Create a user delegated permission and an application permission with the same name in Azure Active Directory

For a training we are delivering I tried to create a little sample where I show how to create an API and protect it with our Microsoft Identity Platform. We have 2 kind of permissions we can support with our consent and permissions framework. User delegated permissions and application permissions. This is what we use for MS Graph as well.

User delegated permissions are used if you want to grant the app running the permissions in name of the user. For example I want the app to be able to read the users email. In our portal that’s very easy to setup in the application blade and select expose API.

The second type of permissions are called application permissions. These permissions are used for daemon apps for example. Applications which don’t have user interaction directly. At this moment you cannot create these through the UI so you have to modify the manifest.

What I didn’t know until this week is how to create an app permission with the same name as the user delegated permission. For example the Catalog.View.All permissions is something I want to expose so a daemon app could call that API as well. Application permissions are created by creating roles in the manifest. It’s almost the same as user roles but with the little change that the allowedMemberTypes is Application instead of User.

The one trick you have to do if you need the app permission to be the same as the user delegated permission is the id, displayname and description have to be exactly the same. So if you look in the manifest at the user delegated permission:

The adminConsentDisplay name needs to be the same as the displayName and the adminConsentDescription needs to be the same as description. The id needs to be the same and isEnabled needs to be the same to.

If you don’t do this and the value is the same you will get an error when trying to save the manifest.

If I now go to my daemon app and request API permission they will show up in both types of permissions. First is the Application permissions screen:

Second is the Delegated permissions screen:

We really should have a UI to be able to this so you don’t have to do this by hand and make the mistakes I made to get this to work. The team is working on this, I just don’t know what the exact timeline is.

Let me know if this was useful for you and if you are using this to protect your own APIs with our identity platform.

Little update about my job after 8 months

End of June our fiscal year ended. After a lot of travel this month I finally had some time to spend time with my family. My mom is visiting and was able to watch my daughter Lisa so my wife could join me in Washington, where I was for Identiverse and later travel to visit friends near New York. June was the heaviest travel month for me so far. I spend 2 nights at home. But this weekend I spend time away from home WITH family and enjoyed a nice time at the water in Bremerton. That also gave me some time to reflect and look back at my new job so far.

Travel

To summarizes my job which I started in October 2018, tons of travel! Before I joined this team, I had a year I didn’t travel at all and since I started this new role I have been around the world. I have seen many different places and met a ton of new people. I learned a ton of new technology and visited many conferences. Time really has flew by since I started.

The video above is build with the mobile app ‘app in the air’. It reads all my trip-it information (the app I use to organize my travel) and creates a nice little video. As you can see I have sit in a plane a lot.

Since I started the job I flew 128257 real miles, sat in the plane for 286 hours for 54 flights. If you look at the trip-it stats I have traveled 108 days for 12 trips, visited 16 countries and 33 cities. This resulted in being Delta Diamond for the first time in my life (125.000 qualifying miles needed, I have 141.504 so far this year alone). Got me to Platinum level at the Marriott, spent plenty of nights in other brand hotels as well.

To keep my daughter involved in all the time away from home we bought a world map and we set pins on the places I still need to go and where I am at the moment (golden pin). I also send postcards of all the places I travel (tip from Colene). So far Lisa received 15 post cards, Milan and Johannesburg cards never arrived). Some cards take 5 weeks to arrive, while others take a week.

IMG_20190707_200336

I started most of the work for Ignite the tour where we had to present on our Identity platform and I had to man the Azure Active Directory booth. One thing I learned; booth duty is a enormous good way for ramp up. I would recommend any new hire to man the booth for a couple of days. You might not know any answers when you start but that forces you to figure out the answers and it’s great for your internal network. It also forced me to understand more than just the developer platform.

Conferences

As my job describes; I presented at a lot of different conferences across the world. Part of the job is trying to get into the door of other non-Microsoft conferences. You need to build a bit of a name of yourself before you get selected and invited for conferences. Fortunately I still know some people who were generous enough to offer a speaking slot at their conferences. I also delivered a ton of different developer trainings around the world. I was fortunate enough to start this job with the help of my colleague Kyle Marsh. So it was an easier start because I was able to ask a ton of questions. Besides Kyle there are a ton of other folks I started to get to know who can help me with my endless list of questions. We are still figuring things out together. The interesting part of giving developer training is you really need to understand and know how things work. I still run into things which I think are not logical or hard to explain to developers. Most developers we train are not familiar with modern authentication and authorization. Terms like auth2 and OIDC are completely new to them. We try to explain the new way to integrate with Azure Active Directory in a way they don’t really need to understand how those protocols work.

A few conferences stood out to me:

Identiverse

This conference was held in June in Washington DC. Everybody who is anybody in the identity space is at this conference. It felt like a small family. Interesting content but more so, very interesting people. You realize these folks are the people who invented a lot of things which makes the internet as we know it more secure. It was also very clear Microsoft is one of the leaders in this space. My colleague Libby demoed our FIDO2 integration with our platform and that got a huge applause from the audience (and the folks in the audience really understand the importance of this)

Techorama Belgium

I finally got the chance to present and attend Techorama in Belgium (1700 attendees). Together with my colleague Kyle Marsh we delivered a paid pre-conf 1 day developer workshop. And I presented a session at the conference. This conference was very well organized and it was great to see a lot of familiar faces and catch up. Fortunately I am presenting at Techorama in NL in October as well.

NDC Oslo

This was one of the best organized events I have ever been. Especially the food the entire day was smart, no huge lines during lunch rush hour. Also a ton of familiar faces and tons of very well known speakers. I hope I can get on stage for this conference in the future. I attended a workshop from Brock Allen on ASP.Net middleware and Identity Server. One of the better trainings I ever attended and got me a ton of knowledge on our own platform as well. I returned home with a lot of questions on how and why we implemented certain features in Azure Active Directory Smile

People

What I like most about this job is meeting new and familiar people. I love working with (enterprise) developers. And being on the road again helps me meet so many of you. I learn a ton. As part of my job is not only be the developer voice of our Identity organization, it’s also bringing back feedback and insights. Every time I talk to a developer I learn something new (or get confirmation off something we already knew).

Coming time

Part of the job is also a ton of customer/ISV meetings and calls to talk and help through different architectural discussions. How do you do X, how do I add external identities. What’s the best way to developer multi-tenant solitions etc. We also support our internal teams at Microsoft. Still cool if you have a call with some developers from Minecraft and you are able to come up with an architecture they need to implement a certain requirement.

The coming time I am focusing on creating more developer training content. We are scaling up our efforts to also train more field people (MS colleagues who also need to talk about security with our customers) on our developer content. I plan to submit to more conferences to try to get a speaking slot. We will create more developer content in a box which can be used by field and MVPs to redeliver the training we have been delivering all over the world. Although the content is still changing we think we are currently in a fairly good spot.

I also want to create a few blog posts with little nuggets of information and things I learned. I hoped to do that more during my learning process but to be honest. I have been very very busy to ramp up and deliver the content all over the world I didn’t find time to do that.

1 thing I didn’t expect with all the travel is how much tired I would be. When traveling you think, I have so much time in the plane. When I am at the location I have so much time at night since I am not at home, but most of the time I am just tired, jet-lagged, hungry. Tons of preparations to do for the trainings and presentations. The work from Redmond with all the calls and customer calls continue when you are traveling too. So you make tons of ours and just a few hours of sleep a night before heading back to home and try to have a social and family live and perhaps spend some time continue the remodel which is not finished yet Smile.

We signed up for 20 cities for Ignite the tour this year (Tokyo, Singapore are new cities for me). We divided it with the 2 of us. So hopefully we can hire new people to join us for this tour to lessen the burden on travel time a bit. On the other hand, this gives me the opportunity to travel to Australia again for example and visit my buddy Roel. There are absolutely benefits of travelling the world.

So far it had been a great experience, I learned a ton. Sandra and Lisa have been great supporters. Fortunately we can hire 2 more persons in the team which should help cut back some of the travel which has been a bit crazy.