I understand the process of assigning Microsoft Graph permissions to a service principal. I can take the object id of the Microsoft Graph app, then use the `https://graph.microsoft.com/v1.0/servicePrincipals/<id>/appRoleAssignedTo` MSGraph endpoint, as described here.

My question is: can I do the same with a regular user? That is, when calling `appRoleAssignedTo`, specify the object id of a user in the `principalId` field. Can a regular user have application permissions (like MSGraph permissions), and how do I use them afterwards?

I tried to do the above and assign `RoleManagement.ReadWrite.Directory` to a user. Then I logged in with `az login` and ran `az account get-access-token --resource-type ms-graph`.

With this token I tried to do an operation that requires the `RoleManagement.ReadWrite.Directory` permission, like assigning a role to another user, but it fails with `Insufficient privileges to complete the operation.`
2 Answers
Users can request the scope they need when using `Connect-MgGraph`, for example:

This is the recommended approach, as it means that for that session they will only have access to the scopes that are necessary rather than any they've previously requested.
I tried to reproduce the same in my environment and got the same error as below:

When I tried to `Connect-MgGraph` as a normal user, I got the error below:

I created an Azure AD Application and granted API permission as below:

I generated an access token by using the parameters below:

By using the above access token, I am able to assign a directory role to the user successfully as below:
Reference:
Add graph api permission to user account by Harpreet Singh Matharoo
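A token-claim check, added here as an example and not code from either answer, for the situation in the question: the token from `az login` is a delegated token whose permissions sit in the `scp` claim, while application permissions such as `RoleManagement.ReadWrite.Directory` are carried in the `roles` claim of an app-only token obtained with client credentials, so inspecting the claims is the first thing to do when Graph answers "Insufficient privileges". The two sample tokens are constructed and unsigned; the payload is decoded without signature verification, which is fine for diagnosing a token you already hold but must never be used as an authorization check.

```python
import base64
import json

REQUIRED = "RoleManagement.ReadWrite.Directory"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_claims(token: str) -> dict:
    # Decodes the payload only. The signature is NOT checked here:
    # this is a diagnostic for a token you hold, not an auth decision.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def permission_report(token: str, required: str = REQUIRED) -> dict:
    claims = decode_claims(token)
    delegated = claims.get("scp", "").split()   # "scp" is a space-separated string
    app_roles = claims.get("roles", [])         # "roles" is a JSON array
    return {
        "kind": "delegated" if "scp" in claims else "app-only",
        "delegated": delegated,
        "app_roles": app_roles,
        "has_required": required in delegated or required in app_roles,
    }


def _unsigned_token(payload: dict) -> str:
    # Constructed, unsigned sample (alg "none") for offline demonstration only.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed stand-ins for (1) a user token from `az login` and (2) an app-only token.
DELEGATED_TOKEN = _unsigned_token({"aud": "https://graph.microsoft.com",
                                   "scp": "User.Read Directory.AccessAsUser.All",
                                   "upn": "user@contoso.example"})
APP_ONLY_TOKEN = _unsigned_token({"aud": "https://graph.microsoft.com",
                                  "roles": [REQUIRED],
                                  "appid": "00000000-0000-0000-0000-000000000000"})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_TOKEN), ("app-only", APP_ONLY_TOKEN)):
        print(name, permission_report(tok))
```

To check a real token, pass the `accessToken` value printed by `az account get-access-token` to `permission_report`; a delegated token will list its `scp` entries and report `has_required` as `False` unless that permission was consented as a delegated scope.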