Using Microsoft.Graph to get current application permissions

Question

My C# program uses the Microsoft.Graph Nuget. And it needs be able to ensure that it has the correct Microsoft Graph application permissions.

I know how to add permissions in AD, but I want my program to be able test it has the permissions it needs.

Example of what I want to achieve :

var graphClient = new GraphServiceClient(authenticationProvider);

if(!graphClient.GetPermissions().Contains("AdministrativeUnit.Read.All"))
{
    throw new Exception("Missing Permission AdministrativeUnit.Read.All")
}

Thanks in advance !

Answer 1

It's a long way.

Here I provide a general idea of Microsoft Graph beta version(through HTTP method):

1. Get the Object ID of the servicePrincipal based on the App ID: GET https://graph.microsoft.com/beta/servicePrincipals?$filter=appId eq '{App ID}'.
2. Get the appRole information (the application permission information) based on the Object ID from step 1: GET https://graph.microsoft.com/beta/servicePrincipals/{Object ID}/appRoleAssignedTo.
3. Get a match list of appRoleID and Microsoft Graph application permission name: GET https://graph.microsoft.com/beta/servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'. Please note that "00000003-0000-0000-c000-000000000000" is a fixed value， which represents the App ID of the Microsoft internal Graph App.
4. Compare the results of the 2nd and 3rd steps and you will know which application permissions are in your Azure AD app.

By the way, Get appRoleAssignment is only available in beta version currently, but beta version api is not recommended to use.

APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported.