Nadia Hansen

Reputation: 947

Cannot find type Microsoft.Open.AzureAD.Model.ResourceAccess when using graph.microsoft.com

I am trying to add the required API permissions to my application using this script. The Azure AD module is not working in the version of PowerShell I am using (PowerShell 7 (x86)), so instead I am using the graph.microsoft.com API. The problem is that when I run it, it comes with errors saying "Cannot find type System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]: verify that the assembly containing this type is loaded." and the same with the RequiredResourceAccess.

So the problem is here. How do I get it to find the type and use the ResourceAccess?

    $ResourceAccessObjects = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
    foreach ($RoleAssignment in $RoleAssignments) {
        $resourceAccess = New-Object "microsoft.open.azuread.model.resourceAccess"
        $resourceAccess.Id = $RoleAssignment.Id
        $resourceAccess.Type = 'Role'
        $ResourceAccessObjects.Add($resourceAccess)
    }
    $requiredResourceAccess = New-Object "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $requiredResourceAccess.ResourceAppId = $targetSp.AppId
    $requiredResourceAccess.ResourceAccess = $ResourceAccessObjects

The whole script

Connect-AzAccount
$AADToken = (Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com").Token

Function GrantAllThePermissionsWeWant
{
    param
    (
        [string] $targetServicePrincipalName,
        $appPermissionsRequired,
        $appId,
        $spForApp
    )

    $restSplat = @{
        Method  = "GET"
        uri     = "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=displayName eq '$targetServicePrincipalName'"
        headers = @{"Authorization" = "Bearer $AADToken"; "Content-Type" = "application/json" }
    }

    # Graph returns the matches in a "value" array; piping the result to ConvertTo-Json
    # would turn it into a string, so the object is taken straight from the response
    $targetSp = (Invoke-RestMethod @restSplat).value[0]
    $RoleAssignments = @()
    Foreach ($AppPermission in $appPermissionsRequired) {
        $RoleAssignment = $targetSp.AppRoles | Where-Object { $_.Value -eq $AppPermission }
        $RoleAssignments += $RoleAssignment
    }

    # This is the part that fails: these types are defined by the AzureAD module, which is not loaded
    $ResourceAccessObjects = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
    foreach ($RoleAssignment in $RoleAssignments) {
        $resourceAccess = New-Object "microsoft.open.azuread.model.resourceAccess"
        $resourceAccess.Id = $RoleAssignment.Id
        $resourceAccess.Type = 'Role'
        $ResourceAccessObjects.Add($resourceAccess)
    }
    $requiredResourceAccess = New-Object "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $requiredResourceAccess.ResourceAppId = $targetSp.AppId
    $requiredResourceAccess.ResourceAccess = $ResourceAccessObjects

    # set the required resource access
    Set-AzureADApplication -ObjectId $appId.ObjectId -RequiredResourceAccess $requiredResourceAccess
    Start-Sleep -s 1

    # grant the required resource access
    foreach ($RoleAssignment in $RoleAssignments) {
        Write-Output -InputObject ('Granting admin consent for App Role: {0}' -f $($RoleAssignment.Value))
        New-AzureADServiceAppRoleAssignment -ObjectId $spForApp.ObjectId -Id $RoleAssignment.Id -PrincipalId $spForApp.ObjectId -ResourceId $targetSp.ObjectId
        Start-Sleep -s 1
    }
}

$appId = '(appid)'

$appPermissionsRequired = @('Directory.Read.All')
$targetServicePrincipalName = '(spname)'
GrantAllThePermissionsWeWant -targetServicePrincipalName $targetServicePrincipalName -appPermissionsRequired $appPermissionsRequired -appId $appId -spForApp $targetSp

I haven't got to the part where "Set-AzureADApplication" is a call to the graph.microsoft.com API instead, so please ignore that part.

Upvotes: 0

Views: 2354

Answers (2)

anon

Comparing with the PowerShell task, the Azure PowerShell task contains some Az modules by default:

Azure/AzureRM/Az PowerShell Module is used by Azure PowerShell task to communicate with Azure Subscription.

Because the AzureAD module is not automatically included in PowerShell, you are receiving a cannot find type error.

The commands below help you install the AzureAD module.

Install-Module AzureAD -Scope CurrentUser -Force

Import-Module AzureAD -Force

$graphPerms = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"

Install and then import the module at the start of your script and the issue will be fixed.

Upvotes: 3

Nadia Hansen

Reputation: 947

My solution was this:

# Build one resourceAccess entry per app role first: a PATCH replaces the whole
# requiredResourceAccess collection, so sending one role per request would leave only the last one
$resourceAccess = @(
    foreach ($RoleAssignment in $RoleAssignments) {
        @{
            id   = $RoleAssignment.Id
            type = "Role"
        }
    }
)

$restSplat = @{
    Method  = "PATCH"
    # $appId here must be the application's object id (or use applications(appId='...'))
    uri     = "https://graph.microsoft.com/v1.0/applications/$($appId)"
    headers = @{"Authorization" = "Bearer $AADToken"; "Content-Type" = "application/json" }
    body    = @{
        requiredResourceAccess = @(
            @{
                resourceAppId  = $targetSp.appId
                resourceAccess = $resourceAccess
            }
        )
    } | ConvertTo-Json -Depth 4
}
# A successful PATCH returns 204 No Content, so there is no .Value to read
$rest = Invoke-RestMethod @restSplat


Now I just need to grant the required resource access with Graph.microsoft.com too.

Upvotes: 0
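For both the asker's original script and the PATCH solution in the last answer, here is an added example (not the asker's or the answerer's code) that does the whole workflow against graph.microsoft.com without any AzureAD module types: look up the resource service principal, resolve the permission values to app role ids, merge them into the application's requiredResourceAccess, and grant admin consent by creating appRoleAssignments on the app's own service principal, which is the part still missing at the end of the answer. It assumes an Az.Accounts session whose account holds Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All; the function names, the application object id and the resource display name are my own placeholders. Two details the page does not spell out: PATCH replaces the whole requiredResourceAccess collection, so the example reads the current value and merges instead of overwriting, and a display name dropped into an OData $filter should have its single quotes doubled.

```powershell
# Added example; not the asker's or either answer's code. Assumes an Az.Accounts session
# (Connect-AzAccount) with Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All.
$graph = 'https://graph.microsoft.com/v1.0'

function Get-GraphToken {
    $t = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token
    # Newer Az.Accounts versions return the token as a SecureString
    if ($t -is [System.Security.SecureString]) { $t = ConvertFrom-SecureString -SecureString $t -AsPlainText }
    return $t
}

function Invoke-Graph {
    param([string]$Method, [string]$Path, $Body)
    $splat = @{
        Method      = $Method
        Uri         = "$graph/$Path"
        Headers     = @{ Authorization = "Bearer $(Get-GraphToken)" }
        ContentType = 'application/json'
    }
    if ($null -ne $Body) { $splat.Body = $Body | ConvertTo-Json -Depth 6 }
    Invoke-RestMethod @splat
}

function Get-ResourceServicePrincipal {
    param([string]$DisplayName)
    # Double single quotes so the name cannot change the meaning of the OData filter
    $safe = $DisplayName -replace "'", "''"
    $r = Invoke-Graph GET "servicePrincipals?`$filter=displayName eq '$safe'&`$select=id,appId,appRoles,displayName"
    if (@($r.value).Count -ne 1) { throw "Expected one service principal named '$DisplayName', found $(@($r.value).Count)" }
    return $r.value[0]
}

function Resolve-AppRole {
    param($ResourceSp, [string[]]$PermissionValues)
    foreach ($v in $PermissionValues) {
        # type "Role" means an application permission, so the app role must allow the Application member type
        $role = $ResourceSp.appRoles | Where-Object { $_.value -eq $v -and $_.allowedMemberTypes -contains 'Application' }
        if (-not $role) { throw "No application permission '$v' on $($ResourceSp.displayName)" }
        $role
    }
}

function Set-RequiredResourceAccess {
    param([string]$AppObjectId, $ResourceSp, $AppRoles)
    # PATCH replaces the whole requiredResourceAccess collection: merge with what is configured already
    $app    = Invoke-Graph GET "applications/${AppObjectId}?`$select=id,appId,requiredResourceAccess"
    $other  = @($app.requiredResourceAccess | Where-Object { $_.resourceAppId -ne $ResourceSp.appId })
    $same   = $app.requiredResourceAccess | Where-Object { $_.resourceAppId -eq $ResourceSp.appId }
    $access = @()
    if ($same) { $access += @($same.resourceAccess) }
    foreach ($role in $AppRoles) {
        if (-not ($access | Where-Object { $_.id -eq $role.id })) {
            $access += @{ id = $role.id; type = 'Role' }
        }
    }
    $entry = @{ resourceAppId = $ResourceSp.appId; resourceAccess = $access }
    Invoke-Graph PATCH "applications/$AppObjectId" @{ requiredResourceAccess = @($other + $entry) } | Out-Null
    return $app.appId
}

function Grant-AppRole {
    param([string]$AppId, $ResourceSp, $AppRoles)
    # Admin consent for an application permission is an appRoleAssignment on the app's own service principal
    $sp = Invoke-Graph GET "servicePrincipals?`$filter=appId eq '$AppId'&`$select=id"
    if (@($sp.value).Count -ne 1) { throw "No service principal for appId $AppId; create it before granting" }
    $spId    = $sp.value[0].id
    $granted = @((Invoke-Graph GET "servicePrincipals/$spId/appRoleAssignments").value)
    foreach ($role in $AppRoles) {
        if ($granted | Where-Object { $_.appRoleId -eq $role.id -and $_.resourceId -eq $ResourceSp.id }) {
            Write-Output "Already granted: $($role.value)"
            continue
        }
        Write-Output "Granting $($role.value) on $($ResourceSp.displayName)"
        Invoke-Graph POST "servicePrincipals/$spId/appRoleAssignments" @{
            principalId = $spId; resourceId = $ResourceSp.id; appRoleId = $role.id
        } | Out-Null
    }
}

# Placeholders: replace with your application's object id and the resource you need
$appObjectId = '<application object id>'
$resourceSp  = Get-ResourceServicePrincipal -DisplayName 'Microsoft Graph'
$roles       = @(Resolve-AppRole -ResourceSp $resourceSp -PermissionValues @('Directory.Read.All'))
$appId       = Set-RequiredResourceAccess -AppObjectId $appObjectId -ResourceSp $resourceSp -AppRoles $roles
Grant-AppRole -AppId $appId -ResourceSp $resourceSp -AppRoles $roles
```

Run it under the account that is allowed to consent; an application permission such as Directory.Read.All applies tenant-wide, so keep the permission list to what the app actually needs and check the existing assignments (as Grant-AppRole does) rather than re-granting on every run.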
