Question
I'm trying to create an AD application using the beta API by following this document: https://docs.microsoft.com/en-us/graph/api/application-post-applications?view=graph-rest-beta&tabs=http
The application can be successfully created in Azure AD B2C (not Azure Active Directory) as expected. The issue is when I'm trying to open this app from the portal: the page just keeps loading while the app information never shows. I can see there's an error from the browser dev tools:
The following request returns a 404 error: https://main.b2cadmin.ext.azure.com/api/ApplicationV2/GetApplication?tenantId=mytestb2ctenant.onmicrosoft.com&applicationId=560df329-47f5-497b-a1d3-08e9e8208062
I can verify the applicationId is indeed the appId of my newly created AD app. Not sure why I'm getting the not-found error.
Then I manually created another app in my B2C AD. I compared the returned schema from the get-application REST API for these two apps. The only difference is the manually created one has a default user_impersonation API scope, while the other one does not. Maybe this causes the error.
Here's my complete PowerShell script to create the AD app:
```powershell
# $accessToken is obtained earlier in the script (not shown) and holds the
# Authorization header value for the Graph call.
$b2cDomain = "mytestb2ctenant.onmicrosoft.com"
$applications = "https://graph.microsoft.com/beta/applications"
$headers = @{
    "Authorization" = $accessToken;
}
$app = "mytestapp"   # fixed: original had '@app', which is not a valid variable name
$request = @{
    displayName = $app
    identifierUris = @("https://$b2cDomain/api")
    signInAudience = "AzureADandPersonalMicrosoftAccount"
    web = @{
        redirectUris = @("https://any.valid.url")
        implicitGrantSettings = @{
            enableIdTokenIssuance = $false
            enableAccessTokenIssuance = $true
        }
    }
    isFallbackPublicClient = $false
}
# explicit -Depth so the nested web/implicitGrantSettings object is never truncated
$body = $request | ConvertTo-Json -Depth 5
Log "creating ad app: $app"   # Log is a helper function defined elsewhere in the script
$appResponse = Invoke-RestMethod `
    -Uri $applications `
    -Method Post `
    -Headers $headers `
    -ContentType "application/json" `
    -Body $body
```
Did I miss anything in the request schema? How can I create a valid app from the REST API just like when I create it manually?
Answer 1:
Guess I found the root cause.
The application created from the API did not have a service principal associated. Need to create an SP for it. I could not find the REST API for creating an SP from here. Ended up using AzureAD PowerShell commands:
```powershell
# $credential and $b2cTenantId are set earlier (not shown); requires the AzureAD module
Connect-AzureAD -Credential $credential -TenantId $b2cTenantId
New-AzureADApplication -DisplayName "myapp"
$app = Get-AzureADApplication -SearchString "myapp"
# create the service principal that the API-created app was missing
New-AzureADServicePrincipal -AppId $app.AppId
```
Everything seems to be working now.
BTW, the Application in Azure AD B2C and in Azure Active Directory should be the same thing, only shown in different places. I got confused before.
Answer 2:
Please remember not to use Microsoft Graph beta APIs in production since they are subject to change.
For an application to successfully work in AAD B2C (get a token), it has the following requirements:
- A service principal
- Consent to the openid and offline_access scopes on the Microsoft Graph service principal in the tenant
The service principal APIs are in beta right now. The OAuth2Permissions API is in beta as well.
The algorithm is:
- Create an app using the application API
- Create a service principal for it (let's call it clientSP).
- Find the service principal corresponding to the Microsoft Graph app (AppId 00000003-0000-0000-c000-000000000000) in the tenant using the service principal APIs. This service principal is always created by Azure AD in the directory, so you just need to search for it. Let's call it ResourceSP.
- Use the OAuth2Permissions API to create and grant consent to clientSP on ResourceSP for the openid and offline_access scopes.
The sample here should help: https://github.com/valnav/Azure-AD-B2C-App-Graph.
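The four steps of the answer above as one PowerShell script, added here as an example; it is not the answer's code nor the linked sample. It assumes $accessToken holds the Authorization header value for the B2C tenant (as in the question) and $appResponse is the object returned by the question's POST to /beta/applications; the servicePrincipals and oauth2PermissionGrants endpoints and the consentType/principalId semantics come from the Graph beta reference, not from this page.

```powershell
# Added example: finish the procedure from the answer (steps 2-4).
# Assumes $accessToken (Authorization header value, as in the question) and
# $appResponse (result of POST /beta/applications) already exist.
$graph   = "https://graph.microsoft.com/beta"
$headers = @{ "Authorization" = $accessToken }

function Invoke-Graph {
    param([string]$Method, [string]$Path, [hashtable]$Body)
    $params = @{ Uri = "$graph/$Path"; Method = $Method; Headers = $headers }
    if ($Body) {
        $params.ContentType = "application/json"
        $params.Body = ($Body | ConvertTo-Json -Depth 5)
    }
    Invoke-RestMethod @params
}

# Step 2: service principal for the new app (clientSP). Without it the portal
# cannot resolve the app and no token can be issued for it.
$clientSP = Invoke-Graph -Method Post -Path "servicePrincipals" -Body @{
    appId = $appResponse.appId
}

# Step 3: the tenant's Microsoft Graph service principal (ResourceSP).
# Filter on the well-known Graph appId, never on displayName.
$graphAppId = "00000003-0000-0000-c000-000000000000"
$resourceSP = (Invoke-Graph -Method Get `
    -Path "servicePrincipals?`$filter=appId eq '$graphAppId'").value | Select-Object -First 1
if (-not $resourceSP) { throw "Microsoft Graph service principal not found in tenant" }

# Step 4: tenant-wide consent for exactly openid and offline_access.
# consentType AllPrincipals with principalId null = consent on behalf of all users.
# Idempotent: skip if clientSP already has a grant on ResourceSP.
$existing = (Invoke-Graph -Method Get -Path ("oauth2PermissionGrants?`$filter=" +
    "clientId eq '$($clientSP.id)' and resourceId eq '$($resourceSP.id)'")).value
if ($existing) {
    Write-Host "Grant already present with scope: $($existing[0].scope)"
} else {
    $grant = Invoke-Graph -Method Post -Path "oauth2PermissionGrants" -Body @{
        clientId    = $clientSP.id
        consentType = "AllPrincipals"
        principalId = $null
        resourceId  = $resourceSP.id
        scope       = "openid offline_access"
    }
    Write-Host "Granted '$($grant.scope)' to $($clientSP.displayName)"
}
```

The token behind $accessToken needs Application.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All (or Directory.ReadWrite.All) for these calls to succeed.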
Source: https://stackoverflow.com/questions/59062273/microsoft-graph-rest-api-beta-application-created-by-api-in-azure-ad-b2c-is-not