0

I'm trying to author some code to manage Azure Application Proxies (specifically the SSL certificates), based on this https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-extended

When running locally, the code works. When running in the context of the azure automation account, I receive the following:

Error: Exception System.NullReferenceException: Object reference not set to an instance of an object. at Microsoft.Open.MSGraphV10.PowerShell.GetApplicationProxyApplication.ProcessRecord() in X:\bt\1218881\repo\src\dev\PowerShell.V2\MSGraphV10.PowerShell\MSGraphV10.PowerShell.AutoGen\Api\ApplicationProxyApi.cs:line 103

When calling

$app = Get-AzureADApplicationProxyApplication -ObjectId $item.ObjectId -ErrorAction SilentlyContinue

Full example:

# Before you begin:
#    Run Connect-AzureAD to connect to the tenant domain.
#    Required Azure AD role: Global Administrator or Application Administrator or Application Developer

Disable-AzContextAutosave -Scope Process
$AzureContext = (Connect-AzAccount -Identity).context
$context = Set-AzContext -Tenant $tenantId  -DefaultProfile $AzureContext
$aadToken = Get-AzAccessToken -ResourceTypeName AadGraph
Connect-AzureAD  -TenantId $context.tenant.id -AadAccessToken $aadToken.Token -AccountId $context.Account.Id

$allApps = Get-AzureADApplication  -all $true
$aadapServPrinc = Get-AzureADServicePrincipal -Top 100000 | where-object {$_.Tags -Contains "WindowsAzureActiveDirectoryOnPremApp"}  
$aadapApp = $aadapServPrinc | ForEach-Object { $allApps -match $_.AppId} 

foreach ($item in $aadapApp) { 

            $app = Get-AzureADApplicationProxyApplication -ObjectId $item.ObjectId -ErrorAction SilentlyContinue
}

As part of the debugging, I have assigned the Managed Identity Application Developer, Application Administrator and Global Administrator, however, it still fails.

Can anyone assist?

Ultimately, I am looking to query the $app.VerifiedCustomDomainCertificatesMetadata to determine the expiry dates of the certificates. If anyone knows of a different way, I am open to input.

[Edit] If I get the access token for the automation account, I can reproduce the error locally.

So it's something to do with the identity not playing well, even when it has the relevant perms (tested as global admin role assigned)

Jack
  • 425
  • 4
  • 12

1 Answers1

0

OK, as per https://github.com/Azure/azure-docs-powershell-azuread/issues/200

The newer cmdlets users GraphAPI under the hood, so I needed to provide the additional -MsAccessToken param

$MsToken = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com/"


Connect-AzureAD  -TenantId $context.tenant.id -MsAccessToken $MsToken.Token  -AadAccessToken $aadToken.Token -AccountId $context.Account.Id

There's the requirement of needing to assign the Application.ReadWrite.All GraphAPI permission to the Managed Identity, which can only be done via Powershell

Jack
  • 425
  • 4
  • 12