Add or Delete an app's API permissions (requiredResourceAccess) via Microsoft Graph

问题

In an application in my trial Azure AD tenant, I want to modify my API permissions via the Graph API. I am able to GET the application's requiredResourceAccess in the Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer#) via https://graph.microsoft.com/beta/applications/{app object ID}/requiredResourceAccess, but I am not able to modify or delete these values, or even GET specific resources. Here's my GET result:

{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#applications('{app object id}')/requiredResourceAccess(resourceAccess)",
    "value": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "{id}",
                    "type": "Scope"
                },
                {
                    "id": "{id}",
                    "type": "Scope"
                }
            ]
        }
    ]
}

When trying to specify the resourceAppId above, I get an error about how segment 'requiredResourceAccess' refers to a segment, so this must be the last part of the request URI besides filters.

And when I try to delete, I get the error 'Specified HTTP method is not allowed for the request target.'

I can modify the API permissions via the Microsoft Azure Portal of course, but can you please let me know if there is a way to add or remove API permissions via the Microsoft Graph API?

回答1:

You could use this API Update application, refer to my request sample as below.

Sample:

Request URL:

PATCH https://graph.microsoft.com/beta/applications/{App Object ID}

Request body:

{
   "requiredResourceAccess": [
        {
            "resourceAppId": "00000002-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
                    "type": "Scope"
                }
            ]
        },
        {
           "resourceAppId": "00000003-0000-0000-c000-000000000000",
           "resourceAccess": [
                {
                    "id": "863451e7-0667-486c-a5d6-d135439485f0",
                    "type": "Scope"
                }
       ]
    }
   ]
}

If you want to delete the API permissions, just specify the requiredResourceAccess as below.

{
   "requiredResourceAccess": []
}

Note: This API is a Beta version, I don't recommend you to use it in the production environment. Also, when we update the API permissions via this API, it just adds the permissions to this application, it will not consent the permissions for the application.

来源：https://stackoverflow.com/questions/57316875/add-or-delete-an-apps-api-permissions-requiredresourceaccess-via-microsoft-gr

标签

azure

azure-active-directory

microsoft-graph-api