Krishnan.D

Reputation: 78

Azure Active Directory - supporting multi-tenant consented app scenario

Scenario: I'm developing a multi-tenant consented application leveraging Azure Active Directory. The application can be thought of as a closed-loop star network. I would like to do the following:

1. Whitelist tenants that can "see" my app at design time.

2. Enable cert-based authentication. In a single tenant this would be straightforward. However, I'm a little confused what it means in the multi-tenant scenario. Each app (i.e., organization) brings its own certificate. In an S2S scenario, the nodes in the client organization's tenant would have these certs installed and the keyCredential for the client organization's AAD application would have the public key token configured. How then does this claim get validated on the target "Resource" application that resides in an entirely different tenant?

3. I expose oAuth2Permissions in my application and would like to automate the scenario using PowerShell. I have sample code that does something along the lines of:

# Assumes both the AzureRM and AzureAD modules are loaded and connected,
# and that $serviceAppIdUri, $adminConsentDisplay and $userConsentDisplay are set.
$serviceApplication = New-AzureRmADApplication -DisplayName <AADApplicationName> -AvailableToOtherTenants $true -IdentifierUris $serviceAppIdUri

# Collection that will be passed to Set-AzureADApplication
$aad_oAuth2Permissions = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]'

# Build the new "Read.Model" scope
$aad_oAuth2Perm_ReadModel = [Microsoft.Open.AzureAD.Model.OAuth2Permission]::New()
$aad_oAuth2Perm_ReadModel.AdminConsentDescription = ($adminConsentDisplay -f "Model")
$aad_oAuth2Perm_ReadModel.AdminConsentDisplayName = ($adminConsentDisplay -f "Model")
$aad_oAuth2Perm_ReadModel.Id = [guid]::NewGuid().Guid.ToString()
$aad_oAuth2Perm_ReadModel.IsEnabled = $true
$aad_oAuth2Perm_ReadModel.Type = 'User'
$aad_oAuth2Perm_ReadModel.UserConsentDescription = ($userConsentDisplay -f "Model")
$aad_oAuth2Perm_ReadModel.UserConsentDisplayName = ($userConsentDisplay -f "Model")
$aad_oAuth2Perm_ReadModel.Value = "Read.Model"
$aad_oAuth2Permissions.Add($aad_oAuth2Perm_ReadModel)

# Replace the application's OAuth2 permissions with the new collection
Set-AzureADApplication -ObjectId $serviceApplication.ObjectId.Guid.ToString() `
    -Oauth2Permissions $aad_oAuth2Permissions

The Set-AzureADApplication call always fails with the error below:

Set-AzureADApplication : Error occurred while executing SetApplication Code: Request_BadRequest Message: Property value cannot be deleted unless it is disabled first.

I believe I might have to delete the default "user_impersonation" oAuth2Permission that is created with the New-AzureRmADApplication call, but none of what I've tried works. How do I go about deleting specific oAuth2Permissions or replacing them with Set-AzureADApplication?

Upvotes: 2

Views: 272

Answers (1)

Shawn Tabrizi

Reputation: 12434

The problem here is that new applications come with a default OAuth 2 Permission, and you are trying to SET a brand new permission without including the old default permission, which is the same as a DELETE operation.

One solution would be to read all the existing OAuth 2 Permissions on the application, and then add your new permission alongside the existing ones, and then do the SET call. This will then avoid the "delete" call that is going on.

The other option is to do as the API is warning you. There is an existing OAuth 2 Permission, which needs to be IsEnabled=$false before it can be deleted. You can, before trying to add a new permission, read in the old permission, disable the permission, then delete it.

I believe either of these solutions will work to resolve your specific error message. To be completely clear, I did not really understand your scenario, so I do not know if even after you solve this problem, you will accomplish your ultimate goal.

Let me know if this helps.

Upvotes: 1
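Both approaches from the answer above, written out as an added example (not code from either poster). It assumes the AzureAD module is connected via Connect-AzureAD, that `$appObjectId` holds the application's ObjectId, and that `Add-Scope`, `Remove-DefaultScope` and the scope name `Read.Model` are hypothetical names chosen here.

```powershell
# Added example; assumes Connect-AzureAD has already been run.
function Get-PermissionList([string]$ObjectId) {
    # Read the permissions the app already has, including the default
    # user_impersonation scope that New-AzureRmADApplication created.
    $app = Get-AzureADApplication -ObjectId $ObjectId
    $list = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]'
    foreach ($p in $app.Oauth2Permissions) { $list.Add($p) }
    return $list
}

# Option 1: append the new scope alongside the existing ones, so the SET
# never implies deleting an enabled permission.
function Add-Scope([string]$ObjectId, [string]$Value, [string]$Description) {
    $perms = Get-PermissionList $ObjectId
    if ($perms | Where-Object { $_.Value -eq $Value }) { return $perms }  # idempotent
    $new = [Microsoft.Open.AzureAD.Model.OAuth2Permission]::New()
    $new.Id = [guid]::NewGuid().ToString()
    $new.IsEnabled = $true
    $new.Type = 'User'
    $new.Value = $Value
    $new.AdminConsentDisplayName = $Description
    $new.AdminConsentDescription = $Description
    $new.UserConsentDisplayName = $Description
    $new.UserConsentDescription = $Description
    $perms.Add($new)
    Set-AzureADApplication -ObjectId $ObjectId -Oauth2Permissions $perms
    return $perms
}

# Option 2: remove the default scope the way the API demands. A permission
# must be disabled in one SET before it can be dropped in a second SET.
# Clients that already consented to user_impersonation will lose that scope.
function Remove-DefaultScope([string]$ObjectId) {
    $perms = Get-PermissionList $ObjectId
    $default = $perms | Where-Object { $_.Value -eq 'user_impersonation' } | Select-Object -First 1
    if (-not $default) { return $perms }
    $default.IsEnabled = $false
    Set-AzureADApplication -ObjectId $ObjectId -Oauth2Permissions $perms   # step 1: disable
    [void]$perms.Remove($default)
    Set-AzureADApplication -ObjectId $ObjectId -Oauth2Permissions $perms   # step 2: delete
    return $perms
}

# Usage (hypothetical values):
# $perms = Add-Scope -ObjectId $appObjectId -Value 'Read.Model' -Description 'Read the model'
# $perms = Remove-DefaultScope -ObjectId $appObjectId
```

Run Option 1 first if the new scope must exist before the default one is retired, so the application is never left with an empty permission set.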
