Tags: azure, azure-active-directory, access-token

Azure AD remove permissions for registered app


I am using Azure AD to secure my service to service calls. (Each service having an application identity in Azure AD).

Example: Application A wants to access Application B.

I noticed that when requesting an access token from Application A using the Client Credential Flow (with certificate), an access token is issued without my having to explicitly set the permissions to access Application B.

This seems odd to me because the token returned has its audience set to Application B even though I haven't explicitly given it access.

If I understand correctly, all registered apps have access to each other by default?

Is there a way in Azure AD to explicitly require permissions to be set in order for application to access each other?

Below is a screenshot of Application A required permissions. As you can see, Application B is not listed here.


In the following screenshot, I assigned TodoListService (aka Application B) to the required permissions of Application A



Solution

  • I noticed that when requesting an access token from Application A using the Client Credential Flow (with certificate), an access token is issued without my having to explicitly set the permissions to access Application B.

    Yeah, that one can be a bit surprising and I'm not sure why that is the case either.

    What you need to do is define application permissions on the API, and then assign them on the client. Then you need to check that the caller has the required app permission in the token.

    I have an article on this topic: Defining permission scopes and roles offered by an app in Azure AD.

    To define an app permission on the API, you'll have to edit its manifest in Azure AD, and add an app role with member type of Application, something like:

    {
      "appRoles": [
        {
          "allowedMemberTypes": [
            "Application"
          ],
          "displayName": "Read all todo items",
          "id": "f8d39977-e31e-460b-b92c-9bef51d14f98",
          "isEnabled": true,
          "description": "Allow the application to read all todo items as itself.",
          "value": "Todo.Read.All"
        }
      ]
    }
    

    IIRC you have to generate a GUID for the id. After defining this permission on the API, go to your client app, and add the app permission in the Required permissions. Then you should press Grant permissions to grant the app permission.

    Now when the client acquires a token with client credentials, the token will contain:

    {
      "roles": [
        "Todo.Read.All"
      ]
    }
    

    So you'll have to check that that is present.
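The check the answer ends on is the part that is easy to get wrong, so here is an added worked example (not code from the question, the answer, or the TodoListService sample) of what the API side has to do: validate the token, then refuse any caller whose token does not carry the expected `roles` value, even when the audience is correct. The tenant ID, App ID URI and client app ID are made-up placeholders. Azure AD signs access tokens with RS256 and publishes the verification keys at the tenant's JWKS endpoint; to keep the example runnable offline with only the standard library, the tokens below are minted and verified with HS256 and a constructed shared secret, which stands in for that step and is not how a production API should verify signatures.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed identifiers for the example (hypothetical, not from the page).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
API_APP_ID_URI = "https://contoso.onmicrosoft.com/TodoListService"
CLIENT_APP_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
EXPECTED_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"
REQUIRED_ROLE = "Todo.Read.All"  # the "value" of the appRole defined on the API

# Stand-in for Azure AD's RS256 signing keys (JWKS). A real API must verify
# RS256 signatures against the tenant's published keys, never a shared secret.
SIGNING_KEY = b"example-shared-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Mint an HS256 JWT so the example can construct test tokens offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def validate_token(token: str, now: Optional[float] = None) -> dict:
    """Verify signature, issuer, audience and lifetime; return the claims.

    Passing the token does NOT mean the caller is authorized: Azure AD issues
    a token with the API as audience to any app in the tenant that asks.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise PermissionError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        raise PermissionError("unexpected alg")
    expected_sig = hmac.new(
        SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise PermissionError("wrong issuer")
    if claims.get("aud") != API_APP_ID_URI:
        raise PermissionError("wrong audience")
    now = time.time() if now is None else now
    if now >= claims.get("exp", 0):
        raise PermissionError("token expired")
    return claims


def require_app_role(claims: dict, role: str) -> None:
    """The authorization check the answer describes.

    A client that was never granted the app permission still gets a token with
    the right audience; that token simply has no "roles" claim at all.
    """
    roles = claims.get("roles")
    if not isinstance(roles, list) or role not in roles:
        raise PermissionError(f"missing app role {role}")


def is_authorized(token: str, role: str = REQUIRED_ROLE,
                  now: Optional[float] = None) -> bool:
    """Validation plus role check, as a single yes/no for a request handler."""
    try:
        require_app_role(validate_token(token, now), role)
        return True
    except PermissionError:
        return False


# Constructed sample tokens covering the cases from the question and answer.
NOW = 1_700_000_000
_base = {"iss": EXPECTED_ISSUER, "aud": API_APP_ID_URI, "tid": TENANT_ID,
         "appid": CLIENT_APP_ID, "iat": NOW, "exp": NOW + 3600}
TOKEN_WITH_ROLE = make_token({**_base, "roles": [REQUIRED_ROLE]})
TOKEN_NO_ROLE = make_token(_base)  # what Application A got before any grant
TOKEN_WRONG_AUD = make_token({**_base, "aud": "https://contoso.onmicrosoft.com/OtherApi",
                              "roles": [REQUIRED_ROLE]})

if __name__ == "__main__":
    for name, tok in [("with role", TOKEN_WITH_ROLE), ("no role", TOKEN_NO_ROLE),
                      ("wrong aud", TOKEN_WRONG_AUD)]:
        print(f"{name:10s} -> {'allow' if is_authorized(tok, now=NOW) else 'deny'}")
```

The `TOKEN_NO_ROLE` case is the situation in the question: it passes every standard validation step (signature, issuer, audience, expiry) and is rejected only because the API insists on the `Todo.Read.All` role. Checking `aud` alone would have let it through.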