
I'm trying to give a console app permission to call an API in Azure AD.

When I go to "Add permissions," "application permissions" is grayed out and I can only select "delegated permissions."

My understanding is that application permissions is right for the console app because it runs on the back-end and users don't sign into it.

From the help text for "application permissions":

Your application runs as a background service or daemon without a signed-in user.

The help text for "delegated permissions":

Your application needs to access the API as the signed-in user.

Why is "application permissions" disabled?

Azure's "Request API permissions" dialog with a disabled "application permission" button

Eric Eskildsen

2 Answers


Per my understanding, you are exposing your custom API protected by Azure AD. If so, you need to define the application permission by editing the manifest of your API app.


manifest:

```json
"appRoles": [
    {
        "allowedMemberTypes": [
            "Application"
        ],
        "description": "Apps that have this role have the ability to invoke my API",
        "displayName": "Can invoke my API",
        "id": "fc803414-3c61-4ebc-a5e5-cd1675c14bbb",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "myTestRole"
    }
]
```

Then the application permission will show up.


Tony Ju
  • That was it! I manually generated the GUID for the id property of the new role (PowerShell > `New-Guid` > Enter). I don't know if there's a way to do it in Portal (or if it even has to be a GUID), but it accepted it. – Eric Eskildsen Aug 07 '19 at 13:22
  • Beware, counter-intuitively "The displayName cannot contain spaces." according to the linked doc. – Fabian Nicollier Jan 09 '20 at 11:58
  • This seems like something Microsoft should build a GUI/UI blade for, no? – user1060500 Jan 25 '20 at 02:44
  • What is the ID that goes in the appRoles entry? The id of the API you're trying to grant access to? Or the app you're editing? or something else ... ? – Journeyman1234 Mar 18 '20 at 16:48
  • Meaning it can be literally anything? – Journeyman1234 Mar 19 '20 at 07:24
  • @Journeyman1234 Yes, just note that the id must be a unique GUID. – Tony Ju Mar 19 '20 at 07:27
  • How is it possible that this doesn't even appear in this doc? https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow – Martín La Rosa Apr 24 '20 at 23:25
  • @A.com It also won't show for me. Did you solve it? – JBernardo Aug 12 '21 at 16:04
  • @JBernardo you actually don't give it permissions that way. It's really confusing. Instead you add your registered app to your subscription and apply a reader role, sort of through IAM. See here https://medium.com/@crlmas07/programmatic-access-to-azure-portal-d925ea90831e – A.com Aug 12 '21 at 16:33
  • @A.com Thanks a lot! I couldn't find that in any docs – JBernardo Aug 13 '21 at 12:55
  • just added it as an answer so others see it hopefully @JBernardo – A.com Aug 14 '21 at 13:02
  • Be aware, if you want to edit the appRole that you've added via the Portal manifest editor, you'll have to first set its isEnabled property to false and hit Save. After saving, you'll then be able to edit the other properties and the editor will allow to save the changes. You'll then have to set the isEnabled property back to true. If you don't follow this, you'll see a "Permission (scope or role) cannot be deleted or updated unless disabled first." error message. – Chris Keith May 31 '23 at 13:55
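As an added example that is not part of Tony Ju's answer, the comments, or any Microsoft code: a Python script that builds the appRoles entry described above with a locally generated GUID (the New-Guid approach from the comments), validates the constraints the thread raises (the id must be a GUID and unique, allowedMemberTypes must contain "Application", the value must be unique and must not contain spaces), and shows the check the API itself has to perform once the role exists. Defining the role in the manifest only lets an admin grant it to the console app; a token obtained with client credentials carries granted app roles in the roles claim (a delegated token carries scp instead), and nothing is enforced until the API checks aud and roles on each request. The empty manifest, the token payloads and the api://my-api audience are constructed for this example.

```python
"""Add an application-only appRole to an Azure AD app manifest and enforce it.

Added example for this thread (not the answer author's or Microsoft's code).
The manifest fragment, token payloads and audience below are constructed so
the script runs offline.
"""
import json
import re
import uuid

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def make_app_role(value, display_name, description, role_id=None):
    """Build one appRoles entry for a daemon (client-credentials) caller.

    allowedMemberTypes is fixed to ["Application"]; that is what makes the
    role appear under 'Application permissions' in the portal. The id is a
    freshly generated GUID unless one is supplied.
    """
    return {
        "allowedMemberTypes": ["Application"],
        "description": description,
        "displayName": display_name,
        "id": role_id or str(uuid.uuid4()),
        "isEnabled": True,
        "lang": None,
        "origin": "Application",
        "value": value,
    }


def validate_app_roles(app_roles):
    """Return a list of problems; an empty list means the array is acceptable."""
    problems = []
    seen_ids, seen_values = set(), set()
    for role in app_roles:
        rid = str(role.get("id", ""))
        if not GUID_RE.match(rid):
            problems.append(f"{rid!r}: id is not a GUID")
        if rid.lower() in seen_ids:
            problems.append(f"{rid!r}: duplicate id")
        seen_ids.add(rid.lower())
        value = role.get("value", "")
        if not value or " " in value:
            problems.append(f"{rid!r}: value must be non-empty with no spaces")
        if value in seen_values:
            problems.append(f"{rid!r}: duplicate value {value!r}")
        seen_values.add(value)
        if "Application" not in role.get("allowedMemberTypes", []):
            problems.append(f"{rid!r}: not an application permission")
    return problems


def add_app_role(manifest, role):
    """Return a copy of manifest with role appended, or raise on a bad result."""
    roles = list(manifest.get("appRoles", [])) + [role]
    problems = validate_app_roles(roles)
    if problems:
        raise ValueError("; ".join(problems))
    return {**manifest, "appRoles": roles}


def caller_has_role(claims, required_role, expected_audience):
    """Authorization check the protected API must do on every request.

    `claims` is the payload of an access token whose signature, issuer and
    expiry were already verified. Client-credentials tokens carry granted app
    roles in 'roles'; delegated tokens carry 'scp' and must not pass here.
    """
    if claims.get("aud") != expected_audience:
        return False
    return required_role in claims.get("roles", [])


# Constructed inputs: an API registration with no roles yet, and two
# already-verified token payloads (one daemon, one signed-in user).
MANIFEST = {"appRoles": []}
ROLE = make_app_role(
    "myTestRole", "Can invoke my API",
    "Apps that have this role have the ability to invoke my API",
)
UPDATED = add_app_role(MANIFEST, ROLE)
DAEMON_TOKEN = {"aud": "api://my-api", "roles": ["myTestRole"]}
USER_TOKEN = {"aud": "api://my-api", "scp": "access_as_user"}

if __name__ == "__main__":
    print(json.dumps(UPDATED, indent=2))
    print(caller_has_role(DAEMON_TOKEN, "myTestRole", "api://my-api"))  # True
    print(caller_has_role(USER_TOKEN, "myTestRole", "api://my-api"))    # False
```

Paste the printed appRoles array into the manifest editor (or pass it to whatever tooling you use to update the registration); the second half of the script is the part people forget, since the portal grants the permission but the API code is what actually denies a delegated or wrongly-audienced token.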

You actually don't give it permissions that way. It's really confusing. Instead you add your registered app to your subscription and apply a reader role, sort of through IAM. See here:

https://medium.com/@crlmas07/programmatic-access-to-azure-portal-d925ea90831e

A.com
  • I also found another way of creating the app without that much hassle. It is called a service principal and automatically adds a role in the command line: https://learn.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli Thank you for pointing me in the right direction. I've awarded you a bounty – JBernardo Aug 17 '21 at 14:01
  • I am not clear here: once you assign the reader role, it is a reader role for the MSI on that subscription, very different from granting access to a particular role for an app. The medium article is trying to build an app that has access to all Azure resources in a subscription. – amritanshu Apr 16 '23 at 16:16