API Permission Issue while Azure App Registration

I have an API App registered under Azure Active Directory -> App Registrations. This API App is exposing endpoints which will be accessed by clients from within the organization. The clients are not users but background services that will be accessing the endpoints.

When I am trying to grant API Permission for the clients to access the API App I see the Application Permission as disabled/greyed out. Do I need to do something different when setting the API Permissions?

Please see the attached picture.

Has anyone come across this issue, or am I doing something silly? The Azure Admin in our organization told me he can't help with this as he hasn't seen anything like this before.


ATO asked Jun 11 '19 22:06




1 Answer

Most probably you haven't defined any roles (i.e. Application Permissions) for your app registration and hence when you try to add permissions for the client application you only see an option for Delegated Permissions.

How to define Roles/Application Permissions

Go to Azure Portal > Azure AD > App Registrations > Registration for your API application > Manifest

Find the "appRoles" collection in Manifest JSON and if it's empty, add your own appRoles here. Example:

"appRoles": [
        {
            "allowedMemberTypes": [
                "Application"
            ],
            "description": "Apps that have this role have the ability to invoke my API",
            "displayName": "Can invoke my API",
            "id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
            "isEnabled": true,
            "lang": null,
            "origin": "Application",
            "value": "MyAPIValidClient"
        }
    ]

Notice that I have kept "allowedMemberTypes" as "Application" so that it can only be used as an Application Permission. The other possibility is to have "User" as the allowedMemberType, but that is for a different use case, when you want to assign roles to users, and that's not what you're looking for.

Now if you go to the client application registration to which you want to grant this role (Application Permission), you should be able to see "Application Permissions" as enabled.

You should also be able to see the Application Permission "MyAPIValidClient" with its description available to be selected. Now I have defined only one Application Permission in the example above, but as you can see it's an array, so you can define multiple ones as well. Just make sure you generate new GUIDs to be assigned as "id" for each Application Permission.


Rohit Saigal answered Nov 08 '22 02:11

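The answer above covers the portal side: define an appRole with allowedMemberTypes ["Application"] on the API registration, then pick it as an Application Permission on the client registration. What the answer does not show is the other half that makes the role worth anything: the API has to check the "roles" claim of the incoming client-credentials token. Any app registration in the tenant can obtain a token whose audience is your API, so "the token validates" is not the same as "this client was granted MyAPIValidClient". The following is an added example, not code from the question or the answer. It builds the two manifest fragments (the appRoles entry for the API and the matching requiredResourceAccess entry for the client, which references application permissions by role id with type "Role") and then implements the authorization check the API should run on an already signature-verified token. The application ID, the sample token payloads and the role id are constructed placeholders.

```python
"""Added example (not from the original answer): build the manifest entries for
an application permission (app role) on the API side and the matching
requiredResourceAccess entry on the client side, then show the check the API
must perform on a client-credentials token. The API app id, the role id and
the sample token payloads are constructed placeholders for illustration."""
import uuid

# Application (client) ID of the API registration: a constructed placeholder.
API_APP_ID = "11111111-2222-3333-4444-555555555555"


def make_app_role(value, display_name, description, role_id=None):
    """Return an appRoles entry usable only as an Application permission.

    allowedMemberTypes = ["Application"] is what makes the role show up under
    'Application permissions' for client registrations. A fresh GUID is
    generated when none is supplied, since every role needs its own unique id.
    """
    return {
        "allowedMemberTypes": ["Application"],
        "description": description,
        "displayName": display_name,
        "id": role_id or str(uuid.uuid4()),
        "isEnabled": True,
        "value": value,
    }


def make_required_resource_access(api_app_id, app_roles):
    """Return the client manifest's requiredResourceAccess entry for the API.

    Application permissions are referenced by the role's id with type "Role";
    delegated permissions (OAuth2 scopes) would use type "Scope" instead.
    """
    return {
        "resourceAppId": api_app_id,
        "resourceAccess": [{"id": r["id"], "type": "Role"} for r in app_roles],
    }


def authorize_app_token(claims, api_app_id, required_role):
    """Decide whether an already signature-verified access token may call the API.

    `claims` is the decoded JWT payload (signature, issuer and expiry are
    assumed to have been verified by the JWT library before this point).
    A valid signature alone is not authorization: any client in the tenant can
    request a token for this audience. The API must also confirm the audience
    and that the 'roles' claim carries the app role it defined. A token with a
    'scp' claim is a delegated (user) token, not an app-only token, and is
    rejected here because this endpoint is meant for background services only.
    Returns (allowed, reason).
    """
    if claims.get("aud") not in (api_app_id, f"api://{api_app_id}"):
        return False, "audience mismatch"
    if "scp" in claims:
        return False, "delegated token, not an application token"
    roles = claims.get("roles") or []
    if required_role not in roles:
        return False, f"missing app role {required_role!r}"
    return True, "ok"


if __name__ == "__main__":
    role = make_app_role(
        "MyAPIValidClient",
        "Can invoke my API",
        "Apps that have this role have the ability to invoke my API",
        role_id="fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
    )
    print("API manifest appRoles entry:", role)
    print("client manifest entry:", make_required_resource_access(API_APP_ID, [role]))

    # Constructed sample payloads: one granted the role, one merely valid for
    # the audience, one delegated token carrying a user scope.
    granted = {"aud": API_APP_ID, "roles": ["MyAPIValidClient"]}
    ungranted = {"aud": API_APP_ID}
    delegated = {"aud": API_APP_ID, "scp": "user_impersonation", "roles": ["MyAPIValidClient"]}
    for payload in (granted, ungranted, delegated):
        print(payload, "->", authorize_app_token(payload, API_APP_ID, "MyAPIValidClient"))
```

The "roles" claim only appears in the token after an administrator has granted consent for the application permission on the client registration; until then the client still gets a token for the audience, which is exactly why the check in authorize_app_token must fail closed on a missing role rather than treating a valid token as sufficient.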