GiovanniToraldo-2168 asked ·

AOBO Admin-On-Behalf-Of flow rest api

Anyone have a code example for the AOBO flow? What I'm trying to achieve is to manage the resources inside the customer's Azure subscription as admin.

So, I need a REST API flow where I ask the user for a token that authorizes the admin to access the resources inside his Azure tenant, purchased on CSP.

azure-active-directory

FrankHuMSFT-3200 answered ·

@GiovanniToraldo-2168 can you clarify what you mean in regards to the flow? I'm not sure I understand. It sounds like you want to ask the user to log in, and then that requires the admin to grant admin consent to access the resource.

Which should just be an authorization flow with permissions that require admin consent. You will need to disable user consent per the docs below.

Please see here for more information on that:
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-user-consent
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
https://joonasw.net/view/defining-permissions-and-roles-in-aad

Specifically, from the last link, note:

"type": "User" means this permission can be granted by a non-admin user. Use "type": "Admin" if you want it to be grantable by admin only

GiovanniToraldo-2168 answered ·

> It sounds like you want to ask the user to login, and then that requires the admin to grant admin consent to access the resource

Nope, as admin, I would like to ask my users for permission to manage their Azure resources.
I would like, as administrator, as admin agent user, to provision resources inside my customers' Azure subscriptions.
It is already possible to do that using the web interface, but I cannot figure out how to do it using the REST API.
