In Azure Active Directory App Registration Api Permissions, how do we enable the adding user_impersonation?
We have multiple microservices, some of which need to talk to each other without human interaction, and some of which require App Roles in order to grant access.
Instead of using the Resource Owner Password Credentials grant flow which is "not recommended", we'd like for to include App Roles from the registered app within the appropriate JWT tokens.
To do this, we need to include the delegated permission "user_impersonation" as a permission for the API we need to access.
I've figured out how to do this sometimes, but it does not always seem to be available as an API permission for any particular application.
What do I need to do to make this available on an application where it is not already available so I can grant the permission and thereby get the app roles included in the JWT tokens?
Azure Active Directory blade has two App registration options> legacy and preview. In legacy app registrartion when we click on the option ‘Expose an API’ you can see there is a user_impersonation scope created automatically.
But for preview we need to create manually with scope > user_impersonation.
user_impersonation scope name could be anything you because it is a custom scope, as long as your code check for that same scope name that you created.
So after creating that custom scope , you can try to get Get access on behalf of a user - Microsoft Graph | Microsoft Docs if required.
Also please note that when you are using client credential flow and using application permission , you get roles in place of scope i.e; scp claim in the token.
Check this > SO reference.
Also check this github discussion for same point. Also you can reach out to AzureSuport Team for further troubleshooting.
- Azure Permission - needed for creating resource group - RBAC
- Is it possible to have a non-interactive code that logs in to Azure and creates users in Microsoft Entra ID?
- Microsoft as OAuth2 provider for personal accounts does not issue JWT access tokens
- Updating App Registration's Configured permission without overwritten existing values
- Azure trusted signing Identity validation process stuck due to inability to upload required documents
- How to debug Bearer error="invalid_token"
- Azure global admin cannot(disabled) add roles under "Access Control(IAM)"
- Access and Modify SharePoint Online list using PnP.Powershell and AccessTokens / Registered App
- How to find the delay when I reset a password using Microsoft's Graph API?
- Outlook calendar don't render with FullCalendar
- Azure Remove User Consent to API
- .NET Core Multi Tenancy authentication
- Production slot not using Production as ASPNETCORE_ENVIRONMENT variable
- Microsoft Identity Web: Change Redirect Uri
- Authenticating to Azure application with JMeter
- How do I solve audience (aud) invalid claim error for downstream api service?
- invalid_request: The provided value for the input parameter 'redirect_uri' is not valid
- I am getting an error that OAuth2 Code has already been redeemed
- Generating token for Fabric Rest api using client secret
- AADSTS700016: Application with identifier 'XXX' was not found in the directory 'directory_name'
- Authenticate to SQL Server with Azure app service managed identity through group
- Why is my Azure AD token request returning HTTP 400 consent error for API permissions that have been granted?
- Azure AD:Authenticate Devices
- How to set Azure MSAL SSO for my Nextjs14 app using Approuter and next-auth
- Unable to Connect to Azure PostgreSQL Database via Point-to-Site VPN with Azure Active Directory on macOS
- How do I retrieve the service principal password after creation using the azure cli?
- Cannot create Azure B2C Tenant
- Accessing Graph API from multi tenant App Function via identity
- Rename a user in Azure Devops
- My Azure AD B2C User Flow is not returning a token on jwt.ms