
I created a new Azure App Registration (App1) and exposed it as an API. The MS Graph API permissions which it has are:

Application.ReadWrite.OwnedBy - Application (Admin consent granted)
GroupMember.Read.All - Delegated (Admin consent granted)
User.Read - Delegated
User.Read.All - Delegated (Admin consent granted)

The version for the App Registration is 2 (I can see this: "accessTokenAcceptedVersion": 2 under the Manifest).

I have another App Registration (App2) and I haven't added the above App Registration's API permission to the second App Registration. The only API permission the second App has is:

User.Read - Delegated

I use a curl command to get the token for the first App from the second app, like below:

curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
-d 'client_id=client-id-of-app2' \
-d 'client_secret=client-secret-of-app2' \
-d 'grant_type=client_credentials' \
-d 'scope=api://client-id-of-app1/.default' \
'https://login.microsoftonline.com/my-tenant/oauth2/v2.0/token'

After I use the above command, I can successfully get the token. But my question is, how come the second app is able to get a token for the first app even without adding the first app's API permission to the second app?

I have another Azure App (App3) and have exposed it as an API. When I use curl from App2 to App3 it gives the below error:

'https://login.microsoftonline.com/123/oauth2/v2.0/token'
{"error":"invalid_grant","error_description":"AADSTS501051: Application 'Client ID of App2'(App2) is not assigned to a role for the application 'api://client-id-of-app3'(App3). "error_uri":"https://login.microsoftonline.com/error?code=123"}

Why does App3 give the above error while App1 generates a token when App2 uses the curl command?

1 Answer

This is a feature of Entra ID that I've mentioned in a blog article. It is possible for an application in Entra ID to get an access token with the client credentials flow for any API in that same tenant. No permissions need to be assigned.

Of course the token you get will have no permissions. So as long as your API actually checks for valid permissions, this token won't work.

I can't say 100% why this is the way it is. But, I can make a strong guess. When an API has its own access control system, this way you don't also need to assign a permission in Entra ID. For example, you can always get an access token for Azure Key Vault without assigning any permissions. Key Vault has its own access control system(s), so this works fine.

Because of this feature, it is very important that you check for valid permissions in the token.

I have another Azure App (App3) and have exposed it as an API. When I use curl from App2 to App3 it gives the below error:

I suspect the switch "Assignment required?" is set to Yes on the Enterprise application/Service principal/Managed application in local directory. I think that is another way to handle this issue, though it will then require user assignments as well (if users sign in to this app). I'd recommend checking for valid permissions in tokens anyway.
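The answer's point that a client-credentials token for any API in the tenant is issued without permissions, so the API itself must check the token's claims, can be illustrated with an authorization check on the decoded payload. This is an added example, not code from the question or the answer; it assumes the JWT signature and issuer have already been verified by the API's middleware, uses the question's "api://client-id-of-app1" audience as a placeholder, and the app role name "Data.Read" and the sample tokens are constructed here.

```python
import base64
import json

# Placeholder audience taken from the question's scope value.
APP1_AUDIENCE = "api://client-id-of-app1"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (signature assumed verified upstream)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def authorize(claims: dict, required_role: str, required_scope: str) -> bool:
    """Reject a token that only names this API as audience but carries no permission.

    App-only (client credentials) tokens put app roles in `roles`; delegated
    tokens put a space-separated scope string in `scp`. A token obtained the
    way the question describes has neither, so it must fail here.
    """
    if claims.get("aud") != APP1_AUDIENCE:
        return False
    roles = claims.get("roles") or []
    scopes = (claims.get("scp") or "").split()
    return required_role in roles or required_scope in scopes


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string for the samples below."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples: the permission-less token App2 gets for App1,
# and a token for a caller that was actually assigned an app role.
NO_PERMISSION_TOKEN = make_unsigned_token(
    {"aud": APP1_AUDIENCE, "ver": "2.0", "azp": "client-id-of-app2"})
ROLE_TOKEN = make_unsigned_token(
    {"aud": APP1_AUDIENCE, "ver": "2.0", "roles": ["Data.Read"]})
```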
