AzureAD / azure-activedirectory-powershell

This is a repo for Azure AD PowerShell scripts and samples
30 stars 27 forks

Unable to add Application Permissions to App Registration #15

Open desireewilliams opened 4 years ago

desireewilliams commented 4 years ago

Hello,

When trying to add Application Permissions to an App Registration, I am running into an issue where the permission is added as a GUID and is unable to be verified.

For example, adding the Microsoft Graph Directory.Read.All permission, I am running the following:

```powershell
# Get the service principal
$graph = Get-AzureADServicePrincipal -SearchString "Microsoft Graph"

# Create the access object
$readAll = New-Object Microsoft.Open.AzureAd.Model.ResourceAccess

# Application permission instead of delegated
$readAll.Type = "Role"

# Permission ID
$readAll.Id = ($graph.Oauth2Permissions | where {$_.Value -eq 'Directory.Read.All'}).Id

$graphRequiredAccess = New-Object Microsoft.Open.AzureAd.Model.RequiredResourceAccess
$graphRequiredAccess.ResourceAppId = $graph.AppId
$graphRequiredAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
$graphRequiredAccess.ResourceAccess.Add($readAll)

$requiredPermissions = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAd.Model.RequiredResourceAccess]
$requiredPermissions.Add($graphRequiredAccess)

# Create the application
$app = New-AzureADApplication -DisplayName "Test Application" -AvailableToOtherTenants $false -RequiredResourceAccess $requiredPermissions
```

This creates the following permission in the app: (image)

When attempting to validate through the web interface, I get the following: (image)

I've tried the New-AzureADServiceAppRoleAssignment as well, but get an error when I try to use the ID of the required resource. The only way I can get the command to complete is with the following:

```powershell
# Create the service principal to assign application permissions to
$sp = New-AzureADServicePrincipal -AppId $app.AppId

# $sps was not defined in the post; assumed here to be all service principals in
# the tenant, which the lookup below needs
$sps = Get-AzureADServicePrincipal -All $true

# Assign the permissions to the service principal
foreach ($requiredApp in $app.RequiredResourceAccess) {
    New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -PrincipalId $sp.ObjectId `
        -ResourceId ($sps | where {$_.AppId -eq $requiredApp.ResourceAppId}).ObjectId -Id ([Guid]::Empty)
}
```

It still generates the Consent Validation Failed message from above.

From what I can see, none of these cmdlets have examples loaded into them, in either a Docs page or using the Get-Help -examples commands.

As a note, I tried using the Azure CLI (bash) command `az ad app permission grant --id 00000000-0000-0000-0000-000000000000 --api 0000-0000-c000-000000000000 --api-permission 06da0dbc-49e2-44d2-8312-53f166ab848a=Scope`, which generates the same result in the web interface as the screenshot above, with the same Consent Validation Failed message when trying to grant access.

Let me know if I can provide any further information.
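The same registration with the Id taken from the application-permission collection, as an added example; this is not code from the issue or from the repository, and the function names Get-PermissionId and Resolve-RequiredResourceAccess are its own. It assumes the AzureAD module with a Connect-AzureAD session held by an administrator allowed to grant consent. In that module a service principal lists its application permissions under AppRoles and its delegated permissions under Oauth2Permissions, so a ResourceAccess of Type Role needs an AppRole Id; an Oauth2Permissions Id paired with Type Role registers as a GUID that the resource cannot resolve to a name. The block also includes the check a practitioner would run before granting consent: resolve every registered Id back to a permission name and flag a type mismatch.

```powershell
# Added example, not code from the issue or the repo. Assumes the AzureAD module
# and a Connect-AzureAD session held by an administrator who can grant consent.
# Function names in this block are this example's own.
#
# A service principal exposes application permissions in .AppRoles and delegated
# permissions in .Oauth2Permissions. A ResourceAccess of Type 'Role' must carry
# an AppRole Id and one of Type 'Scope' an Oauth2Permission Id; mixing them
# registers a GUID the resource cannot resolve to a permission name.

$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known AppId of Microsoft Graph

# Filter on AppId: -SearchString "Microsoft Graph" can also match other service
# principals whose display name starts with that text.
$graph = Get-AzureADServicePrincipal -Filter "appId eq '$graphAppId'"

function Get-PermissionId {
    param(
        [Parameter(Mandatory)] $ServicePrincipal,
        [Parameter(Mandatory)] [string] $Value,
        [Parameter(Mandatory)] [ValidateSet('Role', 'Scope')] [string] $Type
    )
    # Role -> AppRoles (application permissions); Scope -> Oauth2Permissions (delegated)
    $collection = if ($Type -eq 'Role') { $ServicePrincipal.AppRoles } else { $ServicePrincipal.Oauth2Permissions }
    $perm = $collection | Where-Object { $_.Value -eq $Value }
    if (-not $perm) {
        throw "'$Value' is not a $Type permission of $($ServicePrincipal.DisplayName)"
    }
    return $perm.Id
}

# Application permission Directory.Read.All, looked up in AppRoles
$readAll      = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
$readAll.Type = 'Role'
$readAll.Id   = Get-PermissionId -ServicePrincipal $graph -Value 'Directory.Read.All' -Type 'Role'

$graphRequiredAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$graphRequiredAccess.ResourceAppId  = $graph.AppId
$graphRequiredAccess.ResourceAccess = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]'
$graphRequiredAccess.ResourceAccess.Add($readAll)

$requiredPermissions = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]'
$requiredPermissions.Add($graphRequiredAccess)

$app = New-AzureADApplication -DisplayName 'Test Application' `
    -AvailableToOtherTenants $false `
    -RequiredResourceAccess $requiredPermissions

# Check what was actually registered: resolve every Id against both collections
# of the resource and flag an Id that only exists under the other Type.
function Resolve-RequiredResourceAccess {
    param([Parameter(Mandatory)] $Application)
    foreach ($req in $Application.RequiredResourceAccess) {
        $resource = Get-AzureADServicePrincipal -Filter "appId eq '$($req.ResourceAppId)'"
        foreach ($access in $req.ResourceAccess) {
            $asRole  = $resource.AppRoles          | Where-Object { $_.Id -eq $access.Id }
            $asScope = $resource.Oauth2Permissions | Where-Object { $_.Id -eq $access.Id }
            $status = 'unknown id'
            if ($asRole -or $asScope) { $status = 'type mismatch' }
            if (($access.Type -eq 'Role' -and $asRole) -or ($access.Type -eq 'Scope' -and $asScope)) { $status = 'ok' }
            [pscustomobject]@{
                Resource = $resource.DisplayName
                Type     = $access.Type
                Id       = $access.Id
                Value    = if ($asRole) { $asRole.Value } elseif ($asScope) { $asScope.Value } else { $null }
                Status   = $status
            }
        }
    }
}
Resolve-RequiredResourceAccess -Application (Get-AzureADApplication -ObjectId $app.ObjectId)

# Admin consent for an application permission is an app role assignment on the
# client's service principal; -Id is the AppRole Id, not [Guid]::Empty.
$sp = New-AzureADServicePrincipal -AppId $app.AppId
New-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -PrincipalId $sp.ObjectId `
    -ResourceId $graph.ObjectId -Id $readAll.Id
```

Run Resolve-RequiredResourceAccess against the application built in the issue and the Directory.Read.All row comes back with Status 'type mismatch', because the Id is found in Oauth2Permissions while the entry is of Type Role; against this registration it comes back 'ok'.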

Kitwradr commented 3 years ago

You can try granting admin consent via code, but for this you have to log in as an admin of the tenant.

```powershell
# Prerequisites for this snippet: an Az session (Connect-AzAccount) as a tenant
# admin, and $newApp holding the object returned by New-AzureADApplication
$context  = Get-AzContext
$TenantId = $context.Tenant.Id
$appId    = $newApp.AppId
# Token for the Azure portal's private API; 74658136-14ec-4630-ad9b-26e160ff0fc6 is the
# portal's own client id. main.iam.ad.ext.azure.com is undocumented and unsupported,
# so this can stop working without notice.
$token = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate(
    $context.Account, $context.Environment, $TenantId, $null, "Never", $null, "74658136-14ec-4630-ad9b-26e160ff0fc6")
$headers = @{
    'Authorization'          = 'Bearer ' + $token.AccessToken
    'X-Requested-With'       = 'XMLHttpRequest'
    'x-ms-client-request-id' = [guid]::NewGuid()
    'x-ms-correlation-id'    = [guid]::NewGuid()
}
# onBehalfOfAll=true grants tenant-wide (admin) consent for everything in the app's RequiredResourceAccess
$url = "https://main.iam.ad.ext.azure.com/api/RegisteredApplications/$appId/Consent?onBehalfOfAll=true"
Invoke-RestMethod -Uri $url -Headers $headers -Method POST -ErrorAction Stop
```
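Granting the same consent through the documented Microsoft Graph API instead of the portal's private main.iam.ad.ext.azure.com endpoint, as an added example that is not code from the comment above or from the repository. It assumes the Az.Accounts module (Get-AzAccessToken) with a Connect-AzAccount session held by an administrator allowed to consent; the function names and the placeholder client service principal id are this example's own. Admin consent for an application permission is an appRoleAssignment on the client service principal, and for delegated permissions an oauth2PermissionGrant with consentType AllPrincipals; both paths look for an existing entry first, since Graph rejects a duplicate.

```powershell
# Added example, not code from the comment above or the repo. Grants tenant-wide
# admin consent through the documented Microsoft Graph API. Assumes the Az.Accounts
# module with a Connect-AzAccount session held by an administrator who can consent.
# Function names and the placeholder id at the bottom are this example's own.

function Get-GraphHeaders {
    # Get-AzAccessToken returns a plain string in older Az.Accounts releases and a
    # SecureString in newer ones; accept both.
    $token = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
    if ($token -is [System.Security.SecureString]) {
        $token = [System.Net.NetworkCredential]::new('', $token).Password
    }
    return @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
}

function Get-ServicePrincipalByAppId {
    param([Parameter(Mandatory)] [string] $AppId)
    $filter = [uri]::EscapeDataString("appId eq '$AppId'")
    $uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=$filter&`$select=id,displayName,appRoles,oauth2PermissionScopes"
    $sp = (Invoke-RestMethod -Uri $uri -Headers (Get-GraphHeaders) -Method GET).value
    if (-not $sp) { throw "No service principal for appId $AppId in this tenant" }
    return $sp[0]
}

function Grant-ApplicationPermission {
    # Admin consent for an application permission is an appRoleAssignment on the
    # client service principal. An existing assignment is returned, not re-created:
    # Graph rejects a duplicate with HTTP 400.
    param(
        [Parameter(Mandatory)] [string] $ClientSpId,
        [Parameter(Mandatory)] $ResourceSp,            # object from Get-ServicePrincipalByAppId
        [Parameter(Mandatory)] [string] $RoleValue     # e.g. 'Directory.Read.All'
    )
    $role = $ResourceSp.appRoles | Where-Object { $_.value -eq $RoleValue -and $_.allowedMemberTypes -contains 'Application' }
    if (-not $role) { throw "'$RoleValue' is not an application permission of $($ResourceSp.displayName)" }
    $headers = Get-GraphHeaders
    $uri = "https://graph.microsoft.com/v1.0/servicePrincipals/$ClientSpId/appRoleAssignments"
    $existing = (Invoke-RestMethod -Uri $uri -Headers $headers -Method GET).value |
        Where-Object { $_.resourceId -eq $ResourceSp.id -and $_.appRoleId -eq $role.id }
    if ($existing) { return $existing }
    $body = @{ principalId = $ClientSpId; resourceId = $ResourceSp.id; appRoleId = $role.id } | ConvertTo-Json
    Invoke-RestMethod -Uri $uri -Headers $headers -Method POST -Body $body
}

function Grant-DelegatedPermission {
    # Admin consent for delegated permissions is an oauth2PermissionGrant with
    # consentType AllPrincipals. One client/resource pair holds a single such
    # grant, so an existing one is PATCHed with the union of scopes.
    param(
        [Parameter(Mandatory)] [string] $ClientSpId,
        [Parameter(Mandatory)] $ResourceSp,
        [Parameter(Mandatory)] [string[]] $Scopes
    )
    foreach ($s in $Scopes) {
        if (-not ($ResourceSp.oauth2PermissionScopes | Where-Object { $_.value -eq $s })) {
            throw "'$s' is not a delegated permission of $($ResourceSp.displayName)"
        }
    }
    $headers = Get-GraphHeaders
    $base = 'https://graph.microsoft.com/v1.0/oauth2PermissionGrants'
    $filter = [uri]::EscapeDataString("clientId eq '$ClientSpId' and resourceId eq '$($ResourceSp.id)' and consentType eq 'AllPrincipals'")
    $existing = (Invoke-RestMethod -Uri "${base}?`$filter=$filter" -Headers $headers -Method GET).value
    if ($existing) {
        $merged = @(($existing[0].scope -split ' ') + $Scopes | Where-Object { $_ } | Sort-Object -Unique) -join ' '
        Invoke-RestMethod -Uri "$base/$($existing[0].id)" -Headers $headers -Method PATCH -Body (@{ scope = $merged } | ConvertTo-Json)
        return [pscustomobject]@{ id = $existing[0].id; scope = $merged; action = 'updated' }
    }
    $body = @{ clientId = $ClientSpId; consentType = 'AllPrincipals'; resourceId = $ResourceSp.id; scope = ($Scopes -join ' ') } | ConvertTo-Json
    Invoke-RestMethod -Uri $base -Headers $headers -Method POST -Body $body
}

# Usage: $clientSpObjectId is the object id of the app's service principal
# (for example $sp.ObjectId from New-AzureADServicePrincipal); placeholder below.
$clientSpObjectId = '<object id of the client service principal>'
$graph = Get-ServicePrincipalByAppId -AppId '00000003-0000-0000-c000-000000000000'
Grant-ApplicationPermission -ClientSpId $clientSpObjectId -ResourceSp $graph -RoleValue 'Directory.Read.All'
Grant-DelegatedPermission   -ClientSpId $clientSpObjectId -ResourceSp $graph -Scopes 'User.Read'
```

The caller's token needs Graph permission to write these objects (AppRoleAssignment.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All, or an admin directory role); the portal endpoint in the comment above bypasses that by using the portal's own client id, which is why it is not a supported path.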