Powershell - Set-AzureADApplication Application Permission for Public Client


Issue Description:

While trying to use the following command to create a daemon application as a PublicClient, it failed. If PublicClient is configured as False, it works.

Issue Repro:

Connect-AzureAD
$svcprincipal = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }

#Microsoft Graph
$reqGraph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$reqGraph.ResourceAppId = $svcprincipal.AppId

##Delegated Permissions
$delPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "0e263e50-5827-48a4-b97c-d940288653c7","Scope" #Access Directory as the signed in user

##Application Permissions
$appPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "62a82d76-70ea-41e2-9197-370581804d09","Role" #Read and Write All Groups
$appPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "19dbc75e-c2e2-444c-a770-ec69d8559fc7","Role" #Read and Write directory data

# attach the permissions to the RequiredResourceAccess object
$reqGraph.ResourceAccess = $delPermission1,$appPermission1,$appPermission2

# when Set PublicClient as False, it worked.
New-AzureADApplication -DisplayName pca-test3 -ReplyUrls https://localhost/ -AvailableToOtherTenants $true -PublicClient $false -RequiredResourceAccess $reqGraph

# when Set PublicClient as True, it failed
New-AzureADApplication -DisplayName pca-test3 -ReplyUrls https://localhost/ -AvailableToOtherTenants $true -PublicClient $true -RequiredResourceAccess $reqGraph

ErrorMessage:

Code: Request_BadRequest Message: Property requiredResourceAccess.resourceAccess is invalid. Details: PropertyName - requiredResourceAccess.resourceAccess, PropertyErrorCode - GenericError HttpStatusCode: BadRequest HttpStatusDescription: Bad Request HttpResponseStatus: Completed

Can anyone provide some suggestions or help? Thanks.


Since you create the Azure AD application as a public client, you cannot configure application permissions for it. These applications are not trusted to safely keep application secrets, so they only access Web APIs on behalf of the user. For more details, please refer to the document. So you need to configure delegated permissions for the application. In other words, the permissions' type should be Scope.

For example:

Connect-AzureAD

$svcprincipal = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }

$reqGraph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$reqGraph.ResourceAppId = $svcprincipal.AppId
$delPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "0e263e50-5827-48a4-b97c-d940288653c7","Scope" #Access Directory as the signed in user (Directory.AccessAsUser.All)
$delPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d","Scope" #Sign in and read user profile (User.Read)

# both entries are of type "Scope": delegated permissions only for a public client
$reqGraph.ResourceAccess = $delPermission1,$delPermission2

New-AzureADApplication -DisplayName pca-test3 -ReplyUrls https://localhost/ -AvailableToOtherTenants $true -PublicClient $true -RequiredResourceAccess $reqGraph

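As an added example (not code from the question or the answer above), the following helper builds the RequiredResourceAccess object from permission names instead of hard-coded GUIDs, by looking the IDs up on the Microsoft Graph service principal's Oauth2Permissions (delegated) and AppRoles (application) collections, and it rejects application permissions up front when the app is a public client, so the failure is a readable message rather than the GenericError shown in the question. The function and parameter names are my own; it assumes the AzureAD module is loaded and Connect-AzureAD has already run.

```powershell
# Added example; assumes the AzureAD module and an existing Connect-AzureAD session.
function New-GraphRequiredResourceAccess {
    param(
        [string[]]$DelegatedPermissions = @(),    # delegated scopes, e.g. 'User.Read'
        [string[]]$ApplicationPermissions = @(),  # app roles, e.g. 'Group.ReadWrite.All'
        [bool]$PublicClient = $false
    )

    # A public client cannot hold application (Role) permissions: fail before any API call.
    if ($PublicClient -and $ApplicationPermissions.Count -gt 0) {
        throw "Public client applications can only use delegated (Scope) permissions; remove: $($ApplicationPermissions -join ', ')"
    }

    # Same lookup the page uses: find the Microsoft Graph service principal in this tenant.
    $graphSp = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq 'Microsoft Graph' }
    if (-not $graphSp) { throw 'Microsoft Graph service principal not found in this tenant' }

    $req = New-Object -TypeName 'Microsoft.Open.AzureAD.Model.RequiredResourceAccess'
    $req.ResourceAppId = $graphSp.AppId
    $access = @()

    # Resolve delegated permission names to their IDs; type is "Scope".
    foreach ($name in $DelegatedPermissions) {
        $perm = $graphSp.Oauth2Permissions | Where-Object { $_.Value -eq $name }
        if (-not $perm) { throw "Unknown delegated permission '$name'" }
        $access += New-Object -TypeName 'Microsoft.Open.AzureAD.Model.ResourceAccess' -ArgumentList $perm.Id, 'Scope'
    }

    # Resolve application permission names to their IDs; type is "Role" (confidential clients only).
    foreach ($name in $ApplicationPermissions) {
        $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $name }
        if (-not $role) { throw "Unknown application permission '$name'" }
        $access += New-Object -TypeName 'Microsoft.Open.AzureAD.Model.ResourceAccess' -ArgumentList $role.Id, 'Role'
    }

    $req.ResourceAccess = $access
    return $req
}

# Usage: a public client with the smallest delegated scope it needs.
$req = New-GraphRequiredResourceAccess -DelegatedPermissions 'User.Read' -PublicClient $true
New-AzureADApplication -DisplayName pca-test3 -ReplyUrls https://localhost/ -AvailableToOtherTenants $true -PublicClient $true -RequiredResourceAccess $req

# This combination throws locally with a clear message instead of a Request_BadRequest from the service:
# New-GraphRequiredResourceAccess -ApplicationPermissions 'Group.ReadWrite.All' -PublicClient $true
```

Resolving by name also makes a review of the registration easier: the permission values read as `User.Read` rather than opaque GUIDs, and the check on `$PublicClient` documents the rule the answer states, namely that a public client is granted delegated permissions only.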