--- title: Application permissions (MS Graph API) description: Application permissions are also known as app roles or app role assignments. You can grant application permissions directly by adding an app role assignment to an object, such as user, group, or servicePrincipal. For more information about app role assignments, refer to the Microsoft Graph documentation. component: openicf page_id: openicf:connector-reference:msgraph-app-perms canonical_url: https://docs.pingidentity.com/openicf/connector-reference/msgraph-app-perms.html section_ids: msgraph-add-appRoleAssignment-servicePrincipal: Add an app role assignment to a servicePrincipal msgraph-remove-appRoleAssignment-servicePrincipal: Remove an app role assignment from a servicePrincipal msgraph-add-appRoleAssignment-principal: Add an app role to a principal (user/group/servicePrincipal) via a servicePrincipal msgraph-remove-appRoleAssignment-principal: Remove an app role from a principal (user/group/servicePrincipal) via a servicePrincipal --- # Application permissions (MS Graph API) Application permissions are also known as *app roles* or *app role assignments*. You can grant application permissions directly by adding an app role assignment to an object, such as user, group, or `servicePrincipal`. For more information about app role assignments, refer to the [Microsoft Graph documentation](https://learn.microsoft.com/en-us/graph/api/resources/approleassignment?view=graph-rest-1.0). | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | The following table displays what the different id's involved in app role assignment represent:principalId The id of a user, group, or client servicePrincipal. Depends on the type of object receiving the app role assignment. resourceId The object id of the servicePrincipal containing the appRole. appRoleId The id of the appRole. | Special schema definitions for app role assignments The following schema definitions are special attributes in the connector, not real, readable properties of a `servicePrincipal` or other directory objects. They allow the connector to add and remove the respective app role assignments that appear in their related relationship fields. For example, `__addAppRoleAssignments__` stores a list of object data to populate the *actual* attribute `appRoleAssignments`. \_\_addAppRoleAssignments\_\_ ```json { "type": "array", "items": { "type": "object", "nativeType": "object" }, "nativeName": "__addAppRoleAssignments__", "nativeType": "object" } ``` \_\_removeAppRoleAssignments\_\_ ```json { "type": "array", "items": { "type": "string", "nativeType": "string" }, "nativeName": "__removeAppRoleAssignments__", "nativeType": "string" } ``` \_\_addAppRoleAssignedTo\_\_ ```json { "type": "array", "items": { "type": "object", "nativeType": "object" }, "nativeName": "__addAppRoleAssignedTo__", "nativeType": "object" } ``` \_\_removeAppRoleAssignedTo\_\_ ```json { "type": "array", "items": { "type": "string", "nativeType": "string" }, "nativeName": "__removeAppRoleAssignedTo__", "nativeType": "string" } ``` ## Add an app role assignment to a `servicePrincipal` | | | | - | ----------------------------------------------- | | | This process is identical for users and groups. | Request ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --header "Content-Type: application/json" \ --header "If-Match: *" \ --request PUT \ --data '{ "__addAppRoleAssignments__": { "principalId": "05b49121-0bf5-479e-8a4e-140212648879", "resourceId": "b3e4e58e-16fa-4b3d-a7b5-f134b7387e62", "appRoleId": "df021288-bdef-4463-88db-98f22de89214" } }' \ "http://localhost:8080/openidm/system/azuread/servicePrincipal/05b49121-0bf5-479e-8a4e-140212648879" ``` Response ```json { "_id": "05b49121-0bf5-479e-8a4e-140212648879", "addIns": [], "replyUrls": [], "keyCredentials": [], "oauth2PermissionScopes": [], "displayName": "Test-Application", "appRoleAssignments": [ { "resourceDisplayName": "Microsoft Graph", "resourceId": "b3e4e58e-16fa-4b3d-a7b5-f134b7387e62", "principalDisplayName": "Test-Application", "appRoleId": "df021288-bdef-4463-88db-98f22de89214", "createdDateTime": "2023-05-05T20:41:15.373168300Z", "principalId": "05b49121-0bf5-479e-8a4e-140212648879", "id": "IZG0BfULnkeKThQCEmSIeS7n5ay2n99BiFNwyj97w8Y", "principalType": "ServicePrincipal" } ], "alternativeNames": [], "resourceSpecificApplicationPermissions": [], "appDisplayName": "Test-Application", "accountEnabled": true, "appOwnerOrganizationId": "9e91bf24-7a08-433e-b111-5542416b4f20", "passwordCredentials": [], "servicePrincipalNames": [ "93dd36a4-61ca-4a1d-89cf-eac96587de35" ], "appId": "93dd36a4-61ca-4a1d-89cf-eac96587de35", "signInAudience": "AzureADandPersonalMicrosoftAccount", "notificationEmailAddresses": [], "servicePrincipalType": "Application", "tags": [], "appRoleAssignedTo": [], "info": {}, "appRoles": [], "appRoleAssignmentRequired": false } ``` ## Remove an app role assignment from a `servicePrincipal` | | | | - | ----------------------------------------------- | | | This process is identical for users and groups. | Request ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --header "Content-Type: application/json" \ --header "If-Match: *" \ --request PUT \ --data '{ "__removeAppRoleAssignments__": "IZG0BfULnkeKThQCEmSIeS7n5ay2n99BiFNwyj97w8Y" }' \ "http://localhost:8080/openidm/system/azuread/servicePrincipal/05b49121-0bf5-479e-8a4e-140212648879" ``` Response ```json { "_id": "05b49121-0bf5-479e-8a4e-140212648879", "addIns": [], "replyUrls": [], "keyCredentials": [], "oauth2PermissionScopes": [], "displayName": "Test-Application", "appRoleAssignments": [], "alternativeNames": [], "resourceSpecificApplicationPermissions": [], "appDisplayName": "Test-Application", "accountEnabled": true, "appOwnerOrganizationId": "9e91bf24-7a08-433e-b111-5542416b4f20", "passwordCredentials": [], "servicePrincipalNames": [ "93dd36a4-61ca-4a1d-89cf-eac96587de35" ], "appId": "93dd36a4-61ca-4a1d-89cf-eac96587de35", "signInAudience": "AzureADandPersonalMicrosoftAccount", "notificationEmailAddresses": [], "servicePrincipalType": "Application", "tags": [], "appRoleAssignedTo": [], "info": {}, "appRoles": [], "appRoleAssignmentRequired": false } ``` ## Add an app role to a principal (user/group/servicePrincipal) via a `servicePrincipal` Request ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --header "Content-Type: application/json" \ --header "If-Match: *" \ --request PUT \ --data '{ "__addAppRoleAssignedTo__": { "principalId": "87f5b3f8-6a8c-4e50-8fd6-0467d5e97e0c", "resourceId": "bf960539-a1d8-4eab-a46e-e9ce0b3f15c8", "appRoleId": "00000000-0000-0000-0000-000000000000" } }' \ "http://localhost:8080/openidm/system/azuread/servicePrincipal/bf960539-a1d8-4eab-a46e-e9ce0b3f15c8" ``` Response ```json { "_id": "bf960539-a1d8-4eab-a46e-e9ce0b3f15c8", "addIns": [], "replyUrls": [], "keyCredentials": [], "oauth2PermissionScopes": [], "displayName": "Test-Application", "appRoleAssignments": [], "alternativeNames": [], "resourceSpecificApplicationPermissions": [], "appDisplayName": "Test-Application", "accountEnabled": true, "appOwnerOrganizationId": "9e91bf24-7a08-433e-b111-5542416b4f20", "passwordCredentials": [], "servicePrincipalNames": [ "62212657-8f49-40b3-874b-9d1c25cb4388" ], "appId": "62212657-8f49-40b3-874b-9d1c25cb4388", "signInAudience": "AzureADandPersonalMicrosoftAccount", "notificationEmailAddresses": [], "servicePrincipalType": "Application", "tags": [], "appRoleAssignedTo": [ { "resourceDisplayName": "Test-Application", "resourceId": "bf960539-a1d8-4eab-a46e-e9ce0b3f15c8", "principalDisplayName": "qcmozfwwygkebie", "appRoleId": "00000000-0000-0000-0000-000000000000", "createdDateTime": "2023-05-05T20:41:25.405071800Z", "principalId": "87f5b3f8-6a8c-4e50-8fd6-0467d5e97e0c", "id": "-LP1h4xqUE6P1gRn1el-DCzqXtqJH6NBt0Fr0lT0g2g", "principalType": "User" } ], "info": {}, "appRoles": [], "appRoleAssignmentRequired": false } ``` ## Remove an app role from a principal (user/group/servicePrincipal) via a `servicePrincipal` Request ``` curl \ --header "X-OpenIDM-Username: openidm-admin" \ --header "X-OpenIDM-Password: openidm-admin" \ --header "Accept-API-Version: resource=1.0" \ --header "Content-Type: application/json" \ --header "If-Match: *" \ --request PUT \ --data '{ "__removeAppRoleAssignedTo__": "-LP1h4xqUE6P1gRn1el-DCzqXtqJH6NBt0Fr0lT0g2g" }' \ "http://localhost:8080/openidm/system/azuread/servicePrincipal/bf960539-a1d8-4eab-a46e-e9ce0b3f15c8" ``` Response ```json { "_id": "bf960539-a1d8-4eab-a46e-e9ce0b3f15c8", "addIns": [], "replyUrls": [], "keyCredentials": [], "oauth2PermissionScopes": [], "displayName": "Test-Application", "appRoleAssignments": [], "alternativeNames": [], "resourceSpecificApplicationPermissions": [], "appDisplayName": "Test-Application", "accountEnabled": true, "appOwnerOrganizationId": "9e91bf24-7a08-433e-b111-5542416b4f20", "passwordCredentials": [], "servicePrincipalNames": [ "62212657-8f49-40b3-874b-9d1c25cb4388" ], "appId": "62212657-8f49-40b3-874b-9d1c25cb4388", "signInAudience": "AzureADandPersonalMicrosoftAccount", "notificationEmailAddresses": [], "servicePrincipalType": "Application", "tags": [], "appRoleAssignedTo": [], "info": {}, "appRoles": [], "appRoleAssignmentRequired": false } ```