I'm trying to author some code to manage Azure Application Proxies (specifically the SSL certificates), based on this https://learn.microsoft.com/en-us/azure/active-directory/app-proxy/scripts/powershell-get-all-app-proxy-apps-extended
When running locally, the code works. When running in the context of the azure automation account, I receive the following:
Error: Exception System.NullReferenceException: Object reference not set to an instance of an object. at Microsoft.Open.MSGraphV10.PowerShell.GetApplicationProxyApplication.ProcessRecord() in X:\bt\1218881\repo\src\dev\PowerShell.V2\MSGraphV10.PowerShell\MSGraphV10.PowerShell.AutoGen\Api\ApplicationProxyApi.cs:line 103
When calling
$app = Get-AzureADApplicationProxyApplication -ObjectId $item.ObjectId -ErrorAction SilentlyContinue
Full example:
# Before you begin:
# Run Connect-AzureAD to connect to the tenant domain.
# Required Azure AD role: Global Administrator or Application Administrator or Application Developer
# $tenantId is not defined in this snippet; it must be set earlier in the runbook (for example from an Automation variable).
Disable-AzContextAutosave -Scope Process
# Sign in as the Automation account's system-assigned Managed Identity
$AzureContext = (Connect-AzAccount -Identity).context
$context = Set-AzContext -Tenant $tenantId -DefaultProfile $AzureContext
# Token for the legacy Azure AD Graph endpoint; this is the only token handed to Connect-AzureAD here
$aadToken = Get-AzAccessToken -ResourceTypeName AadGraph
Connect-AzureAD -TenantId $context.Tenant.Id -AadAccessToken $aadToken.Token -AccountId $context.Account.Id
# All app registrations in the tenant
$allApps = Get-AzureADApplication -All $true
# Service principals tagged as Application Proxy (on-premises) apps
$aadapServPrinc = Get-AzureADServicePrincipal -Top 100000 | Where-Object { $_.Tags -contains "WindowsAzureActiveDirectoryOnPremApp" }
# Match each proxy service principal back to its app registration by AppId
$aadapApp = $aadapServPrinc | ForEach-Object { $allApps -match $_.AppId }
foreach ($item in $aadapApp) {
    # This is the call that throws NullReferenceException when run under the Managed Identity
    $app = Get-AzureADApplicationProxyApplication -ObjectId $item.ObjectId -ErrorAction SilentlyContinue
}
As part of debugging, I have assigned the Managed Identity the Application Developer, Application Administrator and Global Administrator roles; however, it still fails.
Can anyone assist?
Ultimately, I am looking to query $app.VerifiedCustomDomainCertificatesMetadata to determine the expiry dates of the certificates. If anyone knows of a different way, I am open to input.
[Edit] If I get the access token for the Automation account, I can reproduce the error locally.
So it's something to do with the identity not playing well, even when it has the relevant permissions (tested with the Global Administrator role assigned).
OK, as per https://github.com/Azure/azure-docs-powershell-azuread/issues/200
The newer cmdlets use the Graph API under the hood, so I needed to provide the additional -MsAccessToken parameter.
There's also the requirement to assign the Application.ReadWrite.All Graph API permission to the Managed Identity, which can only be done via PowerShell.
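The two steps the self-answer describes, written out as an added example (this is not code from the original post or from the Microsoft sample it was based on). Part 1 is a one-time grant of the Application.ReadWrite.All application permission on Microsoft Graph to the Automation account's Managed Identity, run interactively by an administrator with the AzureAD module. Part 2 is the runbook body: it requests both an Azure AD Graph token and a Microsoft Graph token, passes them to Connect-AzureAD with -AadAccessToken and -MsAccessToken, then reads VerifiedCustomDomainCertificatesMetadata and reports certificates close to expiry. Assumed, not from the post: the $tenantId, $automationAccountName and $warnDays values, that the Managed Identity's service principal carries the Automation account's display name, and the property names ExpiryDate, SubjectName and Thumbprint on the metadata object (taken from the cmdlet's documented output).

```powershell
# ---------- Part 1: one-time grant, run from a workstation by an admin (not in the runbook) ----------
$tenantId              = '<tenant-id>'            # assumption: filled in by the operator
$automationAccountName = '<automation-account>'   # assumption: display name of the Automation account

Connect-AzureAD -TenantId $tenantId

# Microsoft Graph's well-known application id; its service principal exposes the app roles
$graphSp = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Pick the application (not delegated) role named in the self-answer
$appRole = $graphSp.AppRoles |
    Where-Object { $_.Value -eq 'Application.ReadWrite.All' -and $_.AllowedMemberTypes -contains 'Application' }

# The system-assigned Managed Identity's service principal is named after the Automation account
$miSp = Get-AzureADServicePrincipal -Filter "displayName eq '$automationAccountName'"

# App role assignment: principal = the Managed Identity, resource = Microsoft Graph.
# The cmdlet errors if the same assignment already exists, so a re-run is reported rather than duplicated.
try {
    New-AzureADServiceAppRoleAssignment -ObjectId $miSp.ObjectId -PrincipalId $miSp.ObjectId `
        -ResourceId $graphSp.ObjectId -Id $appRole.Id
} catch {
    Write-Warning "App role assignment not created: $($_.Exception.Message)"
}

# ---------- Part 2: runbook body, runs as the Managed Identity ----------
$warnDays = 30   # assumption: report certificates expiring within this many days

Disable-AzContextAutosave -Scope Process
$AzureContext = (Connect-AzAccount -Identity).context
$context = Set-AzContext -Tenant $tenantId -DefaultProfile $AzureContext

# Two tokens: the legacy Azure AD Graph token the module always needed, plus a Microsoft Graph
# token for the cmdlets that now call Microsoft Graph, such as Get-AzureADApplicationProxyApplication
$aadToken = Get-AzAccessToken -ResourceTypeName AadGraph
$msToken  = Get-AzAccessToken -ResourceTypeName MSGraph
Connect-AzureAD -TenantId $context.Tenant.Id -AccountId $context.Account.Id `
    -AadAccessToken $aadToken.Token -MsAccessToken $msToken.Token

# Index app registrations by AppId so the join is exact rather than a regex -match on the object
$appsByAppId = @{}
Get-AzureADApplication -All $true | ForEach-Object { $appsByAppId[$_.AppId] = $_ }

$proxySps = Get-AzureADServicePrincipal -All $true |
    Where-Object { $_.Tags -contains 'WindowsAzureActiveDirectoryOnPremApp' }

$report = foreach ($sp in $proxySps) {
    $reg = $appsByAppId[$sp.AppId]
    if (-not $reg) { continue }

    $proxy = Get-AzureADApplicationProxyApplication -ObjectId $reg.ObjectId -ErrorAction SilentlyContinue
    # Apps published only on the default *.msappproxy.net domain carry no custom-domain certificate
    $meta = $proxy.VerifiedCustomDomainCertificatesMetadata
    if (-not $meta) { continue }

    $daysLeft = [int]([datetime]$meta.ExpiryDate - (Get-Date)).TotalDays
    [pscustomobject]@{
        App        = $reg.DisplayName
        Subject    = $meta.SubjectName
        Thumbprint = $meta.Thumbprint
        ExpiryDate = $meta.ExpiryDate
        DaysLeft   = $daysLeft
        Expiring   = $daysLeft -le $warnDays
    }
}

$report | Sort-Object DaysLeft | Format-Table -AutoSize
$report | Where-Object Expiring | ForEach-Object {
    Write-Warning "$($_.App): certificate $($_.Thumbprint) expires in $($_.DaysLeft) day(s)"
}
```

Part 1 only needs to run once per tenant and requires an account that can grant application permissions; after that the runbook in Part 2 authenticates purely as the Managed Identity. Keep the two token requests separate: the AadGraph token alone is what produced the NullReferenceException in the question, because Get-AzureADApplicationProxyApplication goes to Microsoft Graph and finds no token for it.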