Open jaslloyd opened 4 years ago
add to S176
@jaslloyd hi.
I had the same problem. And have a solution for that.
My scenario:
resource "azuread_application" "active_directory_application" ...
resource "null_resource" "xxx" { provisioner "local-exec" ... }
My permissions before fix:
Azure Active Directory Graph -> Application.ReadWrite.OwnedBy
Azure Active Directory Graph -> Directory.Read.All
My permissions after fix:
Azure Active Directory Graph -> Application.ReadWrite.OwnedBy
Azure Active Directory Graph -> Directory.Read.All
Microsoft Graph -> Application.ReadWrite.OwnedBy
Microsoft Graph -> Directory.Read.All
https://graph.microsoft.com/ is Microsoft Graph API, so you will need Microsoft Graph for the Update application API invocation:
However, as the name suggests, Application.ReadWrite.OwnedBy is only used to update applications which are owned by the managing application. To update itself, the managing application should have the Application.ReadWrite.All permission.
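To make the two replies above concrete (the Terraform/local-exec fix that added Microsoft Graph permissions, and the point that Application.ReadWrite.OwnedBy only covers applications the caller owns), here is an added example, not code from the issue or from any project in it. It runs fully offline on constructed data: a hand-built, unsigned JWT standing in for the token `az account get-access-token --resource https://graph.microsoft.com` would return, placeholder object ids, and a constructed application object. The permission names and the `Authorization_RequestDenied` error code are real Microsoft Graph values; every id, URI and token below is made up.

```python
"""Offline checks for 'my service principal cannot PATCH its own app registration'.

Added example for this thread. Nothing here calls Azure: the token, object ids,
owners list and application object are constructed sample data.
"""
import base64
import json

# Real Microsoft Graph application permission names; everything else is constructed.
OWNED_BY = "Application.ReadWrite.OwnedBy"
READ_WRITE_ALL = "Application.ReadWrite.All"


def decode_jwt_claims(token: str) -> dict:
    """Return a JWT payload WITHOUT verifying the signature (local inspection only).

    An app-only Graph token lists granted application permissions in 'roles'.
    If the role you added is missing, admin consent was not granted, or the token
    was issued for a different resource (e.g. Azure AD Graph instead of
    https://graph.microsoft.com), and the PATCH will fail with 403 regardless.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def can_update_application(roles, caller_object_id: str, app_owner_ids) -> tuple:
    """Decide whether the token's roles suffice to PATCH a given application.

    OwnedBy only covers applications whose owners collection contains the calling
    service principal; an application the caller does not own needs ReadWrite.All.
    Returns (allowed, reason).
    """
    roles = set(roles)
    if READ_WRITE_ALL in roles:
        return True, f"{READ_WRITE_ALL} granted"
    if OWNED_BY in roles:
        if caller_object_id in app_owner_ids:
            return True, f"{OWNED_BY} granted and caller is an owner"
        return False, (f"{OWNED_BY} granted but caller {caller_object_id} is not an owner; "
                       f"add it as owner or grant {READ_WRITE_ALL}")
    return False, f"neither {OWNED_BY} nor {READ_WRITE_ALL} in token roles {sorted(roles)}"


def build_redirect_uri_patch(application: dict, new_uris, platform: str = "spa") -> dict:
    """Build the body for PATCH /v1.0/applications/{id}.

    PATCH replaces the whole redirectUris collection of the chosen platform
    ('spa' or 'web'), so existing URIs must be sent again or they are dropped.
    Duplicates are removed; https is required except for localhost.
    """
    existing = application.get(platform, {}).get("redirectUris", [])
    merged = []
    for uri in list(existing) + list(new_uris):
        if uri in merged:
            continue
        if not (uri.startswith("https://") or uri.startswith("http://localhost")):
            raise ValueError(f"Graph rejects non-https redirect URI: {uri}")
        merged.append(uri)
    return {platform: {"redirectUris": merged}}


def explain_graph_error(status: int, body: dict) -> str:
    """Map a Graph error response to its likely cause; 403 is the case in this thread."""
    err = body.get("error", {})
    if status == 403 and err.get("code") == "Authorization_RequestDenied":
        return ("403 Authorization_RequestDenied: the token has no role covering this "
                "application (OwnedBy without ownership, or no Application.ReadWrite.* at all)")
    return f"{status} {err.get('code', '')}: {err.get('message', '')}"


def _fake_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string for offline testing (not a real token)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample data (placeholders, not real tenant objects).
SAMPLE_TOKEN = _fake_jwt({"aud": "https://graph.microsoft.com", "roles": [OWNED_BY]})
CALLER_SP_OBJECT_ID = "00000000-0000-0000-0000-000000000001"
SAMPLE_OWNERS = []  # what `az ad app owner list --id <app>` returned: nobody owns the app
SAMPLE_APP = {"id": "00000000-0000-0000-0000-0000000000aa",
              "spa": {"redirectUris": ["https://app.example.com/auth"]}}

if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_TOKEN)
    print(can_update_application(claims["roles"], CALLER_SP_OBJECT_ID, SAMPLE_OWNERS))
    print(json.dumps(build_redirect_uri_patch(
        SAMPLE_APP, ["https://app.example.com/auth", "http://localhost:3000"])))
    print(explain_graph_error(403, {"error": {"code": "Authorization_RequestDenied",
                                              "message": "Insufficient privileges to complete the operation."}}))
```

Run it after `az login --service-principal` by feeding the real token payload into `decode_jwt_claims`, the output of `az ad app owner list` into `can_update_application`, and the current application JSON from `az rest --method GET` into `build_redirect_uri_patch`; the merged body is what `az rest --method PATCH --body` should carry, so existing redirect URIs survive the update.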
Hello,
I was wondering if somebody could help, I have a service principal/app registration e.g: 12345, I am logging into the cli via:
az login --service-principal --username 12345 --password ${PASS} --tenant ${TENANT_ID}
I am able to get the current reply URLs via this command:
az ad app show --id 12345 --query replyUrls
However when I try to update the replyUrls using the az rest command via this command:
az rest --method PATCH --uri "https://graph.microsoft.com/v1.0/applications/$OBJECT_ID" --headers 'Content-Type=application/json' --body "{\"spa\":{\"redirectUris\": "$NEW_REDIRECT_URIS"}}" --debug
I get the following:
My app registration has API permissions for Microsoft Graph -> Application.ReadWrite.OwnedBy, which I thought would be the only permission required...but it seems like it's not. What else do I need to add to allow a service principal to update an app service (itself)?
Thanks, and sorry if this question is off-topic. It has been super difficult to find an answer to this.