
How to make the consentToApp in Azure AD REST API work? #39562

Closed
DanijelMalik opened this issue Sep 26, 2019 · 9 comments

@DanijelMalik (Author)

I've been trying to automate what the Grant admin consent for ... button does without any luck.

It feels like the appId in the JWT token "signalises" the API whether to accept the version 2.0 or reject. The accepted appId does not exist in my AAD hence I can't create a secret for it.

If I grab the token from a browser request and make a POST request with the following body, everything works fine and I get back 204.

POST https://graph.windows.net/myorganization/consentToApp?api-version=2.0

```json
{
	"clientAppId": "{targetAppId}",
	"onBehalfOfAll": true,
	"checkOnly": false,
	"tags": []
}
```

But if I use a token generated by a POST to https://login.microsoftonline.com/{{tenantId}}/oauth2/token, the API throws an error:

```json
{
  "odata.error": {
    "code": "Request_InvalidDataContractVersion",
    "message": {
      "lang": "en",
      "value": "The specified api-version is invalid. The value must exactly match a supported version."
    },
    "requestId": "577f7eeb-4eb0-4106-92f7-fc3440ec82d9",
    "date": "2019-09-26T00:34:49"
  }
}
```

Anyway, the bottom line is: I need to automate what the Grant admin consent for ... button does. Maybe I'm down the wrong path and there's a better way of doing it.

All suggestions are more than welcome.

@souravmishra-msft (Contributor) commented Sep 26, 2019

@DanijelMalik , This is interesting. I am working on this, do allow us sometime so that we can share our findings on this.

@DanijelMalik (Author)

It might be worth sharing some more details.

I have a master application that creates child apps. Those child apps may require some API permissions, e.g. Read All Users, hence admin consent is required. But I don't want to go back and manually click the button each time this is needed.

The master app has a specific flow and would know under what circumstances to grant admin consent, but I'm struggling to get this working.

@souravmishra-msft (Contributor) commented Sep 26, 2019

@DanijelMalik, unfortunately we don't have an API or PowerShell cmdlet to accomplish it.

The only ways are using the UI, i.e. portal.azure.com and Grant Permissions, or using the authorize URL.

Sample consent URL:

V1 Endpoint:
https://login.windows.net/{tenantId}/oauth2/authorize?response_type=code&redirect_uri=http%3A%2F%2Flocalhost&prompt=admin_consent&client_id={applicationId}&resource=https%3A%2F%2Fgraph.windows.net

V2 Endpoint:
https://login.microsoftonline.com/common/adminconsent?client_id={applicationId}&state=12345&redirect_uri=http://localhost/myapp/permissions

But that’s a feature that has been requested and you can also vote for it at the following location

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/31562305-ability-to-grant-permissions-via-api-or-powershell

Hope this helps.
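The consent round trip described in the reply above (send an administrator to the adminconsent URL, then handle the redirect), as an added example that is not code from the thread or from Microsoft. The client id, redirect URI and tenant ids in the demo are placeholders. Two checks matter for security: the random `state` must match the one this server issued (otherwise an attacker can plant a forged callback), and when the `/common` endpoint is used the tenant reported in the callback should be one you actually expect before you store anything about it.

```python
"""Admin consent round trip (editor-added example, not code from the thread).

Builds the v2 admin-consent URL shown in the reply above and validates the
redirect Azure AD sends back. Client id, redirect URI and tenant ids used in
the demo below are placeholders.
"""
import secrets
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"


class ConsentError(Exception):
    """Raised when the consent callback must not be trusted."""


def build_admin_consent_url(client_id: str, redirect_uri: str, tenant: str = "common",
                            scope: Optional[str] = None,
                            state: Optional[str] = None) -> Tuple[str, str]:
    """Return (url, state); persist state server-side before redirecting the admin."""
    state = state or secrets.token_urlsafe(32)  # per-request, unguessable
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    if scope:  # v2 endpoint: optional space-separated scopes to consent to
        params["scope"] = scope
    return f"{AUTHORITY}/{tenant}/adminconsent?{urlencode(params)}", state


def parse_admin_consent_callback(callback_url: str, expected_state: str,
                                 allowed_tenants: Optional[Set[str]] = None) -> str:
    """Validate the redirect from Azure AD and return the tenant id that granted consent.

    Success looks like ...?admin_consent=True&tenant=<id>&state=<state>;
    failure carries error=...&error_description=...&state=<state>.
    """
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    # Constant-time compare so the check itself leaks nothing about the stored state.
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ConsentError("state mismatch: callback was not started by this server")
    if "error" in qs:
        raise ConsentError(f"{qs['error'][0]}: {qs.get('error_description', [''])[0]}")
    if qs.get("admin_consent", [""])[0].lower() != "true":
        raise ConsentError("admin_consent=True not present in callback")
    tenant = qs.get("tenant", [""])[0]
    if not tenant:
        raise ConsentError("tenant missing from callback")
    if allowed_tenants is not None and tenant not in allowed_tenants:
        raise ConsentError(f"consent granted in unexpected tenant {tenant}")
    return tenant


if __name__ == "__main__":
    url, state = build_admin_consent_url("00000000-0000-0000-0000-00000000c11e",  # placeholder
                                         "http://localhost/myapp/permissions")
    print("send the admin to:", url)
    # Constructed callback, as the browser would deliver it after the admin clicks Accept.
    cb = (f"http://localhost/myapp/permissions?tenant=00000000-0000-0000-0000-0000000007e4"
          f"&state={state}&admin_consent=True")
    print("consented tenant:", parse_admin_consent_callback(cb, state))
```

The state value is the only thing binding the callback to a request your server started; store it in the admin's session, not in a cookie the callback itself can set. Passing `allowed_tenants` is the cheap way to stop a stranger's tenant from consenting to your multi-tenant app and then being treated as an onboarded customer.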

@DanijelMalik (Author)

Thanks for your answer. It doesn't help, but I appreciate it anyway :)
So roughly speaking, how far away are we from having a proper API for this?

@souravmishra-msft (Contributor)

@DanijelMalik, I totally understand your frustration, and this is a widely requested feature. If you check this site https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/31562305-ability-to-grant-permissions-via-api-or-powershell, you would see that 131 customers have voted for the same, and this feature is in review, but there is no ETA on this yet. But surely it's expected to be served soon.

It would be great if you could upvote the link above.

@DanijelMalik (Author)

I already voted. I wish I had a thousand more ;)

@souravmishra-msft (Contributor)

@DanijelMalik, I am going ahead and closing this thread for now. But feel free to re-open this whenever you want any further help on this.

I wish I could help you with some more details, but unfortunately it's a roadblock for now.

Hopefully we will have this implemented soon, so that it helps a large customer base in automating the consent work.

@thbkthf commented Feb 18, 2020

For me it works if I call New-AzureADServiceAppRoleAssignment from the AzureAD PowerShell module.

```powershell
# Requires the AzureAD module and an authenticated session
Connect-AzureAD

# Service principal of the app that needs the permission
$scp = Get-AzureADServicePrincipal -Filter "displayName eq 'yourServicePrincipal'"
# Service principal of the resource that exposes the permission (Microsoft Graph here)
$app = Get-AzureADServicePrincipal -Filter "displayName eq 'Microsoft Graph'"

# Pick the application permission (app role) by its value
$appRole = $app.AppRoles | Where-Object { $_.Value -eq "User.Invite.All" }

# Assigning the app role to the service principal is what "Grant admin consent" does for application permissions
New-AzureADServiceAppRoleAssignment -ObjectId $scp.ObjectId -PrincipalId $scp.ObjectId -ResourceId $app.ObjectId -Id $appRole.Id
```

@belaie commented Mar 9, 2023

We want consentToApp to be invoked by a service principal non-interactively, from the Microsoft Graph API. How can we achieve this?
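The Microsoft Graph REST counterpart of the New-AzureADServiceAppRoleAssignment call posted above, which is also the non-interactive, service-principal-driven route asked about in the last comment. This is an editor-added example, not code from the thread or from Microsoft. Application permissions are granted by creating appRoleAssignments on the client's service principal; tenant-wide delegated consent (the `onBehalfOfAll: true` of the original post) is an oauth2PermissionGrant with `consentType: AllPrincipals`. The service principal document, object ids, role ids and existing assignment below are constructed samples; only the Microsoft Graph appId is the real well-known value. The live POST runs only when a `GRAPH_TOKEN` environment variable is set, and the token must carry a permission that allows writing grants (AppRoleAssignment.ReadWrite.All or DelegatedPermissionGrant.ReadWrite.All respectively; confirm the exact set in the Graph permissions reference).

```python
"""Non-interactive admin consent through Microsoft Graph (editor-added example).

Not code from the issue thread or from Microsoft. Graph REST counterpart of the
New-AzureADServiceAppRoleAssignment call above:
  application permissions  -> POST /servicePrincipals/{client}/appRoleAssignments
  delegated, onBehalfOfAll -> POST /oauth2PermissionGrants (consentType AllPrincipals)
All object ids, role ids and the servicePrincipal document are constructed
samples; the network call in graph_post() runs only if GRAPH_TOKEN is set.
"""
import json
import os
import urllib.request
from typing import Dict, List

GRAPH = "https://graph.microsoft.com/v1.0"
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph

# Constructed sample: relevant fields of GET /servicePrincipals?$filter=appId eq '{MS_GRAPH_APP_ID}'
SAMPLE_RESOURCE_SP = {
    "id": "aaaaaaaa-0000-0000-0000-000000000001",
    "appId": MS_GRAPH_APP_ID,
    "appRoles": [
        {"id": "11111111-0000-0000-0000-000000000001", "value": "User.Read.All",
         "isEnabled": True, "allowedMemberTypes": ["Application"]},
        {"id": "11111111-0000-0000-0000-000000000002", "value": "User.Invite.All",
         "isEnabled": True, "allowedMemberTypes": ["Application"]},
        {"id": "11111111-0000-0000-0000-000000000003", "value": "Directory.ReadWrite.All",
         "isEnabled": False, "allowedMemberTypes": ["Application"]},
    ],
}
SAMPLE_CLIENT_SP_ID = "bbbbbbbb-0000-0000-0000-000000000002"  # object id of the child app's SP
# Constructed sample: one assignment already present on the client SP.
SAMPLE_EXISTING = [{"appRoleId": "11111111-0000-0000-0000-000000000001",
                    "principalId": SAMPLE_CLIENT_SP_ID,
                    "resourceId": SAMPLE_RESOURCE_SP["id"]}]


def resolve_app_role_ids(resource_sp: dict, wanted: List[str]) -> Dict[str, str]:
    """Map permission values (e.g. 'User.Read.All') to appRole ids on the resource.

    Only enabled roles that allow the 'Application' member type count: a name
    that exists solely as a delegated scope must not be granted as an app role.
    """
    by_value = {
        r["value"]: r["id"]
        for r in resource_sp["appRoles"]
        if r.get("isEnabled") and "Application" in r.get("allowedMemberTypes", [])
    }
    missing = [v for v in wanted if v not in by_value]
    if missing:
        raise LookupError(f"not an enabled application permission on resource: {missing}")
    return {v: by_value[v] for v in wanted}


def plan_app_role_assignments(client_sp_id: str, resource_sp: dict,
                              wanted: List[str], existing: List[dict]) -> List[dict]:
    """Return the POST bodies still needed; assignments already present are skipped."""
    have = {(a["appRoleId"], a["resourceId"]) for a in existing
            if a["principalId"] == client_sp_id}
    bodies = []
    for _value, role_id in resolve_app_role_ids(resource_sp, wanted).items():
        if (role_id, resource_sp["id"]) in have:
            continue  # idempotent re-run: Graph rejects duplicate assignments anyway
        bodies.append({"principalId": client_sp_id,
                       "resourceId": resource_sp["id"],
                       "appRoleId": role_id})
    return bodies


def oauth2_permission_grant_body(client_sp_id: str, resource_sp_id: str,
                                 scopes: List[str]) -> dict:
    """Tenant-wide delegated consent, the Graph form of onBehalfOfAll=true."""
    return {"clientId": client_sp_id,
            "consentType": "AllPrincipals",   # applies to every user; no principalId
            "resourceId": resource_sp_id,
            "scope": " ".join(scopes)}


def graph_post(path: str, body: dict, token: str) -> dict:
    """Live call with an app-only token; see the lead-in for the permission it needs."""
    req = urllib.request.Request(f"{GRAPH}{path}", data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    plan = plan_app_role_assignments(SAMPLE_CLIENT_SP_ID, SAMPLE_RESOURCE_SP,
                                     ["User.Read.All", "User.Invite.All"], SAMPLE_EXISTING)
    print(json.dumps(plan, indent=2))  # dry run; nothing is written without a token
    token = os.environ.get("GRAPH_TOKEN")
    if token:
        for body in plan:
            graph_post(f"/servicePrincipals/{SAMPLE_CLIENT_SP_ID}/appRoleAssignments",
                       body, token)
```

Keep the planning step separate from the write: whatever holds the token that can create these grants is effectively a tenant-wide consent authority, so log the computed plan, grant the master app only the write permission it needs, and never resolve role ids by display name alone (filter the resource service principal by appId, as the constructed sample does).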
