
0 Votes
GiovanniToraldo-2168 asked GiovanniToraldo-2168 edited

AOBO (Admin-On-Behalf-Of) flow REST API

Does anyone have a code example for the AOBO flow?
What I'm trying to achieve is to manage the resources inside the customer's Azure subscription as admin.

So, I need a REST API flow where I ask the user for a token that authorizes the admin to access the resources inside his Azure tenant, purchased on CSP.

azure-active-directory

0 Votes
FrankHuMSFT-3200 answered

@GiovanniToraldo-2168 can you clarify what you mean in regards to the flow? I'm not sure I understand. It sounds like you want to ask the user to login, and then that requires the admin to grant admin consent to access the resource.

Which should just be an authorization flow with permissions that require admin consent. You will need to disable user consent per the docs below.


Please see here for more information on that:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
https://joonasw.net/view/defining-permissions-and-roles-in-aad

Specifically, from the last link, note:

"type": "User" means this permission can be granted by a non-admin user.
Use "type": "Admin" if you want it to be grantable by admin only


1 Vote
GiovanniToraldo-2168 answered GiovanniToraldo-2168 edited

> It sounds like you want to ask the user to login, and then that requires the admin to grant admin consent to access the resource

Nope, as admin, I would like to ask my users for permission to manage their Azure resources.
I would like, as administrator, as an admin agent user, to provision resources inside my customers' Azure subscriptions.
It is already possible to do that using the web interface, but I cannot figure out how to do it using the REST API.


