0

I've created an registered app in Azure and I'be given the following API permissions for Graph API as follows: 

**
Directory.ReadWrite.All
Policy.Read.All 
Policy.ReadWrite.TrustFramework
User.Invite.All
User.Read
**

My plan is to add an allow list to the Azure B2B directory and then invite the guest user to my directory using the service principle i created above.

With the above permissions , I can read the current policy and send the invite to the guest user. But, I cannot append the exiting allowed domain list in my B2B directory.

Each time i try to update the existing policy I'm getting access denied as shown below:

**
Set-AzureADPolicy -Definition $policyValue -Id $currentpolicy.Id | Out-Null**

Error

Set-AzureADPolicy : Error occurred while executing SetPolicy 
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
InnerError:
  RequestId: 4f161b70-f71c-4507-8b91-788457429fcc
  DateTimeStamp: Wed, 08 Apr 2020 16:57:39 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ Set-AzureADPolicy -Definition $policyValue -Id $currentpolicy.Id | Ou ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-AzureADPolicy], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.SetPolicy

Does anyone had any ideas what is missing here?

Also can i confirm this operation is supported with Graph API at the moment?

Thanks Balaip

Balaip
  • 31
  • 4
  • It may caused by the role of your login account in AD, please assign a global administrator role to your account and then Connect-AzureAD and do the Set-AzureADPolicy operation. – Hury Shen Apr 10 '20 at 09:29
  • Hi Hury, thanks for getting back to me. Im aware that this works with global admin role but I’m trying this using a service principle and I’ve given the azure ad graph api permissions. Does updating AzureADPolicy is supported with connecting to Azure AD with a service principle or I must use Global admin role for this? – Balaip Apr 10 '20 at 16:37
  • Hi Balaip, I have provided the solution below. If the solution helps your problem, please [accept](https://stackoverflow.com/help/someone-answers) it as answer(click on the check mark beside my answer to toggle it from greyed out to filled in). Thanks in advance~ – Hury Shen Apr 13 '20 at 04:37

1 Answers1

0

According to some test, I just add the other three permissions under "Policy" to the app you registered. And then I can use Set-AzureADPolicy command success(with connecting to Azure AD with a service principle). enter image description here

Update:

I provide all of the steps for your reference:

1. Run the command below in powershell

# Login to Azure AD PowerShell With Admin Account
Connect-AzureAD 

# Create the self signed cert
$currentDate = Get-Date
$endDate  = $currentDate.AddYears(1)
$notAfter  = $endDate.AddYears(1)
$pwd  = "xxxxxxx"
$thumb = (New-SelfSignedCertificate -CertStoreLocation cert:\localmachine\my -DnsName com.foo.bar -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $notAfter).Thumbprint
$pwd = ConvertTo-SecureString -String $pwd -Force -AsPlainText
Export-PfxCertificate -cert "cert:\localmachine\my\$thumb" -FilePath c:\temp\examplecert.pfx -Password $pwd

# Load the certificate
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("C:\temp\examplecert.pfx", $pwd)
$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData())


# Create the Azure Active Directory Application
$application = New-AzureADApplication -DisplayName "huryttt1234" -IdentifierUris "https://huryttt1234"
New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier "Huryttt1234" -StartDate $currentDate -EndDate $endDate -Type AsymmetricX509Cert -Usage Verify -Value $keyValue

# Create the Service Principal and connect it to the Application
$sp = New-AzureADServicePrincipal -AppId $application.AppId

2. Now I go to the new application(Huryttt1234) in AD on Azure portal and add the five permissions to it, and grant admin consent to it.

3. Then run command below:

# Get Tenant Detail
$tenant = Get-AzureADTenantDetail
# Now you can login to Azure PowerShell with your Service Principal and Certificate
Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId  $sp.AppId -CertificateThumbprint $thumb

Get-AzureADPolicy -Id xxxxxxxxxxxxxxxxxxxx

Set-AzureADPolicy -Definition @('{"TokenLifetimePolicy":{"Version":1,"MaxInactiveTime":"20:00:00"}}') -Id xxxxxxxxxxxxxxxxxxxx | Out-Null

I can run the bottom two lines(the get operation and set operation) successfully.

Hury Shen
  • 14,948
  • 1
  • 9
  • 18
  • Thank you @Hury Shen. Still no luck with all the policies you suggested. I tested with both Application and Delegate type but still I'm not able to update this policy - here is the scripts I ran: Set-AzureADPolicy -Definition $policyValue -Id $currentpolicy.Id | Out-Null Does yours is similar to the above? I also tried by given all other API permissions and still I can't update this policy and here is how i connect to Azure AD: Connect-AzureAD -TenantId $tenantId -ApplicationId $AppId -CertificateThumbprint $ThumbprintID – Balaip Apr 13 '20 at 12:51
  • Hi @Balaip I use the same command "Connect-AzureAD" with "CertificateThumbprint" to login. I added the three permissions under Application(not Delegate). May I know if you have grant admin consent for it after add the three permissions ? And I run the "Connect-AzureAD" again to re-connect after add permissions and grant consent. – Hury Shen Apr 14 '20 at 01:30
  • hey @Hury Shen, I can confirm that i granted admin consent and connect back fine with Connect-AzureAD...this is very strange i can read policy and run other operations and only updating Azure AD policy is failing and thats very odd it does only for me. I wonder if you have anything different in place which i don't- i've sent you some screen shot in the answer for your information – Balaip Apr 14 '20 at 08:40
  • @Balaip Have you tried create another service principal (create another app in ad) and use it to connect and do the update operation ? – Hury Shen Apr 14 '20 at 08:48
  • yes, I've tested that actually a few times and still is the same issue – Balaip Apr 14 '20 at 11:41
  • Hi @Balaip I don't know why you always fail to do the `Set-AzureADPolicy` operation. I have updated the answer and provide all of the steps which I did for your reference. Hope it can help your problem. – Hury Shen Apr 15 '20 at 07:37
  • @Balaip I'm sorry that the solution doesn't help you. You can raise a support ticket on azure portal by following the steps on this [page](https://learn.microsoft.com/en-us/azure/azure-portal/supportability/how-to-create-azure-support-request) for the help from azure support team. – Hury Shen Apr 15 '20 at 08:28
  • Thank you @Hury Shen for your updated answer. in your first step did you log in with the global admin? # Login to Azure AD PowerShell With Admin Account Connect-AzureAD .....in my case i don't have global admin access to my client so i was using my account to create this app and then given the API permissions - Consent admin etc using global admin and my client runs that ...so are you staying this opertaion is only supported with logging with the global admin first? – Balaip Apr 15 '20 at 08:34
  • @Balaip I log in with a global admin account at the first step, but you can see in the following steps I re-run the command `Connect-AzureAD` to log in with service principal again. And I also test the problem what you concerned, when I re-connect with service principal, if I don't add any permissions to it, I can't not get or set the policy. After add the permissions, then I can get and set the policy. So I think there is not relation with I log in global admin at the first steps. – Hury Shen Apr 15 '20 at 09:09
  • Thank you @Hury Shen. it looks like I'm not having any luck even with the scripts you kindly provided. So this issue could be related to my tenant. I'll raise this with MS – Balaip Apr 15 '20 at 09:30
  • @Balaip I'm having a similar problem using a service principal. Did you ever find a resolution to your issue? – PNelson Mar 17 '21 at 11:44