I have an Azure DevOps CI/CD pipeline in which a PowerShell script creates a new Azure AD app. Although the service principal has permissions granted against the following Graph APIs, it fails with the following exception.
2020-12-14T11:49:55.0146669Z ##[error]Error occurred while executing GetApplications Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation. RequestId: 1130fbec-3eec-4c8e-a2dd-e134f2c4621f DateTimeStamp: Mon, 14 Dec 2020 11:49:54 GMT HttpStatusCode: Forbidden HttpStatusDescription: Forbidden HttpResponseStatus: Completed
The API permissions that I have for the service principal are:
I use the following script to connect to Azure AD from the pipeline and create the Azure AD app using PowerShell:
Install-Module AzureAD -Force -Verbose -Scope CurrentUser

# Reuse the Az context that the pipeline task has already authenticated
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext

# Acquire one token for Microsoft Graph and one for Azure AD Graph (graph.windows.net);
# Connect-AzureAD needs both because the module talks to both APIs
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken

Connect-AzureAD -MsAccessToken $graphToken -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.Tenant.Id

$ApiAppGuid = New-Guid
$ApiAppStartDate = Get-Date
$vvApiAppName = "dev0-vv-api"

# >>>>>> it must be failing here when trying to get the applications...
$appExists = ($vvApiApp = Get-AzureADApplication -Filter "DisplayName eq '$($vvApiAppName)'" -ErrorAction SilentlyContinue)
# ... rest of the code that calls New-AzureADApplication
Also, when I put the $graphToken in jwt.io, it correctly shows the API permissions I've assigned to the service principal from the Azure Portal.
I have no idea why it keeps failing despite the permission consents having been granted. Any ideas highly appreciated - this has now taken almost a day.
As I suspected, Get-AzureADApplication uses the Azure AD Graph API, and it is likely the given MS Graph API application permissions do not work there. Some permissions do work in AAD Graph as well, but if it is a permission that was created later, it won't be supported.

So the solution is to use Get-AzureADMSApplication instead, which uses the MS Graph API. Most scripts should be switched to use these anyway, since the AAD Graph API is being deprecated.
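The following is an added example, not code from the question or the answer above. It shows the check a practitioner would run before re-granting consent: decode the two access tokens the pipeline already acquires and confirm which resource (audience) each one was issued for and which application roles it carries, then look the app up and create it through the MS Graph-backed *-AzureADMSApplication cmdlets rather than Get-AzureADApplication. It assumes it runs in an Azure PowerShell task after the Connect-AzureAD call from the question, that $graphToken and $aadToken are the variables from that script, and that the app name "dev0-vv-api" is the one from the question; the sample token built with New-UnsignedJwt is constructed purely to exercise the decoder offline.

```powershell
# Added example; assumes an Az context, the AzureAD module, and the
# $graphToken / $aadToken variables from the question's script.

function Get-JwtPayload {
    # Decode the claims (second segment) of a JWT. No signature check: this is
    # only for inspecting a token we obtained ourselves, not for trusting one.
    param([Parameter(Mandatory)][string]$Token)
    $segment = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($segment.Length % 4) { 2 { $segment += '==' } 3 { $segment += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($segment))
    return $json | ConvertFrom-Json
}

function Assert-TokenAudience {
    # Fail early, with a useful message, if a token was issued for the wrong
    # resource. Azure AD may express the audience as a URL or as the resource's
    # well-known application ID, so both spellings are accepted.
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string[]]$ExpectedAudiences,
        [string]$Label = 'token'
    )
    $claims = Get-JwtPayload -Token $Token
    if ($claims.aud -notin $ExpectedAudiences) {
        throw "$Label has audience '$($claims.aud)', expected one of: $($ExpectedAudiences -join ', ')"
    }
    $roles = if ($claims.roles) { $claims.roles -join ', ' } else { '<none>' }
    Write-Host "$Label -> aud=$($claims.aud); application roles: $roles"
    return $claims
}

function New-UnsignedJwt {
    # Constructed for demonstration only: header and payload with an empty
    # signature (alg=none), so the decoder can be exercised without a tenant.
    param([Parameter(Mandatory)][hashtable]$Claims)
    $b64url = {
        param([string]$Text)
        [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    $header  = & $b64url '{"alg":"none","typ":"JWT"}'
    $payload = & $b64url ($Claims | ConvertTo-Json -Compress)
    return "$header.$payload."
}

# Offline check of the decoder on a constructed token
$sample = New-UnsignedJwt -Claims @{ aud = 'https://graph.microsoft.com'; roles = @('Application.ReadWrite.All') }
$null = Assert-TokenAudience -Token $sample -ExpectedAudiences 'https://graph.microsoft.com' -Label 'sample'

# Live checks on the tokens from the question's script. The MS Graph token is
# what the *-AzureADMS* cmdlets use; the AAD Graph token is what the legacy
# Get-AzureADApplication uses, so it is the one to inspect when that cmdlet
# returns Authorization_RequestDenied.
$msGraphAud  = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
$aadGraphAud = @('https://graph.windows.net',   '00000002-0000-0000-c000-000000000000')
$null = Assert-TokenAudience -Token $graphToken -ExpectedAudiences $msGraphAud  -Label 'MS Graph token'
$null = Assert-TokenAudience -Token $aadToken   -ExpectedAudiences $aadGraphAud -Label 'AAD Graph token'

function Get-OrCreateMSApplication {
    # Idempotent lookup-or-create through MS Graph. The display name is embedded
    # in an OData filter, so an apostrophe in it must be doubled to keep the
    # filter well-formed (and to stop a user-supplied name breaking out of it).
    param([Parameter(Mandatory)][string]$DisplayName)
    $escaped  = $DisplayName.Replace("'", "''")
    $existing = Get-AzureADMSApplication -Filter "displayName eq '$escaped'" | Select-Object -First 1
    if ($existing) {
        Write-Host "Reusing existing application $($existing.AppId)"
        return $existing
    }
    Write-Host "Creating application '$DisplayName'"
    return New-AzureADMSApplication -DisplayName $DisplayName -SignInAudience 'AzureADMyOrg'
}

$vvApiApp = Get-OrCreateMSApplication -DisplayName 'dev0-vv-api'
```

Reading the roles claim of the AAD Graph token, not the MS Graph one, is the point of the audience check: the portal screenshot and jwt.io only showed what the MS Graph token carried, while the cmdlet that failed was spending the other token. Once the script is on the MS cmdlets, the AAD Graph token is only still needed because Connect-AzureAD asks for it.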