Is there a way to programmatically, via API, set the manifest property "accessTokenAcceptedVersion" to 2? This is required due to the issue explained here: our code is expecting the new STS and fails with:

WWW-Authenticate: Bearer error="invalid_token", error_description="The audience is invalid"

due to it being the old STS: "iss": "https://sts.windows.net/.../". Similarly, I am looking to set the "signInAudience" property as well so that our apps show up in B2C:

{
...
"accessTokenAcceptedVersion": 2,    
...
"signInAudience": "AzureADandPersonalMicrosoftAccount",    
...
}

Not seeing anything in PowerShell, CLI or API (see also).

If I capture the portal network traffic I can see the PATCH to graph.windows.net/myorganization/applications/{GUID}?api-version=2.0 where it sets the JSON properties:

"accessTokenAcceptedVersion":2,

and

"signInAudience":"AzureADandPersonalMicrosoftAccount",

But it also sets another property, which appears to be an undocumented way of doing things?

"[email protected]":"application/json;odata=minimalmetadata"

and the signInAudience change sets:

"supportsConvergence":true,


4
On BEST ANSWER

Check out the beta Graph APIs:

Please note that this is still only available under the beta API of the Microsoft Graph.

2
On

By using the code snippet below, I was able to set both accessTokenAcceptedVersion & signInAudience as desired.

import com.microsoft.graph.models.ApiApplication;
import com.microsoft.graph.models.Application;

// In Microsoft Graph, the manifest's accessTokenAcceptedVersion is exposed as api.requestedAccessTokenVersion
ApiApplication api = new ApiApplication();
api.requestedAccessTokenVersion = 2;

Application application = new Application();
application.displayName = oAuthClientVO.getClientName();
application.signInAudience = "AzureADandPersonalMicrosoftAccount";
application.api = api;
// Then send it with a GraphServiceClient (hypothetical name graphClient, built from an azure-identity credential):
// graphClient.applications().buildRequest().post(application);

For this, I used the libraries below.

<dependency>
    <groupId>com.microsoft.graph</groupId>
    <artifactId>microsoft-graph</artifactId>
    <version>[5.4.0,)</version>
</dependency>
<dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-identity</artifactId>
    <version>[1.3.6,)</version>
</dependency>
0
On

If you want to set "accessTokenAcceptedVersion" = 2, you can try something like this:

# PowerShell: use the application's object id (not its appId); az rest attaches the Graph bearer token itself
$uri = "https://graph.microsoft.com/v1.0/applications/<app objectId>"
# api.requestedAccessTokenVersion is the Graph property behind the manifest's accessTokenAcceptedVersion
az rest --method PATCH --uri $uri --headers 'Content-Type=application/json' --body '{\""api\"":{\""requestedAccessTokenVersion\"":2}}'

This would work.

Nb: if you are facing some error like this

ERROR: Please run 'az login' to setup account.

you can try logging in with this command.

 az login --service-principal --username ${your_client_id} --password ${your_client_secret} --tenant ${your_app_tenant_id}

Hope this helps someone in future.

Happy Coding :)
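Added example, not from the question or any of the answers above: a small Python diagnostic that decodes an access token's claims without verifying the signature and reports whether it is the v1.0 token (sts.windows.net issuer) the question ran into, or the v2.0 token expected once api.requestedAccessTokenVersion has been set to 2 as the answers describe. The tenant id, client id and the sample tokens are constructed placeholders.

```python
import base64
import json

# Placeholder ids (constructed, not real tenants or apps).
TENANT = "00000000-0000-0000-0000-000000000000"
CLIENT = "11111111-1111-1111-1111-111111111111"


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sample_token(version):
    """Constructed, unsigned sample shaped like a v1.0 or v2.0 access token."""
    if version == "1.0":
        claims = {"ver": "1.0", "iss": f"https://sts.windows.net/{TENANT}/", "aud": f"api://{CLIENT}"}
    else:
        claims = {"ver": "2.0", "iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "aud": CLIENT}
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), "dummy-signature"])


def decode_payload(token):
    """Read the JWT payload WITHOUT verifying the signature: a diagnostic aid, never an authorization check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token_version(token, tenant_id, expected_aud):
    """Return (ok, reason) describing whether a v2.0 validator will accept this token.

    A v1.0 token has ver "1.0", issuer https://sts.windows.net/{tid}/ and usually an
    App ID URI as aud, so a validator expecting the v2.0 issuer and the client id as
    audience rejects it with "The audience is invalid".
    """
    claims = decode_payload(token)
    ver, iss, aud = claims.get("ver"), claims.get("iss", ""), claims.get("aud")
    if ver != "2.0":
        return False, f"ver is {ver!r}; set api.requestedAccessTokenVersion to 2 on the resource app"
    if iss != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        return False, f"unexpected issuer {iss!r}"
    if aud != expected_aud:
        return False, f"aud {aud!r} does not match expected {expected_aud!r}"
    return True, "v2.0 token for the expected audience"


if __name__ == "__main__":
    for v in ("1.0", "2.0"):
        print(v, check_token_version(sample_token(v), TENANT, CLIENT))
```

Paste a real token's payload into decode_payload only on a trusted workstation, since access tokens are bearer credentials.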