question

LuisSanchez-1146 asked amanpreetsingh-msft commented

Microsoft Graph API permissions do not work, but Azure Active Directory Graph permissions do

Hi,

We have configured an app registration in our Azure AD, and we tried adding some API permissions to find out which ones we need to execute:

 az ad app update --id xxx --add replyUrls "https://example.com/testing/"

We realized that the right permissions are:

  • Azure Active Directory Graph:
    • Application.ReadWrite.OwnedBy
    • Directory.Read.All

But Azure Active Directory Graph will be deprecated, so we tried to switch to the same permissions on Microsoft Graph. In this case, we tried to update the application with the previous command, and we received the message: Insufficient privileges to complete the operation

Could this be a bug in API permissions?


1 Answer

amanpreetsingh-msft answered amanpreetsingh-msft commented

Hi @LuisSanchez-1146 · Thank you for reaching out.

The cmd az ad app update --id xxx --add replyUrls "https://example.com/testing/" still uses graph.windows.net (Azure AD Graph) and not graph.microsoft.com (Microsoft Graph), which is why, if you want to use this command, you need to keep the Azure AD Graph permissions in place.

There is no bug in Microsoft Graph API as I tested this out in my lab and it works with these permissions. Below are the steps I performed:

  1. Acquired an application token with the permissions below:
    108653-image.png

  2. Made the PATCH call below to update the redirect URI:
    108538-image.png

  3. Checked the application in the portal and confirmed that the redirect URI is updated:
    108569-image.png


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
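
An added example, not part of the original answer and not Microsoft code: a Python diagnostic for the mismatch discussed above. It decodes an app-only token to see which API it targets and whether it carries the needed role, then builds the Microsoft Graph PATCH request for the redirect URI. The helper names, the sample tokens (constructed and unsigned) and the object-id placeholder are assumptions; the required role is taken from the question.

```python
import base64
import json

# Well-known audiences: resource URL or first-party application ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}
AAD_GRAPH_AUDIENCES = {"https://graph.windows.net", "00000002-0000-0000-c000-000000000000"}


def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token, required_role="Application.ReadWrite.OwnedBy"):
    """Say whether an app-only token can update an application via Microsoft Graph."""
    claims = jwt_claims(token)
    aud = claims.get("aud", "").rstrip("/")
    if aud in AAD_GRAPH_AUDIENCES:
        return "wrong-api: token is for Azure AD Graph (graph.windows.net)"
    if aud not in GRAPH_AUDIENCES:
        return "wrong-api: unexpected audience " + aud
    if required_role not in claims.get("roles", []):  # app permissions arrive as roles
        return "missing-role: " + required_role + " not granted or not consented"
    return "ok"


def build_patch(object_id, redirect_uris):
    """Return (method, url, body) for the Microsoft Graph 'Update application' call."""
    url = "https://graph.microsoft.com/v1.0/applications/" + object_id
    # Microsoft Graph names the property web.redirectUris (replyUrls in Azure AD Graph).
    return "PATCH", url, json.dumps({"web": {"redirectUris": redirect_uris}})


def make_token(claims):
    """Constructed, unsigned sample token for the demo (not a real credential)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    samples = [  # constructed claim sets
        {"aud": "https://graph.windows.net", "roles": ["Application.ReadWrite.OwnedBy"]},
        {"aud": "https://graph.microsoft.com", "roles": ["Directory.Read.All"]},
        {"aud": "https://graph.microsoft.com", "roles": ["Application.ReadWrite.OwnedBy"]},
    ]
    for c in samples:
        print(c["aud"], "->", diagnose(make_token(c)))
    print(build_patch("<application-object-id>", ["https://example.com/testing/"]))
```

In a CI job, running the audience and role check before the PATCH call turns a generic "Insufficient privileges" failure into a specific one.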



Hi @amanpreetsingh-msft,

Thanks so much for your help.

In that case, I suppose that we shouldn't use the az-cli tool, because it is using a deprecated endpoint for some commands. So, do you recommend using the Microsoft Graph REST API directly? We are looking for the best way to use in our CI system to perform some actions on our Azure AD subscription.

On the other hand, are there plans to update az-cli to use the right endpoints?


Hi @LuisSanchez-1146 · Yes, you can use the Microsoft Graph API directly. Please refer to the Update application document, which also includes request examples with SDKs for C#, JavaScript, Objective-C, and Java.

Are there plans to update az-cli to use right end-points?
Eventually everything including az-cli and Az PowerShell will be updated to use Microsoft Graph but there is no ETA as of now.



Understood. Thanks so much for the info @amanpreetsingh-msft
