Updating App Registration's Configured permission without overwritten existing values
I'm trying to update the "Configured permissions" of a given App Registration (Target App), with a permission offered by another App Registration (Source App). Source App exposes an API using user_impersonation. In fact, I have several Source Apps exposing APIs, which are added in Target App's Configured permissions.
Everything goes fine when updating Target App's Configured permissions through Azure portal. It means that already added permissions remain, and Source App's exposed permission is added. However, if I try to use Graph API, Target App's Configured permissions is updated so that only Source App's exposed permission remains. Previously existing permissions are moved to "Other permissions granted for <MY_TENANT_NAME>".
To restore the previous state, I have to add again all previously existing permissions.
This is how I'm updating Target App's Configured permissions using Graph API:
$ curl --silent -X PATCH -H "Authorization: Bearer ${TOKEN}" -H "Content-Type:application/json" \
-d '{"requiredResourceAccess":[{"resourceAppId":"<SOURCE_APP_CLIENT_ID>","resourceAccess":[{"id":"<SCOPE_ID_USER_IMPERSONATION>","type": "Scope"}]}]}' \
https://graph.microsoft.com/v1.0/applications/<TARGET_APP_OBJECT_ID>
According to this link, the call above is fine.
Any suggestions on how to do the update so that Target App's Configured permission is not overwritten?
When using the Microsoft Graph API to update the requiredResourceAccess property, the PATCH request replaces the existing permissions with the new ones, moving the previous permissions to "Other permissions granted for <TENANT_NAME>."
I have one TargetApp app registration with below permissions added under Configured permissions:
In SourceApp application, I exposed an API scope named user_impersonation as below:
To achieve your scenario via Graph API, you need to retrieve the current permissions, append the new ones, and then run PATCH request with the combined list.
In my case, I used below bash script with curl requests to update app registration's configured permissions without overwriting existing permissions:
currentPermissions=$(curl --silent -X GET -H "Authorization: Bearer ${TOKEN}" \
https://graph.microsoft.com/v1.0/applications/${TARGET_APP_OBJECT_ID} | jq '.requiredResourceAccess')
newPermission=$(jq -n \
--arg resourceAppId "${SOURCE_APP_CLIENT_ID}" \
--arg scopeId "${SCOPE_ID_USER_IMPERSONATION}" \
'{
resourceAppId: $resourceAppId,
resourceAccess: [{
id: $scopeId,
type: "Scope"
}]
}')
updatedPermissions=$(echo "${currentPermissions}" | jq --argjson newPermission "${newPermission}" '. + [$newPermission] | unique_by(.resourceAppId)')
curl --silent -X PATCH -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" \
-d '{"requiredResourceAccess":'"${updatedPermissions}"'}' \
https://graph.microsoft.com/v1.0/applications/${TARGET_APP_OBJECT_ID}
echo "Permission added successfully."
Response:
To confirm that, I checked the same in Portal where SourceApp permission added successfully without overwriting existing permissions:
- Generating token for Fabric Rest api using client secret
- Authenticate to SQL Server with Azure app service managed identity through group
- Why is my Azure AD token request returning HTTP 400 consent error for API permissions that have been granted?
- How to set Azure MSAL SSO for my Nextjs14 app using Approuter and next-auth
- Unable to Connect to Azure PostgreSQL Database via Point-to-Site VPN with Azure Active Directory on macOS
- How do I retrieve the service principal password after creation using the azure cli?
- Cannot create Azure B2C Tenant
- Accessing Graph API from multi tenant App Function via identity
- My Azure AD B2C User Flow is not returning a token on jwt.ms
- AADSTS65001: The user or administrator has not consented to use the application with ID <app-id>
- AccountEnabled user property from Azure AD returning null
- Azure B2C user flow without an email
- How to use Azure Data Factory to take Business Central data and put into Azure SQL DB?
- Triggering a PowerAutomate desktop flow, using apis, fails due to access issues
- Azure - should the creator of a resource have owner rights?
- Scope is not being added to Access Token returned from Azure Ad
- The required field 'nonce' is missing from the credential. Ensure that you have all the necessary parameters for the login request. [Azure Open ID]
- Exchanging azure AD token with Identity server token
- Website authenticating users against AAD: can the OpenId document be provided offline to the consuming website?
- how to limit code verification email Spaming in Azure B2C
- Custom Claims in a Multitenant Microsoft Entra App
- Get error "You do not have elevated access" when try to postpone MFA enforcement
- How to bulk create/import users in Azure AD so that all of them can have single sign on to my SF sandbox?
- How can I "Get Microsoft Teams Users" Using of Microsoft Graph API
- Azure AD Authentication 401 error "the audience is invalid" AddAzureADBearer .Net Core Web Api
- AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption
- How to get users info list from Azure AD app by calling Microsoft Graph API from ASP.NET Core Web API?
- Updating App Registration's Configured permission without overwritten existing values
- Missing Environment Variable 'BOT_ID' While Registering Microsfot Teams Bot App, while using Teams tool Kit template
- Error on integration with SSO Azure AD (BrowserAuthError: uninitialized_public_client_application)