/// <summary>
/// Removes the existing service principal for the application described by <paramref name="grant"/>,
/// if one exists, so that a fresh service principal with the current permission set can be created.
/// Deleting the service principal drops whatever assignments/grants hung off it (that is the intent here).
/// </summary>
/// <param name="client">AAD Graph client used to look up the service principal.</param>
/// <param name="grant">Carries the application whose AppId is looked up.</param>
/// <returns>A task that completes once the lookup and (when needed) the delete have finished.</returns>
private static async Task CleanupPermissionGrantsAsync(IActiveDirectoryClient client, OAuthGrant grant)
{
    IServicePrincipal existing = await GetServicePrincipalAsync(client, grant.Application.AppId);
    string appName = grant.Application.DisplayName;

    if (existing != null)
    {
        Program.WriteInfo($"Deleting existing service principal for app {appName}");
        await existing.DeleteAsync();
    }
    else
    {
        Program.WriteInfo($"No existing service principal for app {appName}");
    }
}
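/// <summary>
/// Grants the app-only (application) permissions listed in <paramref name="grant"/> by POSTing one
/// appRoleAssignment per permission id to the Azure AD Graph REST endpoint.
/// At the time of creating this application, there was no support for adding app-only permissions using
/// the .NET AAD Graph Client SDK, hence the raw HTTP calls instead of <paramref name="client"/>.
/// </summary>
/// <param name="client">AAD Graph client; not used by this method (kept for parity with the sibling grant helpers).</param>
/// <param name="grant">Carries the application, its service principal, the resource service principal and the app-role ids to assign.</param>
/// <returns>A task that completes when every assignment has been attempted; failures are logged, not thrown.</returns>
private static async Task AddApplicationPermissionsGrantAsync(IActiveDirectoryClient client, OAuthGrant grant)
{
    // Nothing to assign. Mirrors the early return in AddDelegatedPermissionsGrantAsync.
    if (grant.ApplicationPermissions == null)
    {
        return;
    }

    // This is a *user* token, so the signed-in user must be permitted to write appRoleAssignments
    // in the tenant (typically a directory/application administrator).
    var token = await AuthenticationHelper.AcquireAADTokenAsyncForUser();

    // Dispose the HttpClient and each response so the underlying connections are released;
    // the previous version created an HttpClient per call and never disposed it.
    using (var webClient = new HttpClient())
    {
        webClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);

        // NOTE(review): this targets the legacy Azure AD Graph endpoint (api-version=1.6), which Microsoft
        // has deprecated in favour of Microsoft Graph — confirm it is still reachable in the target tenant.
        // The URI does not depend on the loop variable, so build it once.
        var uri = $"{GlobalConstants.AADGraphResourceUrl}/{GlobalConstants.GraphTenantName}/servicePrincipals/{grant.ApplicationServicePrincipal.ObjectId}/appRoleAssignments?api-version=1.6";

        foreach (var graphPermissionId in grant.ApplicationPermissions)
        {
            string jsonBody = JsonConvert.SerializeObject(new
            {
                id = graphPermissionId,                                   // app role (permission) id exposed by the resource
                principalId = grant.ApplicationServicePrincipal.ObjectId, // who receives the role
                principalType = "ServicePrincipal",
                resourceId = grant.ResourceServicePrincipal.ObjectId      // who exposes the role
            });

            using (var content = new StringContent(jsonBody, Encoding.UTF8, "application/json"))
            using (var response = await webClient.PostAsync(uri, content))
            {
                if (!response.IsSuccessStatusCode)
                {
                    // Log and continue so one failed assignment does not stop the remaining ones.
                    Program.WriteError($"\nError adding App-only Permissions for {grant.Application.DisplayName}: {response.StatusCode}");
                }
            }
        }
    }
}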
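/// <summary>
/// Grants the delegated (user-scoped) permissions in <paramref name="grant"/> to the application's service
/// principal by creating an oauth2PermissionGrant. The grant uses ConsentType "AllPrincipals", i.e. tenant-wide
/// consent on behalf of every user with no per-user prompt, so the signed-in caller needs admin rights for the
/// call to succeed.
/// </summary>
/// <param name="client">AAD Graph client used to create the grant.</param>
/// <param name="grant">Carries the client/resource service principals and the scope string to grant.</param>
/// <returns>A task that completes when the grant has been attempted; failures are logged, not thrown.</returns>
private static async Task AddDelegatedPermissionsGrantAsync(IActiveDirectoryClient client, OAuthGrant grant)
{
    // Nothing to grant. Also guards null/whitespace rather than only the empty string.
    if (string.IsNullOrWhiteSpace(grant.DelegatedPermissions))
    {
        return;
    }

    try
    {
        await client.Oauth2PermissionGrants.AddOAuth2PermissionGrantAsync(new OAuth2PermissionGrant
        {
            ClientId = grant.ApplicationServicePrincipal.ObjectId,
            ConsentType = "AllPrincipals", // tenant-wide: applies to all users
            ResourceId = grant.ResourceServicePrincipal.ObjectId,
            Scope = grant.DelegatedPermissions,
            // Expire a century from now. The previous value, new DateTime().AddYears(100), is
            // 0001-01-01 plus 100 years (year 101) — a date in the distant past, not the future.
            ExpiryTime = DateTime.UtcNow.AddYears(100)
        });
    }
    catch (Exception e)
    {
        // Best-effort: report the failure and let the caller continue with the remaining grants.
        Program.WriteError("\nError adding Delegated Permissions for {0}: {1}", grant.Application.DisplayName, Program.ExtractErrorMessage(e));
    }
}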