
How can I create an Azure AD application using the fluent API?

I am using the following code to try to programmatically register an application in Azure Active Directory:

    var application = azure.ActiveDirectoryApplications.Define(applicationName)
        .WithSignOnUrl(url)
        .WithIdentifierUrl(url)
        .WithAvailableToOtherTenants(false)
        .DefinePasswordCredential(id)
            .WithPasswordValue(secret)
            .Attach()
        .Create();

Where azure is an instance of Microsoft.Azure.Management.Fluent.Azure.

When I run the above to create an Azure Active Directory Application, a Microsoft.Azure.Management.Fluent.Azure exception is thrown with the message Operation returned an invalid status code 'Forbidden'. Creation of other Azure resources (like resource groups and app services) works just fine.

Looking at the exception details, I can see that a request is made to the following endpoint:

https://graph.windows.net/{myTenantId}/applications?api-version=1.6

The following is in the response body:

{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}

Since the body says "Insufficient privileges to complete the operation", it appears to be a simple permission issue, but I have granted the following permissions (while signed in as a global administrator) for the Microsoft.Azure.ActiveDirectory API for the application that's running the code:

  • Access the directory as the signed-in user
  • Read and write directory data

Are these privileges not enough? What am I missing? As I said, creation of other resources using the fluent API works just fine.


1 Answer

The scopes Directory.AccessAsUser.All and Directory.ReadWrite.All User.Read are sufficient permission to create applications in the Azure Active Directory. Since you don't provide how you construct the azure instance, I would provide a working code sample:

using System;
using Microsoft.Azure.Management.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent.Authentication;

class Program
{
    static void Main(string[] args)
    {
        var url = "http://adfei.onmicrosoft.com/appFluent";
        var id = "abc";
        var secret = "secret";
        var applicationName = "appFluent";

        // Sign in as a user (delegated flow) through a native application;
        // the access token issued this way carries the granted scopes in its scp claim.
        var credFile = new AzureCredentials(new UserLoginInformation
        {
            ClientId = "{appId of native application}",
            UserName = "{userName}",
            Password = "{password}"
        },
        "adfei.onmicrosoft.com", AzureEnvironment.AzureGlobalCloud);

        IAzure azure = Azure.Authenticate(credFile).WithDefaultSubscription();

        // Register the application and attach a password credential in one chain.
        var application = azure.ActiveDirectoryApplications.Define(applicationName)
            .WithSignOnUrl(url)
            .WithIdentifierUrl(url)
            .WithAvailableToOtherTenants(false)
            .DefinePasswordCredential(id)
                .WithPasswordValue(secret)
                .Attach()
            .Create();

        Console.Read();
    }
}

And please ensure the scope is included in the access token to ensure that you have the permission for this operation. You can capture the request via Fiddler to check the token and decode the token from this site to check the scp claims in the access token.

Fei Xue - MSFT answered Jan 27 '26 05:01


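The answer's last step, checking that the access token actually carries the directory scopes, can be scripted instead of pasting the token into a web decoder. The following Python script is an added example and is not part of the answer or of the Azure fluent SDK: it splits a JWT, base64url-decodes the payload without verifying the signature (inspection only, exactly what a decoder site does), and reports which of the two scopes named in the answer are absent from the scp claim. The tokens it runs against are constructed here with placeholder tenant and audience values; it also covers the app-only case, where Azure AD omits scp and puts application permissions in a roles claim instead, so a client-credentials token will always be reported as lacking delegated scopes.

```python
import base64
import json

# Delegated permissions the answer names as sufficient for creating an
# application (scope names taken from the page).
REQUIRED_SCOPES = {"Directory.AccessAsUser.All", "Directory.ReadWrite.All"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a JWT WITHOUT verifying its signature.

    This only tells you what the token carries, not whether it is genuine,
    so use it to diagnose a Forbidden response, never to authorize anything.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return json.loads(_b64url_decode(parts[1]))


def missing_scopes(claims: dict, required=REQUIRED_SCOPES) -> set:
    """Return the required scopes that the token's scp claim lacks.

    Azure AD places delegated permissions in 'scp' as one space-separated
    string. An app-only token has no 'scp' and lists application permissions
    in 'roles'; that claim is deliberately not consulted here, so such a
    token is reported as missing every delegated scope.
    """
    granted = set(claims.get("scp", "").split())
    return set(required) - granted


def check_token(token: str) -> set:
    """Decode a token and return the scopes it lacks for application creation."""
    return missing_scopes(decode_jwt_payload(token))


def _make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg 'none', empty signature) for the demo."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample tokens; tenant id and audience are placeholders.
_TENANT = "00000000-0000-0000-0000-000000000000"
TOKEN_USER_READ_ONLY = _make_unsigned_token({
    "aud": "https://graph.windows.net", "tid": _TENANT, "scp": "User.Read",
})
TOKEN_WITH_DIRECTORY_WRITE = _make_unsigned_token({
    "aud": "https://graph.windows.net", "tid": _TENANT,
    "scp": "Directory.AccessAsUser.All Directory.ReadWrite.All User.Read",
})
TOKEN_APP_ONLY = _make_unsigned_token({
    "aud": "https://graph.windows.net", "tid": _TENANT,
    "roles": ["Directory.ReadWrite.All"],  # application permission, not a scope
})


if __name__ == "__main__":
    samples = [
        ("user token, User.Read only", TOKEN_USER_READ_ONLY),
        ("user token, directory write", TOKEN_WITH_DIRECTORY_WRITE),
        ("app-only token", TOKEN_APP_ONLY),
    ]
    for name, tok in samples:
        gap = check_token(tok)
        status = "ok" if not gap else "missing " + ", ".join(sorted(gap))
        print(f"{name}: {status}")
```

Run it against a real token captured from the request (for example with Fiddler, as the answer suggests) by passing the bearer value to check_token; an empty set means the token carries both directory scopes and the Forbidden response has another cause, such as the directory role of the signed-in user.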

