Reputation: 56
I have a problem automating the setting of preAuthorizedApplications for an Azure app registration from Az PowerShell 7.1.0. The code is making a transition to the MS Graph APIs, but the syntax of preAuthorizedApplications is not clear to me. Everything I found on the net, I tried, but nothing works and it keeps erroring out.
I created a piece of test code and a test app registration:
Get-AzADApplication -ApplicationId 956afe7b-f58f-4de5-83ea-02035cc98b3f # Just to get the Types
$PreAuthPrem1 = New-Object -TypeName "Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Models.ApiV10.MicrosoftGraphPreAuthorizedApplication"
$PreAuthPrem1.AppId = "1fec8e78-bce4-4aaf-ab1b-5451cc387264"
$PreAuthPrem1.DelegatedPermissionId = "d3a943ac-ea3b-4271-b750-abcd91b01162"
Update-AzADApplication -ApplicationId 956afe7b-f58f-4de5-83ea-02035cc98b3f -api @{"preAuthorizedApplications" = $PreAuthPrem1} -Debug
It keeps giving me the same error, which is not very helpful:
Line | 549 | Az.MSGraph.internal\Update-AzADApplication @PSBoundParameters | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Property preAuthorizedApplications in payload has a value that does not match schema.
The request to MS Graph is below (taken from the debug output):
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method: PATCH
Absolute Uri: https://graph.microsoft.com/v1.0/applications/ccd14ce8-1afe-45b3-a461-777d3129399b
Headers: x-ms-unique-id : 6 x-ms-client-request-id : cb41d352-4b67-4142-8795-9b77bf9b057a CommandName : Az.MSGraph.internal\Update-AzADApplication FullCommandName : Update-AzADApplication_UpdateExpanded ParameterSetName : __AllParameterSets User-Agent : AzurePowershell/v0.0.0,Az.MSGraph/5.2.0
Body: { "api": { "preAuthorizedApplications": "{\r\n "appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264",\r\n "delegatedPermissionIds": [ "d3a943ac-ea3b-4271-b750-abcd91b01162" ]\r\n}" } }
I found documentation which says it should be delegatedPermissionIds, but also that it should be permissionIds. Neither works for me:
https://learn.microsoft.com/en-us/graph/api/resources/preauthorizedapplication?view=graph-rest-1.0
I also tried other ways of setting the body so as not to include the special characters, but everything keeps giving the same error.
I also updated Az PowerShell (to 7.1.0) and PowerShell itself (7.2.1 Core).
I also tried with the Azure CLI:
$appObjectId='956afe7b-f58f-4de5-83ea-02035cc98b3f'
az rest -m PATCH -u https://graph.microsoft.com/v1.0/applications/$appObjectId --headers Content-Type=application/json -b '{"api":{"preAuthorizedApplications":[{"appId":"1fec8e78-bce4-4aaf-ab1b-5451cc387264","permissionIds":["d3a943ac-ea3b-4271-b750-abcd91b01162"]}]}}'
Bad Request({"error":{"code":"BadRequest","message":"Unable to read JSON request payload. Please ensure Content-Type header is set and payload is of valid JSON format.","innerError":{"date":"2022-01-31T06:23:44","request-id":"2ac51323-4f9b-4da8-8ec8-1187e4b73a59","client-request-id":"2ac51323-4f9b-4da8-8ec8-1187e4b73a59"}}})
Looks like the same problem.
Upvotes: 0
Views: 1223
Reputation: 56
This is the code that worked in my DevOps pipeline. I gave the service principal the rights and enabled access on the token.
$Body = @"
{
"api": {
"preAuthorizedApplications": [
{
"appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264",
"permissionIds": [
"d3a943ac-ea3b-4271-b750-abcd91b01162"
]
}
]
}
}
"@
$Uri = 'https://graph.microsoft.com/beta/applications/ccd14ce8-1afe-45b3-a461-777d3129399b'
$method = 'PATCH'
$Token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
$Header = @{
Authorization = "Bearer $Token"
}
Invoke-WebRequest -Uri $Uri -Method $method -Headers $Header -ContentType 'application/json' -Body $Body
Upvotes: 0
Reputation: 4893
We tried the same in our environment; as an alternate solution, we can use Graph Explorer.
To do that, we have to get our oauth2Permissions id from the manifest, or we can get it by running the code below:
az ad app show --id $appId --query "oauth2Permissions[].id"
Now we need to use Graph Explorer to achieve the above requirement by putting the following in our request body, using the method below:
PATCH https://graph.microsoft.com/beta/applications/<appObjectId>
Request body:
{
"api": {
"preAuthorizedApplications": [
{
"appId": "authorizedappClientID",
"permissionIds": [
"oauth2PermissionId"
]
}
]
}
}
Provide the object id of the application in the URI given above.
Allow the following consent: Modify permissions.
And check whether your permission ID is correct by navigating to the manifest.
To use az rest, please refer to this SO thread.
Upvotes: 0
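An added example, not code from any of the posts above, that combines the PowerShell PATCH from the first answer with the scope-id check the second answer recommends. It reads the current entries first (a PATCH replaces the whole preAuthorizedApplications collection, so an existing entry for another client would otherwise be dropped), verifies the scope id is one the app actually exposes under oauth2PermissionScopes, merges the new entry, lets ConvertTo-Json build the body from objects, and reads the result back. It assumes Connect-AzAccount has already run; the three values at the top are placeholders.

```powershell
# Placeholders: replace with your own values
$appObjectId = '<object-id-of-the-api-app-registration>'   # the directory object id, not the appId
$clientAppId = '<appId-of-the-client-app-to-pre-authorize>'
$scopeId     = '<id-of-the-oauth2PermissionScope>'

$Token  = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
$Header = @{ Authorization = "Bearer $Token" }
$Uri    = "https://graph.microsoft.com/v1.0/applications/$appObjectId"

# Read the current state: PATCH replaces the entire collection, so merge rather than overwrite
$current = Invoke-RestMethod -Uri $Uri -Method GET -Headers $Header
$entries = @($current.api.preAuthorizedApplications)

# Pre-authorization must reference a scope this app exposes; fail early instead of getting a schema error
$validScopes = @($current.api.oauth2PermissionScopes.id)
if ($validScopes -notcontains $scopeId) {
    throw "Scope '$scopeId' is not exposed by this app. Exposed scope ids: $($validScopes -join ', ')"
}

# Update the existing entry for this client, or append a new one
$existing = $entries | Where-Object { $_.appId -eq $clientAppId }
if ($existing) {
    $existing.permissionIds = @($existing.permissionIds + $scopeId | Select-Object -Unique)
} else {
    $entries += [pscustomobject]@{ appId = $clientAppId; permissionIds = @($scopeId) }
}

# Build the JSON from objects. -Depth matters: the default depth (2) would turn the nested
# members into strings, which is the same shape as the rejected payload shown in the question.
$Body = @{ api = @{ preAuthorizedApplications = $entries } } | ConvertTo-Json -Depth 10

Invoke-RestMethod -Uri $Uri -Method PATCH -Headers $Header -ContentType 'application/json' -Body $Body | Out-Null

# Read back what the directory stored, so the change is verified rather than assumed
(Invoke-RestMethod -Uri $Uri -Method GET -Headers $Header).api.preAuthorizedApplications |
    Format-Table appId, permissionIds
```

The read-back at the end doubles as an audit step: every appId listed there can obtain the named scopes without a user consent prompt, so it is worth reviewing after each change.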