but nothing happens on the portal UI, it still shows the permissions as ungranted.

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

ID: 3a9ff838-139b-fb2a-72e6-0b376b69bf58
Version Independent ID: 63980aa5-c250-8b77-ba44-cc08fe7c6c2d
Content: oAuth2PermissionGrant resource type - Microsoft Graph beta
Content Source: api-reference/beta/resources/oauth2permissiongrant.md
Product: non-product-specific
GitHub Login: @MSGraphDocsvTeam
Microsoft Alias: MSGraphDocsVteam

app model

Source

iamlothian

👍1

Most helpful comment

Can confirm POST and PATCH does work against https://graph.microsoft.com/beta/oauth2PermissionGrants with an application having the app permission DelegatedPermissionGrant.ReadWrite.All.

What doesn't make sense is adding/updating/removing application permissions can be done against "https://graph.microsoft.com/beta/serviceprincipals/{id}/appRoleAssignments", but the same cannot be said for "https://graph.microsoft.com/beta/serviceprincipals/{id}/oauth2PermissionGrants"

dotMikeH on 27 Jan 2020

👍2

All 8 comments

Facing the same issue. Looks like this was / is possible via the Azure AD Graph: https://blogs.msdn.microsoft.com/arsen/2017/07/30/azure-ad-how-to-create-oauth2permissiongrant-using-graph-api-grant-permissions-and-consent-for-application/
Any news on when granting application permission consent will be available via Microsoft Graph?

benmenesi on 24 Apr 2019

any update on this? :)

jakobli on 17 May 2019

👍1

Even with the application permission DelegatedPermissionGrant.ReadWrite.All granted on the app I'm authenticating to, I am also facing the issue with not being able to grant delegated permissions. It's weird that we are able to grant application permissions, but not delegated.

This is the error any time I try to add: Write requests are only supported on contained entities

dotMikeH on 10 Jan 2020

I would also like to understand when the API will be published to allow creation. If there is no plan to do so, it would be helpful to understand what the rationale for that is. We've disabled the ability for users to consent to delegated permission requests but this has greatly increased the burden on our operations team and we'd like to have the option to automate this if we wish.

JoeKaplan on 25 Jan 2020

@sureshja Please can you update the documentation here.

Add a topic to create an oauth2PermissionGrant using POST ../beta/oauth2PermissionGrants.
Remove the topic to PATCH. I don't believe this is supported.

dkershaw10 on 27 Jan 2020

❤1

Dan can you verify that this currently works through the beta API endpoint using POST and the issue here is just a doc bug? I was looking at the .NET beta SDK and noticed that there is a "CreateAsync" method on the OAuth2PermissionGrantRequest class so it appears that this might already work as expected but I didn't get a chance to test it yet.

JoeKaplan on 27 Jan 2020

Can confirm POST and PATCH does work against https://graph.microsoft.com/beta/oauth2PermissionGrants with an application having the app permission DelegatedPermissionGrant.ReadWrite.All.

dotMikeH on 27 Jan 2020

👍2

@dotMikeH Just to circle back here: thanks for you feedback. The lack of symmetry between these APIs is something we're considering as we look to what changes we'll make in future versions. At this point we don't have any concrete timelines for any changes.

Just to recap where we are today: