
Insufficient privileges to complete the operation - PowerShell creating Azure AD apps fails

I have an Azure DevOps CI/CD pipeline in which I have a PowerShell script to create a new Azure AD app. Although the Service Principal has permissions granted against the following Graph APIs, it fails with the following exception.

2020-12-14T11:49:55.0146669Z ##[error]Error occurred while executing GetApplications Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation. RequestId: 1130fbec-3eec-4c8e-a2dd-e134f2c4621f DateTimeStamp: Mon, 14 Dec 2020 11:49:54 GMT HttpStatusCode: Forbidden HttpStatusDescription: Forbidden HttpResponseStatus: Completed

The API permissions that I have for the Service Principal are: [screenshot of the app's API permissions]

I use the following script to connect to Azure AD from the pipeline and create the Azure AD app using PowerShell.

Install-Module AzureAD -Force -Verbose -Scope CurrentUser
# Reuse the Az context the pipeline task already authenticated with
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
# Token for Microsoft Graph (https://graph.microsoft.com)
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
# Token for Azure AD Graph (https://graph.windows.net)
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken

Connect-AzureAD -MsAccessToken $graphToken -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id

$ApiAppGuid = New-Guid
$ApiAppStartDate = Get-Date
$vvApiAppName = "dev0-vv-api"
# >>>>>> it must be failing here when trying to get the applications...
$appExists = ($vvApiApp = Get-AzureADApplication -Filter "DisplayName eq '$($vvApiAppName)'" -ErrorAction SilentlyContinue)
# ... rest of the code that calls New-AzureADApplication

Also, when I put the $graphToken in jwt.io, it correctly shows the API permissions I've assigned to the Service Principal from the Azure Portal.

[screenshot of the decoded token]

I have no idea why it keeps failing despite the permissions consents granted. Any ideas highly appreciated - this is now almost taking a day.

As I suspected, Get-AzureADApplication uses Azure AD Graph API, and it is likely the given MS Graph API application permissions do not work there. Some permissions do work in AAD Graph as well, but if it is a permission that was created later, it won't be supported.

So the solution is to use Get-AzureADMSApplication instead, which uses the MS Graph API. Most scripts should be switched to use these anyway since AAD Graph API is being deprecated.
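The following is an added example, not code from the question or the answer, showing the two things the answer implies: a quick check of which resource a token was actually issued for (the aud claim) and what application roles it carries, followed by the MS Graph-backed cmdlets in place of the AAD Graph ones. It assumes $graphToken, $aadToken and $context were obtained exactly as in the question's script, and the Get-JwtPayload helper and the variable names are this example's own.

```powershell
# Added example (not from the question or answer). Assumes $graphToken,
# $aadToken and $context come from the question's token acquisition code.

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    # A JWT is header.payload.signature; the payload is base64url-encoded JSON.
    # Signature is NOT verified here; this is only for inspecting claims locally.
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

# 'aud' is the resource the consented permissions apply to. Roles granted for
# Microsoft Graph are only evaluated when the call actually goes to Microsoft Graph.
#   Microsoft Graph: https://graph.microsoft.com or 00000003-0000-0000-c000-000000000000
#   Azure AD Graph:  https://graph.windows.net   or 00000002-0000-0000-c000-000000000000
$graphClaims = Get-JwtPayload -Token $graphToken
$aadClaims   = Get-JwtPayload -Token $aadToken
"MS Graph token audience : $($graphClaims.aud)"
"MS Graph token app roles: $($graphClaims.roles -join ', ')"
"AAD Graph token audience: $($aadClaims.aud)"
"AAD Graph token app roles: $($aadClaims.roles -join ', ')"

Connect-AzureAD -MsAccessToken $graphToken -AadAccessToken $aadToken `
    -AccountId $context.Account.Id -TenantId $context.Tenant.Id

$vvApiAppName = "dev0-vv-api"   # application name from the question

# Get-AzureADMSApplication / New-AzureADMSApplication call Microsoft Graph, so the
# roles present in $graphToken (not $aadToken) decide whether this is authorized.
# Microsoft Graph filters use the camelCase property name 'displayName'.
$vvApiApp = Get-AzureADMSApplication -Filter "displayName eq '$vvApiAppName'"

if (-not $vvApiApp) {
    $vvApiApp = New-AzureADMSApplication -DisplayName $vvApiAppName
    "Created application $($vvApiApp.AppId)"
} else {
    "Application already exists: $($vvApiApp.AppId)"
}
```

If the AAD Graph token's roles claim is empty while the MS Graph token's is populated, that matches the answer's explanation: the Forbidden response came from Azure AD Graph, which never saw the permissions granted on Microsoft Graph.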
