microsoft / nav-arm-templates

ARM (Azure Resource Manager) templates for Microsoft Dynamics NAV
MIT License

SetupNavContainer.ps1 Cannot bind parameter 'AccessToken'. Cannot convert the value of type "System.String" to type "System.Security.SecureString". #206

Open hhout opened 1 year ago

hhout commented 1 year ago

Hi,

When deploying Azure environments on the basis of the nav-arm-templates, we ran into an issue in nav-arm-templates/master/SetupNavContainer.ps1.

The procedure that creates the Aad Apps for BC raises the error below:

New-AadAppsForBC Telemetry Correlation Id: 4a9ec360-0353-4dbe-8a6e-ca56f13a45f1
Connect-MgGraph : Cannot bind parameter 'AccessToken'. Cannot convert the "eyJ0e...aSw" value of type "System.String" to type "System.Security.SecureString".
At C:\Program Files\WindowsPowerShell\Modules\bccontainerhelper\5.0.3\AzureAD\New-AadAppsForBc.ps1:82 char:42
+ ...       Connect-MgGraph -AccessToken $bcAuthContext.accessToken | Out-N ...
+                                        ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Connect-MgGraph], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.Graph.PowerShell.Authentication.Cmdlets.ConnectMgGraph

The procedure uses BcAuthContext to create the Aad Apps for BC in nav-arm-templates/master/SetupNavContainer.ps1:

    try {
        $authContext = New-BcAuthContext -tenantID $aadDomain -credential $Office365Credential -scopes "https://graph.microsoft.com/.default"
        if (-not $authContext) {
            $authContext = New-BcAuthContext -includeDeviceLogin -scopes "https://graph.microsoft.com/.default" -deviceLoginTimeout ([TimeSpan]::FromSeconds(0))
            AddToStatus $authContext.message
            $authContext = New-BcAuthContext -deviceCode $authContext.deviceCode -deviceLoginTimeout ([TimeSpan]::FromMinutes(30))
            if (-not $authContext) {
                throw "Failed to authenticate with Office 365"
            }
        }
        $AdProperties = New-AadAppsForBC `
            -bcAuthContext $authContext `
            -appIdUri $appIdUri `
            -publicWebBaseUrl $publicWebBaseUrl `
            -IncludeExcelAadApp `
            -IncludeApiAccess `
            -IncludeOtherServicesAadApp `
            -preAuthorizePowerShell

In navcontainerhelper/AzureAD/New-AadAppsForBc.ps1 it tries to connect to MsGraph using the accessToken, but Connect-MgGraph -AccessToken requires a SecureString while $bcAuthContext.accessToken is a String:

    # Connect to Microsoft.Graph
    if (!$useCurrentMicrosoftGraphConnection) {
        if ($bcAuthContext) {
            $bcAuthContext = Renew-BcAuthContext -bcAuthContext $bcAuthContext
            $jwtToken = Parse-JWTtoken -token $bcAuthContext.accessToken
            if ($jwtToken.aud -ne 'https://graph.microsoft.com') {
                Write-Host -ForegroundColor Yellow "The accesstoken was provided for $($jwtToken.aud), should have been for https://graph.microsoft.com"
            }
            Connect-MgGraph -AccessToken $bcAuthContext.accessToken | Out-Null
        }
        else {
            if ($accessToken) {
                Connect-MgGraph -accessToken $accessToken | Out-Null
            }
            else {
                Connect-MgGraph -Scopes 'Application.ReadWrite.All' | Out-Null
            }
        }
    }

As a workaround we resolved the issue for now and changed our local version of nav-arm-templates/master/SetupNavContainer.ps1 to connect to MgGraph first using the SecureString, and to reuse that connection via the parameter -useCurrentMicrosoftGraphConnection instead of -bcAuthContext:

    $authContext.AccessToken = ConvertTo-SecureString $authContext.AccessToken -AsPlainText -Force
    Connect-MgGraph -AccessToken $AuthContext.accessToken | Out-Null

    $AdProperties = New-AadAppsForBC `
        -appIdUri $appIdUri `
        -publicWebBaseUrl $publicWebBaseUrl `
        -IncludeExcelAadApp `
        -IncludeApiAccess `
        -IncludeOtherServicesAadApp `
        -preAuthorizePowerShell `
        -useCurrentMicrosoftGraphConnection

In this case it successfully creates the app registrations.
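A version-tolerant way to hand the BcAuthContext token to Connect-MgGraph, added here as an example and not code from nav-arm-templates or BcContainerHelper: Microsoft.Graph 1.x accepted -AccessToken as [string] while 2.x requires [SecureString], so the helper inspects the installed cmdlet and converts only when needed. The function name Connect-MgGraphWithBcToken, the audience check that throws instead of warning, and the input object shape are assumptions.

```powershell
# Added example, not part of nav-arm-templates or BcContainerHelper.
# Assumes $bcAuthContext exposes an .accessToken property holding a plain JWT string,
# as New-BcAuthContext does on the page above.
function Connect-MgGraphWithBcToken {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $bcAuthContext,
        [string] $ExpectedAudience = 'https://graph.microsoft.com'
    )

    $token = $bcAuthContext.accessToken
    if ([string]::IsNullOrEmpty($token)) {
        throw 'bcAuthContext does not contain an access token'
    }

    # Decode the JWT payload (base64url, no signature validation; Graph validates
    # the signature server-side) and fail early on a wrong audience, which would
    # otherwise surface as a less readable 401 from Graph.
    $payload = $token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    if ($claims.aud -ne $ExpectedAudience) {
        throw "Access token audience is '$($claims.aud)', expected '$ExpectedAudience'"
    }

    # Look up the parameter type of the Connect-MgGraph that is actually installed:
    # [string] on Microsoft.Graph 1.x, [SecureString] on 2.x (the error on this page).
    $paramType = (Get-Command Connect-MgGraph).Parameters['AccessToken'].ParameterType
    if ($paramType -eq [System.Security.SecureString]) {
        $token = ConvertTo-SecureString -String $token -AsPlainText -Force
    }

    Connect-MgGraph -AccessToken $token | Out-Null
}

# Usage (constructed, requires a real BcAuthContext and the Microsoft.Graph module):
# Connect-MgGraphWithBcToken -bcAuthContext $authContext
# $AdProperties = New-AadAppsForBC -appIdUri $appIdUri -publicWebBaseUrl $publicWebBaseUrl -useCurrentMicrosoftGraphConnection
```

Because the conversion happens on a local copy, the plain-text token in $bcAuthContext is left untouched for later Renew-BcAuthContext calls.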

freddydk commented 3 months ago

I think this problem was fixed in ContainerHelper since this. Let me know if this is still a problem.

Thanks