
I have a problem with automating the setting of the preAuthorizedApplications for an Azure app registration from Az PowerShell 7.1.0. The code is making a transition to the MS Graph APIs, but the syntax of the preAuthorizedApplications is not clear to me. Everything I found on the net, I tried. But nothing works and it keeps erroring out.

I created a piece of test code and a test app registration:

Get-AzADApplication -ApplicationId 956afe7b-f58f-4de5-83ea-02035cc98b3f # Just to get the Types

$PreAuthPrem1 = New-Object -TypeName "Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Models.ApiV10.MicrosoftGraphPreAuthorizedApplication"
$PreAuthPrem1.AppId = "1fec8e78-bce4-4aaf-ab1b-5451cc387264"
$PreAuthPrem1.DelegatedPermissionId = "d3a943ac-ea3b-4271-b750-abcd91b01162"

Update-AzADApplication -ApplicationId 956afe7b-f58f-4de5-83ea-02035cc98b3f -api @{"preAuthorizedApplications" = $PreAuthPrem1} -debug

It keeps giving me the same error, which is not very helpful:

Line |
 549 |  Az.MSGraph.internal\Update-AzADApplication @PSBoundParameters
     |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Property preAuthorizedApplications in payload has a value that does not match schema.

The request to MS Graph is below (taken from the -debug output):

DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PATCH

Absolute Uri:
https://graph.microsoft.com/v1.0/applications/ccd14ce8-1afe-45b3-a461-777d3129399b

Headers:
x-ms-unique-id                : 6
x-ms-client-request-id        : cb41d352-4b67-4142-8795-9b77bf9b057a
CommandName                   : Az.MSGraph.internal\Update-AzADApplication
FullCommandName               : Update-AzADApplication_UpdateExpanded
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v0.0.0,Az.MSGraph/5.2.0

Body:
{ "api": { "preAuthorizedApplications": "{\r\n "appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264",\r\n "delegatedPermissionIds": [ "d3a943ac-ea3b-4271-b750-abcd91b01162" ]\r\n}" } }

I found documentation which says it should be delegatedPermissionIds, but also that it should be permissionIds. Neither works for me:

https://learn.microsoft.com/en-us/powershell/module/az.resources/update-azadapplication?view=azps-7.1.0

https://learn.microsoft.com/en-us/graph/api/resources/preauthorizedapplication?view=graph-rest-1.0

Also I tried other ways of setting the body so that it does not include the special characters, but everything just keeps giving the same error.

Also updated Az PowerShell (to 7.1.0) and PowerShell itself (7.2.1 core).

Also tried with the Azure CLI:

$appObjectId='956afe7b-f58f-4de5-83ea-02035cc98b3f'

az rest -m PATCH -u https://graph.microsoft.com/v1.0/applications/$appObjectId --headers Content-Type=application/json -b '{"api":{"preAuthorizedApplications":[{"appId":"1fec8e78-bce4-4aaf-ab1b-5451cc387264","permissionIds":["d3a943ac-ea3b-4271-b750-abcd91b01162"]}]}}'

Bad Request({"error":{"code":"BadRequest","message":"Unable to read JSON request payload. Please ensure Content-Type header is set and payload is of valid JSON format.","innerError":{"date":"2022-01-31T06:23:44","request-id":"2ac51323-4f9b-4da8-8ec8-1187e4b73a59","client-request-id":"2ac51323-4f9b-4da8-8ec8-1187e4b73a59"}}})

Looks like the same problem.

2 Answers

We have tried the same in our environment; as an alternate solution we can try Graph Explorer.

To do that we have to get our Oauth2Permissions id from the manifest, or we can get it by running the below code:

az ad app show --id $appId --query "oauth2Permissions[].id"


Now we need to use Graph Explorer to achieve the above requirement by mentioning the following in our request body, using the below method:

PATCH : https://graph.microsoft.com/beta/applications/<appObjectId>

Request body :

{
    "api": {
        "preAuthorizedApplications": [
            {
                "appId": "authorizedappClientID",
                "permissionIds": [
                    "oauth2PermissionId"
                ]
            }
        ]
    }
}

Provide the object id of the application in the above URI.

  • Allow the following consent > Modify permission

  • And check whether your permission ID is correct by navigating to the manifest.

To use az rest, please refer to this SO THREAD.

AjayKumarGhose
  • Hi Ajay... I already saw this thread, and this does not seem to work for me. I used the following command: az rest --method patch --uri "https://graph.microsoft.com/beta/applications/956afe7b-f58f-4de5-83ea-02035cc98b3f" --headers '{"Content-Type":"application/json"}' --body '{"api":{"preAuthorizedApplications":[{"appId":"5e3ce6c0-2b1f-4285-8d4b-75ee78787346","permissionIds":["d3a943ac-ea3b-4271-b750-abcd91b01162"]}]}}' which resulted in the error: The command failed with an unexpected error. Here is the traceback: not enough values to unpack (expected 2, got 1) – Erwin Wiegman Jan 31 '22 at 12:35
  • Also Graph Explorer errors out with: { "error": { "code": "Request_BadRequest", "message": "Unexpected contents in request body.", "innerError": { "date": "2022-01-31T12:38:50", "request-id": "a6ccdf48-75f2-41ad-8e98-0e2fd9109b3b", "client-request-id": "a9ae6a02-b614-d9a8-014b-12a40f1bea63" } } } – Erwin Wiegman Jan 31 '22 at 12:40
  • Please make sure to consent to all that is shown in Modify permission – AjayKumarGhose Jan 31 '22 at 12:41
  • Yes I did... but still the same error.. these are the permissions taken from my JWT token: AppCatalog.Read.All AppCatalog.ReadWrite.All Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All OnlineMeetings.Read OnlineMeetings.ReadWrite openid profile User.Read email Application.ReadWrite.All – Erwin Wiegman Jan 31 '22 at 12:46
  • It is beginning to feel like a bug. Maybe because of the move from the Azure AD APIs to the MS Graph APIs – Erwin Wiegman Jan 31 '22 at 12:52
  • No, it's working fine. Please make sure the permission ID you have provided is the same as in the manifest (oauth2Permissions section) – AjayKumarGhose Jan 31 '22 at 13:01
  • Hi Ajay... that was the missing thing for Graph Explorer. I will now try in the Azure CLI to see if I can make that work as well – Erwin Wiegman Jan 31 '22 at 14:19
  • I tried the az cli command: az rest --method patch --uri "https://graph.microsoft.com/beta/applications/ccd14ce8-1afe-45b3-a461-777d3129399b" --headers '{"Content-Type":"application/json"}' --body '{"api":{"preAuthorizedApplications":[{"appId":"1fec8e78-bce4-4aaf-ab1b-5451cc387264","permissionIds":["d3a943ac-ea3b-4271-b750-abcd91b01162"]}]}}' But this gives the error: The command failed with an unexpected error. Here is the traceback: not enough values to unpack (expected 2, got 1) The body is exactly the same as used in Graph Explorer – Erwin Wiegman Jan 31 '22 at 14:28
  • Hi Ajay.. I got it working in PowerShell in my DevOps pipeline. So thanks for your help! Couldn't do it without you – Erwin Wiegman Jan 31 '22 at 16:00
  • For completeness, my PowerShell code: $Body = @" { "api": { "preAuthorizedApplications": [ { "appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264", "permissionIds": [ "d3a943ac-ea3b-4271-b750-abcd91b01162" ] } ] } } "@ – Erwin Wiegman Jan 31 '22 at 16:01
  • $Uri = 'https://graph.microsoft.com/beta/applications/ccd14ce8-1afe-45b3-a461-777d3129399b' $method = 'PATCH' $Token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token Write-Host $Token $Header = @{ Authorization = "Bearer $Token" } Invoke-WebRequest -Uri $Uri -Method $method -Headers $Header -ContentType 'application/json' -Body $Body – Erwin Wiegman Jan 31 '22 at 16:02
This is the code that worked in my DevOps pipeline. I gave the service principal the rights and enabled access to the token.

# Request body: the beta endpoint uses "permissionIds" (v1.0 calls it "delegatedPermissionIds").
# The permission id must be one of the oauth2Permissions ids in the API app's manifest.
$Body = @"
{
    "api": {
        "preAuthorizedApplications": [
            {
                "appId": "1fec8e78-bce4-4aaf-ab1b-5451cc387264",
                "permissionIds": [
                    "d3a943ac-ea3b-4271-b750-abcd91b01162"
                ]
            }
        ]
    }
}
"@

# The URI takes the object id of the app registration, not its application (client) id.
$Uri = 'https://graph.microsoft.com/beta/applications/ccd14ce8-1afe-45b3-a461-777d3129399b'
$method = 'PATCH'
# Graph token for the currently signed-in Az context (the pipeline's service principal).
$Token = (Get-AzAccessToken -ResourceTypeName MSGraph).Token

$Header = @{
    Authorization = "Bearer $Token"
}
Invoke-WebRequest -Uri $Uri -Method $method -Headers $Header -ContentType 'application/json' -Body $Body
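The two things that went wrong in this thread were the shape of the payload (the Az cmdlet sent preAuthorizedApplications as a JSON string rather than an array of objects, which is the "does not match schema" error in the question) and a permission id that did not match an oauth2Permissions id in the API's manifest (the fix in the first answer). The function below is an added example, not code from the question or either answer: it reads the registration first, checks the requested scope ids against api.oauth2PermissionScopes, merges the new entry into the existing pre-authorized list so that other clients are not silently dropped (a PATCH replaces the whole collection), serializes nested hashtables with ConvertTo-Json, and reads the result back. It uses the v1.0 endpoint, where the property is named delegatedPermissionIds; the function name and all ids in the usage line are placeholders, and it assumes an Az context whose identity holds Application.ReadWrite.All or owns the app.

```powershell
function Set-PreAuthorizedApplication {
    param(
        [Parameter(Mandatory)] [string]   $ApiAppObjectId,  # object id of the API's app registration
        [Parameter(Mandatory)] [string]   $ClientAppId,     # appId (client id) of the app to pre-authorize
        [Parameter(Mandatory)] [string[]] $ScopeIds         # ids taken from api.oauth2PermissionScopes
    )

    $graph = 'https://graph.microsoft.com/v1.0'
    # The token only ever goes into the Authorization header; never Write-Host it into pipeline logs.
    $token   = (Get-AzAccessToken -ResourceTypeName MSGraph).Token
    $headers = @{ Authorization = "Bearer $token" }

    # 1. Read the current registration. We need the defined scopes to validate against and the
    #    existing pre-authorized list, because PATCH replaces the collection rather than appending.
    $app = Invoke-RestMethod -Method GET -Headers $headers -Uri "$graph/applications/$ApiAppObjectId"

    # 2. Every requested scope id must exist on this API (manifest: oauth2Permissions / oauth2PermissionScopes).
    $knownScopes = @($app.api.oauth2PermissionScopes | ForEach-Object { $_.id })
    $unknown     = @($ScopeIds | Where-Object { $knownScopes -notcontains $_ })
    if ($unknown.Count -gt 0) {
        throw "Scope id(s) not defined on this API: $($unknown -join ', '). Copy the id from api.oauth2PermissionScopes."
    }

    # 3. Merge: keep every other pre-authorized client as-is, replace the entry for this client.
    $existing = @($app.api.preAuthorizedApplications | Where-Object { $_.appId -ne $ClientAppId })
    $merged   = $existing + @(@{ appId = $ClientAppId; delegatedPermissionIds = $ScopeIds })

    # 4. Build the payload as nested hashtables/arrays and let ConvertTo-Json serialize it.
    #    @() keeps a single entry an array (the question's request sent a string instead), and
    #    -Depth is required because the default depth truncates the nested array.
    $body = @{ api = @{ preAuthorizedApplications = $merged } } | ConvertTo-Json -Depth 10

    Invoke-RestMethod -Method PATCH -Headers $headers -ContentType 'application/json' `
        -Uri "$graph/applications/$ApiAppObjectId" -Body $body | Out-Null

    # 5. Read back and return the resulting list so a pipeline step can assert on exactly
    #    which clients are now allowed to call the API without a consent prompt.
    $after = Invoke-RestMethod -Method GET -Headers $headers `
        -Uri "$graph/applications/$ApiAppObjectId?`$select=api"
    return $after.api.preAuthorizedApplications
}

# Usage with placeholder ids (replace with values from your own tenant):
# Set-PreAuthorizedApplication -ApiAppObjectId '<api-app-object-id>' `
#     -ClientAppId '<client-app-id>' -ScopeIds '<oauth2PermissionScope-id>'
```

Pre-authorizing a client grants it the listed delegated scopes with no user consent prompt, so keep the scope list to exactly what that client needs and compare the returned list against the set of clients you expect; an entry you did not put there is worth investigating. The same function works against the beta endpoint by changing `$graph` and renaming `delegatedPermissionIds` to `permissionIds`, which is the property the working answer above uses.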