
How to add Owners to an Azure Active Directory Application

I am registering AAD Applications through the following code

ActiveDirectoryClient activeDirectoryClient =
    new ActiveDirectoryClient(serviceRoot, async () => await GetAppTokenAsync());

Application application = new Application()
{
    AvailableToOtherTenants = false,
    DisplayName = appName,
    ErrorUrl = null,
    GroupMembershipClaims = null,
    Homepage = "http://" + appName,
    IdentifierUris = new List<string>() { "https://" + appName },
    KeyCredentials = new List<KeyCredential>(),
    KnownClientApplications = new List<Guid>(),
    LogoutUrl = null,
    Oauth2AllowImplicitFlow = false,
    Oauth2AllowUrlPathMatching = false,
    Oauth2Permissions = new List<OAuth2Permission>(),
    Oauth2RequirePostResponse = false,
    PasswordCredentials = new List<PasswordCredential>(),
    PublicClient = false,
    ReplyUrls = new List<string>(),
    RequiredResourceAccess = new List<RequiredResourceAccess>(),
    SamlMetadataUrl = null,
    ExtensionProperties = new List<ExtensionProperty>(),
    // Navigation properties below (Manager, Owners, Members, ...) are
    // initialised empty here; the owner is meant to be added afterwards.
    Manager = null,
    ObjectType = "Application",
    DeletionTimestamp = null,
    CreatedOnBehalfOf = null,
    CreatedObjects = new List<DirectoryObject>(),
    DirectReports = new List<DirectoryObject>(),
    Members = new List<DirectoryObject>(),
    MemberOf = new List<DirectoryObject>(),
    Owners = new List<DirectoryObject>(),
    OwnedObjects = new List<DirectoryObject>(),
    Policies = new List<DirectoryObject>()
};

I also have an object of type Microsoft.Azure.ActiveDirectory.GraphClient.User which contains all the information of a user that I want to add as an owner of the application.

How can I do that?

The way I was trying to do that is this:

// Create the application first; AppId is filled in from the response.
activeDirectoryClient.Applications.AddApplicationAsync(application).Wait();

ServicePrincipal newServicePrincipal = new ServicePrincipal();
if (application != null)
{
    newServicePrincipal.DisplayName = application.DisplayName;
    newServicePrincipal.AccountEnabled = true;
    newServicePrincipal.AppId = application.AppId;
    // Attempt to set the owner as part of the create request
    newServicePrincipal.Owners.Add(user);

    try
    {
        activeDirectoryClient.ServicePrincipals.AddServicePrincipalAsync(newServicePrincipal).Wait();
    }
    catch (Exception e)
    {
        Console.WriteLine(e.Message);
    }
}

But when I navigate to the application manually in the Azure Portal, the only owner that appears is my own account, and not also the other account I have in the user variable.

Any idea how to add other owners to the application?

I can reproduce this issue too. The root cause of this issue is that the Azure AD Graph library doesn't provide the owner info when it tries to create the service principal.

If you want to add the owner for the service principal, you can use the code below after creating the service principal:

var activeDirectoryClient = GraphHelper.CreateGraphClient();
// Fetch the existing service principal by its object id (not its AppId)
var sp = (ServicePrincipal)activeDirectoryClient.ServicePrincipals.GetByObjectId("4af8365b-1b49-481c-8c47-7b3fab5611fc").ExecuteAsync().Result;
// Helper that looks the user up by user principal name
var user = new Users().GetUserByUserName(activeDirectoryClient, "user2@adfei.onmicrosoft.com").Result;
sp.Owners.Add(user);
// The update must be awaited (or waited on); an un-awaited UpdateAsync() may never be sent
sp.UpdateAsync().Wait();

And if you want to add the owner of the application, here is the code for your reference:

var activeDirectoryClient = GraphHelper.CreateGraphClient();
// Fetch the existing application by its object id (not its AppId)
var app = (Application)activeDirectoryClient.Applications.GetByObjectId("bd87934b-dd4f-446a-a025-7675d1b2464a").ExecuteAsync().Result;
// Helper that looks the user up by user principal name
var user = new Users().GetUserByUserName(activeDirectoryClient, "user2@adfei.onmicrosoft.com").Result;
app.Owners.Add(user);
// The update must be awaited (or waited on); an un-awaited UpdateAsync() may never be sent
app.UpdateAsync().Wait();

For more detail about the difference between an application and a service principal, please check this document.

And if you want the Graph client library to support adding the owner when creating them, you can try to submit feedback here.

Update

using System;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;

public static ActiveDirectoryClient CreateGraphClient()
{
    string accessToken = "";   // token issued for the graph.windows.net resource
    string tenantId = "";      // tenant id or verified domain, used as the URL path segment
    string graphResourceId = "https://graph.windows.net";

    Uri servicePointUri = new Uri(graphResourceId);
    Uri serviceRoot = new Uri(servicePointUri, tenantId);

    // The token callback simply hands back the already acquired token
    ActiveDirectoryClient activeDirectoryClient =
        new ActiveDirectoryClient(serviceRoot, async () => await Task.FromResult(accessToken));

    return activeDirectoryClient;
}

Added a runnable code sample to add an owner for the service principal: https://github.com/VitorX/AddServicePrincipalWithOwner

Update2

After you run the code sample above, you can capture the result using Fiddler as below. We can get the object id of the service principal from the response of creating the service principal: (screenshot)

Then we can check the owners of the principals via REST, as in the figure below: (screenshot)
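The answer above splits the work into two round trips (create, then update with the owner) and verifies the result with a separate REST read. The example below, added here and not part of the original question, answer or the linked sample, puts the whole sequence together in one async method against the same Azure AD Graph client library: it resolves the owner first, creates the application and its service principal, adds the owner with awaited updates, and then reads the owners back from the directory instead of trusting the local object. `client` is assumed to be a tenant-scoped ActiveDirectoryClient such as the one returned by the answer's GraphHelper.CreateGraphClient(); `appName` and `ownerUpn` are placeholders. Owners of an app registration can add credentials to it and obtain whatever permissions the app has been granted, so the UPN passed in should be treated as a privileged assignment, and the token behind `client` must be allowed to write applications and service principals.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;

public static class AppOwnerSample
{
    // Creates an application plus service principal named appName, makes the
    // user identified by ownerUpn an owner of both, and returns true only if
    // the directory reports that user as an owner of the application afterwards.
    public static async Task<bool> CreateAppWithOwnerAsync(
        ActiveDirectoryClient client, string appName, string ownerUpn)
    {
        // 1. Resolve the owner first so a typo in the UPN fails before anything is created.
        var ownerPage = await client.Users
            .Where(u => u.UserPrincipalName == ownerUpn)
            .ExecuteAsync();
        var owner = ownerPage.CurrentPage.OfType<User>().FirstOrDefault();
        if (owner == null)
        {
            throw new InvalidOperationException("No user with UPN " + ownerUpn);
        }

        // 2. Create the application. Owners is left empty on purpose: the client
        //    library does not send it as part of the create request.
        var app = new Application
        {
            DisplayName = appName,
            IdentifierUris = new List<string> { "https://" + appName },
            AvailableToOtherTenants = false,
        };
        await client.Applications.AddApplicationAsync(app);   // fills in AppId and ObjectId

        // 3. Create the service principal for the new AppId.
        var sp = new ServicePrincipal
        {
            DisplayName = appName,
            AccountEnabled = true,
            AppId = app.AppId,
        };
        await client.ServicePrincipals.AddServicePrincipalAsync(sp);

        // 4. Add the owner in a second round trip (an update, not a create) and
        //    await it; a discarded UpdateAsync() task may never be sent.
        app.Owners.Add(owner);
        await app.UpdateAsync();
        sp.Owners.Add(owner);
        await sp.UpdateAsync();

        // 5. Verify from the directory, not from the local entity: re-fetch the
        //    application by object id and enumerate its owners navigation.
        IApplicationFetcher appFetcher = client.Applications.GetByObjectId(app.ObjectId);
        var owners = await appFetcher.Owners.ExecuteAsync();
        return owners.CurrentPage.OfType<User>().Any(u => u.ObjectId == owner.ObjectId);
    }
}
```

Step 5 is the programmatic form of the REST check the answer shows in Fiddler: it is equivalent to `GET https://graph.windows.net/{tenant}/applications/{objectId}/owners?api-version=1.6`. Checking the service principal's owners works the same way through `client.ServicePrincipals.GetByObjectId(sp.ObjectId).Owners.ExecuteAsync()`.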
