question

NDNMD avatar image
0 Votes"
NDNMD asked azure-cxp-api edited

Graph API permissions required to use onPremisesPublishing?

Hi ,

I am following documentation to create App Proxy applications via the Graph API.
https://docs.microsoft.com/en-us/graph/application-proxy-configure-api?tabs=http#step-2-configure-application-proxy-properties

I am receiving 403 unauthorized when performing PATCH against onPremisesPublishing object.

{
"error": {
"code": "NotAdminRoleNoEnoughCustomPermission_UnauthorizedAccess",
"message": "Unauthorized Access.",
"innerError": {
"date": "2021-03-03T12:13:42",
"request-id": "",
"client-request-id": ""
}
}
}

I have delegated permissions set for:
Directory.ReadWrite.All
Applications.ReadWrite.All
OnPremisesPublishingProfiles.ReadWrite.All

Which other permissions would this API require?
Thanks!

azure-ad-app-registrationazure-ad-application-proxy
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

DanKershaw-5643 avatar image
1 Vote"
DanKershaw-5643 answered NDNMD commented

@NDNMD I suspect that the signed-in user needs to be in either Cloud Application Administrator or the Application Administrator role. With delegated permissions the service looks at both the permissions granted to the app AND the permissions that the signed-in user has. and decides whether the combo means that the user+app have access to the API operation.
See https://docs.microsoft.com/en-us/graph/auth/auth-concepts#delegated-and-application-permissions for more info on delegated permissions.

Hope this helps
Dan

· 1
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

NDNMD avatar image NDNMD ·

Hi Dan - Thank you this fixed the issue. I gave the account Application Admin role in Azure AD and worked without issue.

Do you know if this API will ever be possible using application permissions? I was hoping to use system-managed identity in a logic app to help automate the creation of app proxy. Is there a way for me to give the role to the managed identity instead?

Many thanks for your help!

0 Votes 0 ·