question

0 Votes
SunainaBidurgaShashikumar-8542 asked SunainaBidurgaShashikumar-8542 answered

Unable to write to Graph APIs

Hi All,

I'm currently trying to create a secret credential for my AAD applications and I'm unable to perform write operations on the Graph API. I have tried using Managed Identity, AAD certificate and AAD secret credential and all are giving me an unauthorized error. I tried to request Delegated permission on MS Graph APIs and it said I need admin consent for this. Is this the only way to get write permissions for this API?

azure-ad-app-registration

1 Vote
vipulsparsh-MSFT answered vipulsparsh-MSFT edited

@SunainaBidurgaShashikumar-8542 Thanks for reaching out.

Can you help us understand what your end goal is?

If the particular API needs admin permission, it lists them out while you are trying to add the API option. You cannot work around it for that API.
Not all write APIs need admin permission, though. We can help you further if you share more details.

Note: Any API which needs admin consent must have admin consent to work. There is no workaround, and avoiding this some way is more of a security risk.


0 Votes
SunainaBidurgaShashikumar-8542 answered vipulsparsh-MSFT commented

Thank you for taking the time on this, Vipul.

I'm trying to implement a service to rotate the client secret passwords for our AAD applications. I learnt that I don't have Application.ReadWrite.OwnedBy, Application.ReadWrite.All permission for this. However, when I request this permission on the Azure portal, it said I need admin consent. The issue here is, these permissions are granted only for Production data but in my case, we have applications on our test environments which need secret rotation. Is there any way I can get these permissions for our non-AME applications?


@SunainaBidurgaShashikumar-8542 Thanks, I have updated my answer as per your question.


If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" the answer that helped you, for the benefit of the community.

0 Votes 0 ·

Thanks for your answer @vipulsparsh-MSFT. I have one more question as to whether this API permission can be granted to applications in PPE?

0 Votes 0 ·
vipulsparsh-MSFT SunainaBidurgaShashikumar-8542 ·

@SunainaBidurgaShashikumar-8542 You can give any API permission to any App in any environment provided you have the right set of credentials. If the API needs global admin consent, you can surely consent to it with a GA account in the PPE environment.

1 Vote 1 ·
1 Vote
SunainaBidurgaShashikumar-8542 answered

Thank you for your response. I'll try to get Admin consent to set the right permissions.

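Added example (not part of the thread, and not Microsoft's code): a pre-flight check for the rotation service discussed above. It decodes, without verifying, an access token to see whether it carries one of the permissions named in the thread, and builds the Microsoft Graph `addPassword` / `removePassword` request bodies. Function names, the 90-day lifetime and the sample data are assumptions; the sample timestamps have no fractional seconds.

```python
import base64, json
from datetime import datetime, timedelta, timezone

# Permissions named in the thread; either one allows writing app credentials.
WRITE_PERMS = {"Application.ReadWrite.OwnedBy", "Application.ReadWrite.All"}

def token_permissions(jwt: str) -> set:
    """Decode (NOT verify) a JWT payload and return its Graph permissions.
    App-only tokens list them in `roles`; delegated tokens in `scp`."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("roles", [])) | set(claims.get("scp", "").split())

def can_write_credentials(jwt: str) -> bool:
    """True if the token was issued with a consented write permission."""
    return bool(token_permissions(jwt) & WRITE_PERMS)

def plan_rotation(app: dict, now: datetime, lifetime_days: int = 90) -> dict:
    """Build one addPassword body plus a removePassword body for every
    secret that has already expired. Unexpired secrets are kept so running
    clients keep working until they pick up the new one."""
    expired = [c["keyId"] for c in app.get("passwordCredentials", [])
               if datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00")) <= now]
    end = (now + timedelta(days=lifetime_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "addPassword": {"passwordCredential": {
            "displayName": f"rotated-{now:%Y%m%d}", "endDateTime": end}},
        "removePassword": [{"keyId": k} for k in expired],
    }

def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned token for the demo only."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=")
    return "e30." + body.decode() + ".sig"

# Constructed sample data (not from the thread).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
APP = {"passwordCredentials": [
    {"keyId": "00000000-0000-0000-0000-000000000001", "endDateTime": "2023-12-01T00:00:00Z"},
    {"keyId": "00000000-0000-0000-0000-000000000002", "endDateTime": "2024-03-01T00:00:00Z"},
]}

if __name__ == "__main__":
    ok = make_unsigned_jwt({"roles": ["Application.ReadWrite.OwnedBy"]})
    no = make_unsigned_jwt({"scp": "User.Read"})
    print(can_write_credentials(ok), can_write_credentials(no))
    print(json.dumps(plan_rotation(APP, NOW), indent=2))
```

A token that fails `can_write_credentials` will be rejected by Graph regardless of the credential type used to obtain it, which matches the answer above: the permission must be consented by an admin in the tenant where the application lives.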