
Use Azure AD app principal without user context

For an application registered in Azure AD (AAD) to run in application-only context, i.e. without a signed-in user, the "Company Administrator" directory role (the role shown as Global Administrator in the portal) has to be assigned to the application's service principal so that it can access administrator endpoints of APIs such as Microsoft Graph. No additional permissions have to be assigned to the application after this role has been granted.

The assignment has to be done with PowerShell (the app registration has to exist beforehand) and looks like this:

# install the AzureAD module if it is not present yet
Install-Module AzureAD
# sign in with an account that is allowed to manage directory roles
Connect-AzureAD
# service principal of the app registration, looked up by display name
$app = Get-AzureADServicePrincipal -SearchString "your app name"
# the Company Administrator directory role (must already be activated in the tenant)
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Company Administrator" }
# add the service principal as a member of that role
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $app.ObjectId

Note that you have to replace the string "your app name" with the display name of your app registration. The script installs (if not already installed) the AzureAD PowerShell module and uses its cmdlets to get the service principal of the app registration by name, gets the Azure AD directory role "Company Administrator" and adds the service principal of the app as a member of this role. After the role has been added, the app can, e.g., query the users endpoint of the Microsoft Graph API to read properties of any user in the AAD.
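As an added example that is not part of the original post: the script below first verifies whether the service principal actually holds the Company Administrator role (and handles the case where the role has not yet been activated in the tenant, since Get-AzureADDirectoryRole only returns activated roles), and then shows the least-privilege alternative for the scenario described above. Reading user properties from Graph only needs the Graph application permission User.Read.All; granting that single app role to the service principal replaces a tenant-wide administrator role. Assumptions: `$appName` is a placeholder for your own registration's display name, `00000003-0000-0000-c000-000000000000` is the well-known app id of the Microsoft Graph service principal, and `$replaceRoleWithScopedPermission` is a switch introduced here to control whether the admin role is removed after the scoped permission is in place.

```powershell
# Added example, not the original post's script. Assumes the AzureAD module is
# installed and that you are signed in as a user who can manage directory roles.
$appName = "your app name"                 # placeholder, replace with your registration's name
$replaceRoleWithScopedPermission = $false  # hypothetical switch: set to $true to drop the admin role

Connect-AzureAD | Out-Null

$sp = Get-AzureADServicePrincipal -SearchString $appName
if (-not $sp) { throw "No service principal found for '$appName'" }

# 1) Is the service principal a Company Administrator?
#    Roles that were never used in the tenant are not returned by
#    Get-AzureADDirectoryRole and have to be enabled from their template first.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Company Administrator" }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate |
        Where-Object { $_.DisplayName -eq "Company Administrator" }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}
$isAdmin = [bool](Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Where-Object { $_.ObjectId -eq $sp.ObjectId })
Write-Host ("{0} holds Company Administrator: {1}" -f $sp.DisplayName, $isAdmin)

# 2) Least-privilege alternative: grant only User.Read.All on Microsoft Graph.
#    The app role id is looked up from the Graph service principal instead of
#    being hard-coded; creating the assignment as an admin is the admin consent.
$graphSp = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$appRole = $graphSp.AppRoles | Where-Object {
    $_.Value -eq "User.Read.All" -and $_.AllowedMemberTypes -contains "Application"
}
if (-not $appRole) { throw "User.Read.All application role not found on Graph service principal" }

# Existing assignments on Graph (as the resource), filtered to our principal and role
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $graphSp.ObjectId |
    Where-Object { $_.PrincipalId -eq $sp.ObjectId -and $_.Id -eq $appRole.Id }
if (-not $existing) {
    New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -PrincipalId $sp.ObjectId `
        -ResourceId $graphSp.ObjectId -Id $appRole.Id | Out-Null
    Write-Host "Granted User.Read.All (application) to $($sp.DisplayName)"
} else {
    Write-Host "User.Read.All (application) already granted to $($sp.DisplayName)"
}

# 3) Optionally remove the tenant-wide role now that the scoped permission exists.
if ($replaceRoleWithScopedPermission -and $isAdmin) {
    Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $sp.ObjectId
    Write-Host "Removed Company Administrator from $($sp.DisplayName)"
}
```

Run it once with the switch left at `$false` to see the current state and create the scoped assignment; after confirming the app's Graph calls still work with only User.Read.All, run it again with `$replaceRoleWithScopedPermission = $true`. The role check in step 1 is also the audit query to run periodically: any service principal listed as a member of Company Administrator should be expected and documented.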