Azure - Adding API permissions using Bicep as configured permissions, not other permissions granted

MikeDzikowski
October 15, 2024
107 views
0 votes
2 Answers

First time posting here, so please let me know if I need to make any changes to my question or add more details. I am unable to add API permissions as configured.

I am following the post/answer here: https://stackoverflow.com/a/78951253/12567070

But when running the bicep, I get permissions added to my app registration. However, they are only added as "other permissions granted" – I believe this is because "Admin consent required" for the permissions I am trying to add. Is it possible to do the admin consent with bicep?

Example code used:

targetScope = 'tenant'

// entra-external-setup.bicep
extension microsoftGraph

param appName string = 'cspm'
param deployEnvironment string = 'lb'

var applicationRegistrationName = '${appName}-${deployEnvironment}-app-01'

var redirectUris = deployEnvironment == 'prod' 
  ? ['https://app.${appName}.io'] 
  : ['https://${applicationRegistrationName}.azurewebsites.net', 'https://localhost:44305']

resource microsoftGraphServicePrincipal 'Microsoft.Graph/[email protected]' existing = {
  appId: '00000003-0000-0000-c000-000000000000'
}

resource applicationRegistration 'Microsoft.Graph/[email protected]' = {
  uniqueName: applicationRegistrationName
  displayName: applicationRegistrationName
  web: {
    redirectUris: [for item in redirectUris: '${item}/sigin-oidc']
    implicitGrantSettings: {
      enableIdTokenIssuance: true
    }
  }
  requiredResourceAccess: [
    {
     resourceAppId: microsoftGraphServicePrincipal.appId
     resourceAccess: [
       { 
         id: '246dd0d5-5bd0-4def-940b-0421030a5b68', type: 'Scope' 
      }
     ]
    }
  ]
}

resource applicationRegistrationServicePrincipal 'Microsoft.Graph/[email protected]' = {
  appId: applicationRegistration.appId
}

resource grants 'Microsoft.Graph/[email protected]' = {
  clientId: applicationRegistrationServicePrincipal.id
  resourceId: microsoftGraphServicePrincipal.id
  consentType: 'AllPrincipals'
  scope: 'Policy.Read.All'
}

My goal is to use Bicep to add the API permissions, granted here:

What am I missing?

Answers

In you bicep file, you are using 246dd0d5-5bd0-4def-940b-0421030a5b68 which is the id of the App role. you need to use the id of the oauth scope which is 572fea84-0151-49b2-9301-11cb16974376.

To make sure to have it right, you can retrieve the values from the MS Graph SP:

// Get a reference to the MS Graph Sp in the tenant
resource msGraphAppSp 'Microsoft.Graph/[email protected]' existing = {
  appId: '00000003-0000-0000-c000-000000000000'
}

// space seperated list of scopes to apply
var msGraphAppOauth2PermissionScopes = 'Policy.Read.All APIConnectors.Read.All'

// create the app registration
resource applicationRegistration 'Microsoft.Graph/[email protected]' = {
  uniqueName: applicationRegistrationName
  displayName: applicationRegistrationName
  web: {
    redirectUris: [for item in redirectUris: '${item}/sigin-oidc']
    implicitGrantSettings: {
      enableIdTokenIssuance: true
    }
  }
  requiredResourceAccess: [
    {
      resourceAppId: msGraphAppSp.appId
      // Add all required delegated permissions: we get the id from the SP object
      resourceAccess: [
        for scope in split(msGraphAppOauth2PermissionScopes, ' '): {
          id: first(filter(msGraphAppSp.oauth2PermissionScopes, (val, i) => val.value == scope)).id
          type: 'Scope'
        }
      ]
    }
  ]
}

// Create the service principal
resource applicationRegistrationServicePrincipal 'Microsoft.Graph/[email protected]' = {
  appId: applicationRegistration.appId
}

// Grant required access to MS graph
resource msGraphGrants 'Microsoft.Graph/[email protected]' = {
  clientId: applicationRegistrationServicePrincipal.id
  resourceId: msGraphAppSp.id
  consentType: 'AllPrincipals'
  scope: msGraphAppOauth2PermissionScopes
}

Simply follow my code. After deployment complete, admin consent auto shows.

appRoleAssignedTo used in application permission.
oauth2PermissionGrants used in delegate permission.

appRoleId also be found as permission id, it be usually used in combination with resourceId, You can find permission id which provided by Microsoft Graph Resource here.

targetScope = 'tenant'
// Use both extension version declarations, to declare Microsoft Graph resources from beta and v1.0, in the same Bicep file 
extension microsoftGraphV1_0

@description('Apps to use')
param appName string = 'wb-bicep-client-20241009'

@description('microsoft garaph resouce app id')
param microsoftGraphAppId string = '00000003-0000-0000-c000-000000000000'

//https://graph.microsoft.com/User.Read.All
param micrsooftUserReadAllRoleId string = 'df021288-bdef-4463-88db-98f22de89214'

resource resourceSp 'Microsoft.Graph/[email protected]' existing = {
  appId: microsoftGraphAppId
}

// using 1.0
resource clientApp 'Microsoft.Graph/[email protected]' = {
    uniqueName: appName
    displayName: appName
}

resource clientSp 'Microsoft.Graph/[email protected]' = {
  appId: clientApp.appId
}

//a delegated permission grant
resource permissionGrant 'Microsoft.Graph/[email protected]'  = {
  clientId: clientSp.id
  consentType: 'AllPrincipals'
  resourceId: resourceSp.id  // objectId
  scope: 'User.Read'
}

resource appRoleAssignedTo 'Microsoft.Graph/[email protected]' = {
  appRoleId: micrsooftUserReadAllRoleId
  principalId: clientSp.id
  resourceId: resourceSp.id
}

Please signup or login to give your own answer.

Click here to cancel reply.

Azure – Adding API permissions using Bicep as configured permissions, not other permissions granted

Answers