Adding permissions to an application in Azure app registration
I'm currently learning about Azure app registrations, and there is something I don't quite understand. The docs in Quickstart: Configure a client application to access a web API say that the "Configured permissions" in the API Permissions of an app registration is basically a list of all the permissions that your application requires for basic operation. The exact quote:
The Configured permissions table on the API permissions pane shows the list of permissions that your application requires for basic operation - the required resource access (RRA) list. Users, or their admins, will need to consent to these permissions before using your app. Other, optional permissions can be requested later at runtime (using dynamic consent).
additionally, it states that:
Whenever you configure permissions, users of your app are asked at sign-in for their consent to allow your app to access the resource API on their behalf.
Now, I have tried following the Python quickstart demo, which signs-in a user and accesses the MicrosoftGraph API: https://github.com/Azure-Samples/ms-identity-python-webapp
In this walkthrough, I have registered my app (MyClientApp) in Azure app registration, and for testing, I've added some scopes from Microsoft Graph in the API Permissions pane, such as
Now, when I run the application and attempt to sign in, the user consent prompt is prompted to me, but it doesn't request for permissions for any of the above scopes. It gives me:
Can someone clear out the fog?
Without looking at the sample, I think it is not requesting an access token in that request. The client is only requesting an ID token (with something like scope=openid+profile).
You need to specify e.g. https://graph.microsoft.com/.default as a scope when authenticating the user to get an access token.
In this case we use the special ".default" scope that tells AAD "just use the ones in the app registration".
Alternatively you could ask for e.g. https://graph.microsoft.com/AccessReview.Read.All scope to require that permission.
One thing to note here though. If your client app used the v1 authorization endpoint, those configured permissions would be required. But I assume the app is using MSAL and the v2 endpoint, which allows these dynamic permission requests.
- How can I define compile time constants in bicep configuration language?
- Outlook calendar don't render with FullCalendar
- Azure functions decoding error for IotHub device connection state message schema
- How do I set scope in Azure API Manager (APIM) when using D_application_id
- How to mount multiple disks in a loop using ansible
- How can I get sub value in nested json via KQL?
- Azure .NET SDK: Scale Azure SQL databases through SDK
- How can I invoke Azure Trusted Signing from a Linux OS?
- How to transfer "Set Variable" activity output into Json file using "Copy Data" activity or any other options?
- Verify Microsoft Access token on my ASP.NET Core Web API
- I'm trying to install the package from a private Azure DevOps repository using the pip install command, but I'm encountering an error
- Unable to define the sites for an App Registration for SahrePoint with Site.Selected
- Check if the resource exists before using data
- Not able to see azure 'LifecyclePolicyCompleted event' log
- Direct Web Push gives Error when used from Notification Hub
- Azure Remove User Consent to API
- Flutter-Azure Deviops pipelineThe discrepancy between the number of tests reported as passed or failed in the pipeline output and the test report
- App_location on deployment of a static webapp
- MSINotEnabled - Can't use KeyVault Reference in Azure Function
- Reading values from a key value based file and passing these values to azure devops template
- Deleting an Azure Loadbalancer Frontend IP configuration from python?
- How to retrieve the front door id from a Microsoft CDN (classic)
- What is HEAD operation in CosmosDB reported in Azure Monitoring
- Deploying a Python App to Azure App Service with Github Actions
- How to Query User Access Logs for Azure Front Door
- How can I add email recipients to a Graph API request programmatically?
- How to create Azure Devops Service Connection Docker Registry Type Other
- Problem with CORS policy in React front end with FastAPI on the back trying to use Microsoft Single Sign-on
- Azure Document Intelligence Custom Classification Python API
- Azure Function App unaccounted for time in Application Insights Timeline