
I'm currently creating my applications on Azure Active Directory manually whenever there is a request for a new environment. I was exploring ways to create these applications from the code via REST API. I had success in creating users and groups on existing applications by using 'client_credentials' as shown.

// ADAL (Microsoft.IdentityModel.Clients.ActiveDirectory) against the v1 endpoint of the tenant (context creation assumed; not in the original snippet)
var authenticationContext = new AuthenticationContext("https://login.windows.net/" + tenantID);
ClientCredential clientCred = new ClientCredential(clientID, clientSecret);
AuthenticationResult authenticationResult = await authenticationContext.AcquireTokenAsync(resAzureGraphAPI, clientCred);

In similar fashion I tried to use the 'access_token' generated from above to create a new application with adClient.Applications.AddApplicationAsync(newApplication).Wait().

But this throws an error- "Insufficient privileges to complete the operation."

I looked at other threads and the Azure AD MSDN page, and it turns out the client_credentials flow does not support creating/updating applications.

Adding Applications programmatically in Azure AD using Client Credentials Flow

The above thread also mentioned that the way to work around it was by using the 'grant_type=password' flow. I tried it as suggested but I keep getting the following error, which doesn't make sense to me.

"error": "invalid_grant",
    "error_description": "AADSTS50034: To sign into this application the account must be added to the 1283y812-2u3u-u293u91-u293u1 directory.\r\nTrace ID: 66da9cf9-603f-4f4e-817a-cd4774619631\r\nCorrelation ID: 7990c26f-b8ef-4054-9c0b-a346aa7b5035\r\nTimestamp: 2016-02-21 23:36:52Z",
    "error_codes": [
        50034
    ],

Here is the payload and the endpoint that I'm hitting. The user that is passed is the owner of the AD where I want to create the application.

endpoint: https://login.windows.net/mytenantID/oauth2/token

post data
resource    00000002-0000-0000-c000-000000000000
client_id   id
client_secret   secret
grant_type  password
username    principal@mydomain.com
password    password
scope       openid

Any thoughts or suggestions of where I might be going wrong would be appreciated.

Srikanth

3 Answers


You can use PowerShell to create your apps:

$servicePrincipalName = "Your Client App Name"
# Register a service principal for an existing application (client) ID
$sp = New-MsolServicePrincipal -ServicePrincipalNames $servicePrincipalName -DisplayName $servicePrincipalName -AppPrincipalId "Your Client ID"
# Attach a password credential (client secret) to it
New-MsolServicePrincipalCredential -ObjectId $sp.ObjectId -Type Password -Value "Your client secret"
# Add the service principal to a directory role by role ObjectId
Add-MsolRoleMember -RoleObjectId "62e90394-69f5-4237-9190-012177145e10" -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId

The role denoted by 62e90394-69f5-4237-9190-012177145e10 is the Admin role, and this can be adjusted as required to the ObjectId of any other role. Run Get-MsolRole to get a list of roles and ObjectIds.

You could then run this code from your App or run it manually. You will also need to run your connection code before the above, something along the lines of:

$loginAsUserName = "Your Tenancy Admin Account"
$loginAsPassword = "Your Tenancy Admin Account Password"

$secpasswd = ConvertTo-SecureString $loginAsPassword -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ($loginAsUserName, $secpasswd)

Connect-MsolService -Credential $creds
Andy
  • I first connected by logging in with `Connect-MsolService`. `Get-MsolRole` listed a bunch of roles and their names. Then I wanted to check my role, so I fired `Get-MsolUserRole -UserPrincipalName test@mydomain.com`. This returned empty. When I got to creating a `New-MsolServicePrincipal` I always get the error - _Access denied. You do not have permission to access this cmdlet._ – Srikanth Feb 25 '16 at 09:52

I was able to create the application in my tenant. The AD tenant under which I was creating the application was verified for a different domain. Basically I ended up plugging in a user from that domain and, using the resource_type=password flow, was able to generate an access token. Next, firing the following lines of code did the trick:

// Azure AD Graph client library, authenticated with the token obtained above
ActiveDirectoryClient adClient = new ActiveDirectoryClient(serviceRoot, AccessToken);
adClient.Applications.AddApplicationAsync(newApplication).Wait();
Srikanth

Check the following things which seem to be a little off in your POST to the OAuth Token endpoint:

  • When wanting access to the Graph API of your Azure AD, you will need to pass https://graph.windows.net as the resource body parameter; this is (imho) not well documented, but that's what you need to do
  • As client_id and client_secret you need to pass the Client ID and the Key of a predefined Application inside your Azure AD which in turn you have granted permissions on a per user level to; these need to be sufficient to add applications
  • The scope parameter is not used, I think; you will get the claims you defined inside the Azure AD management portal back (the assigned permissions for your application)

This should render you an access token you can then subsequently use on the https://graph.windows.net/tenantId/ end points.

donmartin
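The token request the question posts and the parameter checklist in the answer above, as an added example that is not from the original thread. It builds the form body for both grants used on this page (client_credentials, which cannot create applications, and the password grant the workaround needs), sends it to the v1 token endpoint, and classifies the JSON error so a script can tell "user is not in this tenant" (AADSTS50034, the code quoted in the question) from other failures before retrying. The tenant, client and user values are placeholders; the 50034 response is constructed from the one in the question so the code runs offline through an injected transport. The password grant hands a user's password to the application, so keep that credential out of source control and prefer the app-only grant wherever the operation allows it.

```python
"""Azure AD v1 token requests and error classification (added example)."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict

# Azure AD Graph can be named by its app id (used in the question) or by
# "https://graph.windows.net" (used in the answer); both are accepted as `resource`.
AAD_GRAPH_RESOURCE = "00000002-0000-0000-c000-000000000000"


def token_endpoint(tenant: str) -> str:
    """v1 token endpoint as in the question (login.windows.net aliases login.microsoftonline.com)."""
    return f"https://login.windows.net/{tenant}/oauth2/token"


def client_credentials_request(client_id: str, client_secret: str,
                               resource: str = AAD_GRAPH_RESOURCE) -> Dict[str, str]:
    """App-only grant: what the ADAL ClientCredential snippet sends."""
    return {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "resource": resource}


def password_request(client_id: str, client_secret: str, username: str,
                     password: str, resource: str = AAD_GRAPH_RESOURCE) -> Dict[str, str]:
    """Resource-owner password grant. `scope` is deliberately absent: the v1
    endpoint ignores it and derives permissions from the app registration."""
    return {"grant_type": "password", "client_id": client_id,
            "client_secret": client_secret, "resource": resource,
            "username": username, "password": password}


_AADSTS = re.compile(r"AADSTS(\d+)")
# 50034 is the code from the question; 50126 is the generic bad-credential code.
CODE_MEANING = {
    50034: "user account does not exist in the tenant named in the request",
    50126: "invalid username or password",
}


def parse_token_response(body: str) -> Dict[str, object]:
    """Reduce a token-endpoint JSON body to a small result dict."""
    data = json.loads(body)
    if "access_token" in data:
        return {"ok": True, "access_token": data["access_token"],
                "token_type": data.get("token_type"), "resource": data.get("resource")}
    desc = data.get("error_description", "")
    m = _AADSTS.search(desc)
    code = int(m.group(1)) if m else (data.get("error_codes") or [None])[0]
    trace = re.search(r"Trace ID: (\S+)", desc)
    return {"ok": False, "error": data.get("error"), "code": code,
            "meaning": CODE_MEANING.get(code, "unclassified; see error_description"),
            "trace_id": trace.group(1) if trace else None}


def post_form(url: str, form: Dict[str, str]) -> str:
    """Real transport: POST a form-encoded body and return the body even on 4xx."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.read().decode()


def acquire_token(tenant: str, form: Dict[str, str],
                  transport: Callable[[str, Dict[str, str]], str] = post_form) -> Dict[str, object]:
    """Send `form` to the tenant's token endpoint and classify the reply."""
    return parse_token_response(transport(token_endpoint(tenant), form))


# Constructed sample modelled on the error quoted in the question (not a live response).
SAMPLE_50034 = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50034: To sign into this application the account must be "
                         "added to the 1283y812-2u3u-u293u91-u293u1 directory.\r\n"
                         "Trace ID: 66da9cf9-603f-4f4e-817a-cd4774619631\r\n"
                         "Correlation ID: 7990c26f-b8ef-4054-9c0b-a346aa7b5035\r\n"
                         "Timestamp: 2016-02-21 23:36:52Z",
    "error_codes": [50034],
})

if __name__ == "__main__":
    form = password_request("client-id", "client-secret", "principal@mydomain.com", "password")
    # Offline run: swap the network transport for the constructed sample.
    print(acquire_token("mytenantID", form, transport=lambda url, f: SAMPLE_50034))
```

Replace the lambda transport with the default `post_form` to hit a real tenant; a 50034 result means the username belongs to a different directory than the one in the URL, which is exactly the situation the asker resolved by using a user from the tenant's verified domain.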