问题
Currently, I am registering app(s) in azure AD using application permissions. I am trying to find out if there is any better option to do that?
Current Approach:-
- Registered one app in azure AD using azure portal with "Application.ReadWrite.OwnedBy" application permission(with admin consent).
- Using that app registering other app(s) as follows
ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);
GraphServiceClient graphClient = new GraphServiceClient(authProvider);
var application = new Application
{
DisplayName = "App_One",
RequiredResourceAccess = new List<RequiredResourceAccess>()
{
new RequiredResourceAccess
{
ResourceAppId = "cfa8b339-82a2-471a-a3c9-0fc0be7a4093",
ResourceAccess = new List<ResourceAccess>()
{
new ResourceAccess
{
//API permission :- user_impersonation
Id = Guid.Parse("f53da476-18e3-4152-8e01-aec403e6edc0"),
Type = "Scope"
}
}
}
}
};
//Create(Register) application
var app = await graphClient.Applications
.Request().AddAsync(application);
Note:- I am using .net core 2.1 with OpenIdConnect.
Limitation of current approach :-
- Need to registered one app manually with "Application.ReadWrite.OwnedBy" application permission(with admin consent).
I have tried to find out other approach then I found following stack-overflow already question-answer
- Programmatically register app in azure active directory using graph api
- Azure Delegated and Application permission precedence
which are giving some hint about delegated permissions
Question(s) :-
- Is there any better way to achieve this without using manual registered app(with permission)?
- Currently,Users(in Azure AD) login in web app using OpenIdConnect. Can I use user token(after login) to register app(means after user authorize can I use this token create graph client)? if yes, how can I do this?
- Is it possible to register app using "logged-in" user principal(claims) with help of delegated permissions?(I don't have much knowledge about that to clear my understanding asking this question)?
回答1:
Is there any better way to achieve this without using manual registered app(with permission)?
Regardless of whether you use application permissions or delegated permissions to access graph api, you must first manually create an application (or you must have an application first), and then you can grant application permissions or delegate permissions to this application, and then You can use this application to register other applications.
Currently,Users(in Azure AD) login in web app using OpenIdConnect. Can I use user token(after login) to register app(means after user authorize can I use this token create graph client)? if yes, how can I do this?
Yes, you can use the access token to call MS graph api to create an application after logging in the user, Please see: auth code flow and sample.
Is it possible to register app using "logged-in" user principal(claims) with help of delegated permissions?(I don't have much knowledge about that to clear my understanding asking this question)?
You can use an application based on delegated permissions to call MS graph api to register an application. Here is a detailed example, but as I said before, it is not the user itself to complete this operation, it is the application that completes the operation on behalf of the user .
来源:https://stackoverflow.com/questions/63580767/approaches-to-registercreate-application-in-azure-ad-using-microsoft-graph-a