
Grant Admin Consent using Microsoft Graph API - Java

I have created an application using the Graph API and have assigned it permissions, both delegated and application...

    // Read the resource service principal that exposes the app roles and scopes
    ServicePrincipal servicePrincipal = graphClient.servicePrincipals(resSerPrinId)
            .buildRequest()
            .get();
    
    List<AppRole> appRoles = servicePrincipal.appRoles;
    List<PermissionScope> scopes = servicePrincipal.oauth2PermissionScopes;
    
    List<ResourceAccess> raList = new ArrayList<ResourceAccess>();
    
    // Application permissions: one ResourceAccess of type "Role" per app role
    for (AppRole appRole : appRoles) {
        ResourceAccess access = new ResourceAccess();
        access.id = appRole.id;
        access.type = "Role";
        raList.add(access);
    }
    
    System.out.println("Roles added...");
    
    // Delegated permissions: one ResourceAccess of type "Scope" per exposed scope
    for (PermissionScope permissionScope : scopes) {
        ResourceAccess access = new ResourceAccess();
        access.id = permissionScope.id;
        access.type = "Scope";
        raList.add(access);
    }
    
    System.out.println("Scopes added...");
    
    // Group the entries under the resource's application (client) id
    RequiredResourceAccess reqResAccess = new RequiredResourceAccess();
    reqResAccess.resourceAccess = raList;
    reqResAccess.resourceAppId = resSerPrinAppClientId;
    
    List<RequiredResourceAccess> rraList = new ArrayList<RequiredResourceAccess>();
    rraList.add(reqResAccess);
    
    // Load the client application (by object id) and replace its requiredResourceAccess
    Application application = graphClient.applications(clientAppObjId)
            .buildRequest()
            .get();
    
    application.requiredResourceAccess = rraList;
    
    graphClient.applications(clientAppObjId)
            .buildRequest()
            .patch(application);

Here in the code above, resSerPrinId is the resource service principal id, which has app roles in its manifest and a scope in the "Expose an API" section...

So I am pulling the appRoles and oauth2Permission entries out of that resource service principal and sending them to the client service principal...

In the UI I see that the permissions have not been granted...

Is it possible to give them admin grant using some Graph API, or by manually loading these permissions and then giving them admin grant... or do I always need to use the UI to do it...?

SharadxDutta asked Nov 01 '25 23:11


1 Answer

So we basically have 2 types of permissions: roles (application) and scopes (delegated).

So to provide "grant admin consent" to your delegated permissions, use the below snippet:

GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

// A delegated grant is one oauth2PermissionGrant per client/resource pair.
// clientId and resourceId are service principal OBJECT ids, not application ids.
OAuth2PermissionGrant oAuth2PermissionGrant = new OAuth2PermissionGrant();
oAuth2PermissionGrant.clientId = "clientId-value";
// "AllPrincipals" = admin consent for all users (leave principalId unset),
// "Principal" = consent for the single user named in principalId
oAuth2PermissionGrant.consentType = "consentType-value";
oAuth2PermissionGrant.principalId = "principalId-value";
oAuth2PermissionGrant.resourceId = "resourceId-value";
// space-separated scope claim values, e.g. "User.Read Mail.Read"
oAuth2PermissionGrant.scope = "scope-value";

graphClient.oauth2PermissionGrants()
    .buildRequest()
    .post(oAuth2PermissionGrant);

Here is the link to the documentation - Read about oAuth2PermissionGrant here

Now to provide "grant admin consent" to application permissions, use the below snippet:

GraphServiceClient graphClient = GraphServiceClient.builder().authenticationProvider( authProvider ).buildClient();

// An application grant is one appRoleAssignment per app role.
AppRoleAssignment appRoleAssignment = new AppRoleAssignment();
// principalId: object id of the client service principal receiving the role
appRoleAssignment.principalId = UUID.fromString("33ad69f9-da99-4bed-acd0-3f24235cb296");
// resourceId: object id of the resource service principal that defines the role
appRoleAssignment.resourceId = UUID.fromString("9028d19c-26a9-4809-8e3f-20ff73e2d75e");
// appRoleId: id of the app role from the resource's manifest
appRoleAssignment.appRoleId = UUID.fromString("ef7437e6-4f94-4a0a-a110-a439eb2aa8f7");

// Posted to the RESOURCE service principal's appRoleAssignedTo collection
graphClient.servicePrincipals("9028d19c-26a9-4809-8e3f-20ff73e2d75e").appRoleAssignedTo()
    .buildRequest()
    .post(appRoleAssignment);

Here is the link to the documentation - Read more about AppRoleAssignment here

You have to use these two bad boys right here and it's done - just use the correct IDs (do not confuse the client id with the client principal id, and likewise).

Basically the flow is: get all permissions (both types loaded up using Required Resource Access), then add admin grants to all the permissions using the above code. Hope this helps. Comment if you need more help.

SharadxDutta answered Nov 04 '25 13:11
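Putting the two grants from the answer together with the service principal lookup from the question, as an added example (not the asker's or answerer's code, and not a Microsoft sample). The client and resource service principal object ids and the allow-lists of scope and role values are assumed inputs; it grants only the allow-listed values rather than every permission the resource exposes, so the tenant-wide consent stays at least privilege.

```java
import com.microsoft.graph.models.AppRole;
import com.microsoft.graph.models.AppRoleAssignment;
import com.microsoft.graph.models.OAuth2PermissionGrant;
import com.microsoft.graph.models.ServicePrincipal;
import com.microsoft.graph.requests.GraphServiceClient;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;

public class AdminConsent {
    // Grants admin consent for the allow-listed delegated scopes and assigns the
    // allow-listed app roles from the resource SP to the client SP. Both ids are
    // service-principal OBJECT ids, not application (client) ids. (Assumed inputs.)
    static void grant(GraphServiceClient<?> graphClient,
                      String clientSpObjectId, String resourceSpObjectId,
                      Set<String> wantedScopes, Set<String> wantedRoles) {
        ServicePrincipal resource = graphClient.servicePrincipals(resourceSpObjectId)
                .buildRequest().get();

        // Delegated: one oauth2PermissionGrant whose scope is a space-separated list of
        // claim values. Only scopes the resource exposes AND the allow-list names go in.
        String scopeClaim = resource.oauth2PermissionScopes == null ? "" :
                resource.oauth2PermissionScopes.stream()
                        .map(s -> s.value)
                        .filter(wantedScopes::contains)
                        .collect(Collectors.joining(" "));
        if (!scopeClaim.isEmpty()) {
            OAuth2PermissionGrant grant = new OAuth2PermissionGrant();
            grant.clientId = clientSpObjectId;
            grant.resourceId = resourceSpObjectId;
            grant.consentType = "AllPrincipals"; // tenant-wide admin consent; principalId stays null
            grant.scope = scopeClaim;
            graphClient.oauth2PermissionGrants().buildRequest().post(grant);
        }
        // Application: one appRoleAssignment per role, posted to the RESOURCE SP's
        // appRoleAssignedTo; principalId is the client SP being granted the role.
        if (resource.appRoles == null) return;
        for (AppRole role : resource.appRoles) {
            if (role.value == null || !wantedRoles.contains(role.value)) continue;
            AppRoleAssignment assignment = new AppRoleAssignment();
            assignment.principalId = UUID.fromString(clientSpObjectId);
            assignment.resourceId = UUID.fromString(resourceSpObjectId);
            assignment.appRoleId = role.id;
            graphClient.servicePrincipals(resourceSpObjectId).appRoleAssignedTo()
                    .buildRequest().post(assignment);
        }
    }
}
```

Re-running it against a pair that already has a grant returns a conflict from Graph, so list the existing oauth2PermissionGrants and appRoleAssignedTo entries first if the call is part of a repeatable provisioning step.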