2
votes

I was wondering if someone amongst the Azure gurus could clarify the behaviour of New-AzureADApplication. When I create an App Registration in PowerShell, it seems to add a user_impersonation scope under Expose an API > Scopes defined by this API in the GUI. When I create an App Registration in the GUI, I provide a name for it and a Redirect URI if necessary, but this user_impersonation scope is not created.

I thought that maybe it was something to do with the AzureAD module and its specific connection to Azure AD, but the behaviour is the same when using New-AzADApplication, with the exception that this cmdlet requires -IdentifierUris to be specified too, which isn't necessary for all the apps we register.

Is there any way to avoid the OAuth2Permissions being added when I create the App Registration via PowerShell?

Other things I have tried:

  • Setting -OAuth2Permissions as an empty list of the type [System.Collections.Generic.List`1[[Microsoft.Open.AzureAD.Model.OAuth2Permission, Microsoft.Open.AzureAD16.Graph.Client, Version=0.1.599.7, Culture=neutral, PublicKeyToken=null]]

  • Using Get-AzureADOAuth2PermissionGrant to try and find the permission and remove it afterwards. It's not there.

If I cannot avoid this at creation or remove it, then please provide information on:

  • Why this permission is necessary as default.
  • Why the GUI doesn't deem it to be necessary.

Example:

Connect-AzureAD
# Microsoft Graph service principal, looked up by its well-known AppId
$GraphRead = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '00000003-0000-0000-c000-000000000000'}
$RRA = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$RRA.ResourceAppId = $GraphRead.AppId
# Delegated ("Scope") permission User.Read on Microsoft Graph
$ResAcc = New-Object -TypeName "microsoft.open.azuread.model.resourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "Scope"
$RRA.ResourceAccess = $ResAcc
$Test = New-AzureADApplication -DisplayName "PoshTest" -ReplyUrls "https://visualstudio/spn" -RequiredResourceAccess @($RRA)

Object:

$Test | FL *

DeletionTimestamp          : 
ObjectId                   : ************************************
ObjectType                 : Application
AddIns                     : {}
AppId                      : ************************************
AppRoles                   : {}
AvailableToOtherTenants    : False
DisplayName                : PoshTest
ErrorUrl                   : 
GroupMembershipClaims      : 
Homepage                   : 
IdentifierUris             : {}
KeyCredentials             : {}
KnownClientApplications    : {}
LogoutUrl                  : 
Oauth2AllowImplicitFlow    : False
Oauth2AllowUrlPathMatching : False
Oauth2Permissions          : {class OAuth2Permission {
                               AdminConsentDescription: Allow the application to access PoshTest on behalf of the 
                             signed-in user.
                               AdminConsentDisplayName: Access PoshTest
                               Id: ************************************
                               IsEnabled: True
                               Type: User
                               UserConsentDescription: Allow the application to access PoshTest on your behalf.
                               UserConsentDisplayName: Access PoshTest
                               Value: user_impersonation
                             }
                             }
Oauth2RequirePostResponse  : False
PasswordCredentials        : {}
PublicClient               : 
RecordConsentConditions    : 
ReplyUrls                  : {https://visualstudio/spn}
RequiredResourceAccess     : {class RequiredResourceAccess {
                               ResourceAppId: 00000003-0000-0000-c000-000000000000
                               ResourceAccess: 
                             System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ResourceAccess]
                             }
                             }
SamlMetadataUrl            : 

PowerShell Details

$PSVersionTable | select PSVersion,PSEdition,OS,Platform | FL *

PSVersion : 7.0.2
PSEdition : Core
OS        : Darwin 18.7.0 Darwin Kernel Version 18.7.0: Mon Apr 27 20:09:39 PDT 2020; 
            root:xnu-4903.278.35~1/RELEASE_X86_64
Platform  : Unix

Get-Module -Name AzureAD.Standard.Preview

ModuleType Version    PreRelease Name
---------- -------    ---------- ----
Script     0.1.599.7             AzureAD.Standard.Preview

Difference In GUI

[Screenshot: the Expose an API blade for GUITest (no scopes) next to PoshTest (user_impersonation scope)]


3 Answers

3
votes

I have managed to work this out so wanted to leave an appropriate breakdown of the answer for others who may also be trying to remove this permission from their App Registration.

I was on the right path with an empty [Microsoft.Open.AzureAD.Model.OAuth2Permission] list as I had explored above.

If you apply this via New-AzureADApplication when creating your app, it will have absolutely no effect.

If you apply this directly via Set-AzureADApplication after creating your new App Registration you will get an error like this:

Set-AzureADApplication: Error occurred while executing SetApplication 
Code: Request_BadRequest
Message: Property  value cannot be deleted or updated unless it is disabled first.
RequestId: ********-****-****-*****************
DateTimeStamp: Thu, 02 Jul 2020 10:11:54 GMT
Details: PropertyName  - None, PropertyErrorCode  - CannotDeleteEnabledEntitlement
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed

So the solution is to first create a new list and add the old scope to it with IsEnabled set to $false.

# New Azure AD Application
Connect-AzureAD
# Microsoft Graph service principal, looked up by its well-known AppId
$GraphRead = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '00000003-0000-0000-c000-000000000000'}
$RRA = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$RRA.ResourceAppId = $GraphRead.AppId
# Delegated ("Scope") permission User.Read on Microsoft Graph
$ResAcc = New-Object -TypeName "microsoft.open.azuread.model.resourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "Scope"
$RRA.ResourceAccess = $ResAcc
$Test = New-AzureADApplication -DisplayName "PoshTest" -ReplyUrls "https://visualstudio/spn" -RequiredResourceAccess @($RRA)

# Disable the App Registration scope.
# The directory refuses to delete an enabled scope (CannotDeleteEnabledEntitlement),
# so write the same scope back with IsEnabled = $false first.
$Scopes = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]
$Scope = $Test.Oauth2Permissions | Where-Object { $_.Value -eq "user_impersonation" }
$Scope.IsEnabled = $false
$Scopes.Add($Scope)
Set-AzureADApplication -ObjectId $Test.ObjectID -Oauth2Permissions $Scopes

You can finally remove the OAuth2Permission completely by then applying an empty list to it.

# Now that the scope is disabled, an empty list is accepted and the scope is removed.
$EmptyScopes = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]
Set-AzureADApplication -ObjectId $Test.ObjectID -Oauth2Permissions $EmptyScopes

Use Get-AzureADApplication to obtain the up-to-date information for the object and you should see that the OAuth2Permissions list is now empty.

$Test = Get-AzureADApplication -ObjectId $Test.ObjectID
$Test | FL *

DeletionTimestamp          : 
ObjectId                   : ********-****-****-*****************
ObjectType                 : Application
AddIns                     : {}
AppId                      : ********-****-****-*****************
AppRoles                   : {}
AvailableToOtherTenants    : False
DisplayName                : PoshTest
ErrorUrl                   : 
GroupMembershipClaims      : 
Homepage                   : 
IdentifierUris             : {}
KeyCredentials             : {}
KnownClientApplications    : {}
LogoutUrl                  : 
Oauth2AllowImplicitFlow    : False
Oauth2AllowUrlPathMatching : False
Oauth2Permissions          : {}
Oauth2RequirePostResponse  : False
PasswordCredentials        : {}
PublicClient               : 
RecordConsentConditions    : 
ReplyUrls                  : {https://visualstudio/spn}
RequiredResourceAccess     : {class RequiredResourceAccess {
                               ResourceAppId: 00000003-0000-0000-c000-000000000000
                               ResourceAccess: 
                             System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ResourceAccess]
                             }
                             }
SamlMetadataUrl            :
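The two-step disable-then-remove procedure from the answer above, packaged as a reusable function. This is an added example, not code from the original post: the function name Remove-DefaultOAuth2Scope is ours, it assumes Connect-AzureAD has already been run with rights to modify the application, and it goes slightly beyond the answer by keeping any other scopes the app exposes, doing nothing when the scope is already gone, and re-reading the object to confirm the result instead of trusting the local copy. The permission GUID in the usage section is Microsoft Graph's delegated User.Read, the same one the answer requests. Removing the scope matters beyond tidiness: a client-only app that still exposes user_impersonation is an API surface other clients can request and be granted consent for, which is why stripping it is the least-privilege default.

```powershell
# Added example (not part of the original answer). Assumes Connect-AzureAD has
# already been run. Requires the AzureAD (Azure AD Graph model) module.

function Remove-DefaultOAuth2Scope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ObjectId,
        # The scope value New-AzureADApplication adds by default.
        [string] $ScopeValue = 'user_impersonation'
    )

    $listType = 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]'
    $app = Get-AzureADApplication -ObjectId $ObjectId
    $targets = @($app.Oauth2Permissions | Where-Object { $_.Value -eq $ScopeValue })

    if ($targets.Count -eq 0) {
        Write-Verbose "No '$ScopeValue' scope on '$($app.DisplayName)'; nothing to do."
        return $app
    }

    # Step 1: the directory rejects deletion of an enabled scope
    # (Request_BadRequest / CannotDeleteEnabledEntitlement), so write the full
    # list back with the target scope flipped to IsEnabled = $false.
    $disabled = New-Object $listType
    foreach ($perm in $app.Oauth2Permissions) {
        if ($perm.Value -eq $ScopeValue) { $perm.IsEnabled = $false }
        $disabled.Add($perm)
    }
    Set-AzureADApplication -ObjectId $ObjectId -Oauth2Permissions $disabled

    # Step 2: write the list back without the (now disabled) scope. Other scopes,
    # if the app legitimately exposes any, are preserved.
    $remaining = New-Object $listType
    foreach ($perm in $app.Oauth2Permissions) {
        if ($perm.Value -ne $ScopeValue) { $remaining.Add($perm) }
    }
    Set-AzureADApplication -ObjectId $ObjectId -Oauth2Permissions $remaining

    # Verify against the directory, not the local object.
    $app = Get-AzureADApplication -ObjectId $ObjectId
    if (@($app.Oauth2Permissions | Where-Object { $_.Value -eq $ScopeValue }).Count -ne 0) {
        throw "Scope '$ScopeValue' is still present on '$($app.DisplayName)'."
    }
    return $app
}

# Usage: create the registration as in the answer, then strip the default scope.
$graphAppId = '00000003-0000-0000-c000-000000000000'      # Microsoft Graph
$userReadId = 'e1fe6dd8-ba31-4d61-89e7-88639da4683d'      # Graph delegated User.Read

$rra = New-Object -TypeName 'Microsoft.Open.AzureAD.Model.RequiredResourceAccess'
$rra.ResourceAppId = $graphAppId
$rra.ResourceAccess = New-Object -TypeName 'Microsoft.Open.AzureAD.Model.ResourceAccess' -ArgumentList $userReadId, 'Scope'

$app = New-AzureADApplication -DisplayName 'PoshTest' -ReplyUrls 'https://visualstudio/spn' -RequiredResourceAccess @($rra)
$app = Remove-DefaultOAuth2Scope -ObjectId $app.ObjectId -Verbose

# Expected: an empty collection
$app.Oauth2Permissions
```

Running Remove-DefaultOAuth2Scope a second time on the same ObjectId is a no-op, so it can be called unconditionally after every New-AzureADApplication in a provisioning script.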
1
votes

I know this question is over a year old but I ran into the same problem and found a solution that doesn't require removing the user_impersonation after creating the App Registration.

I used the ADMS versions of the PowerShell AzureAD API and found I can get the results I want without unexpected extras:

Use the following to specify the API Permissions:

$Resources = New-Object -TypeName "Microsoft.Open.MSGraph.Model.RequiredResourceAccess"
$Resources.ResourceAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph
# Delegated ("Scope") permissions on Microsoft Graph: offline_access and User.Read
$Resource1 = New-Object -TypeName "Microsoft.Open.MSGraph.Model.ResourceAccess" -ArgumentList "7427e0e9-2fba-42fe-b0c0-848c9e6a8182","Scope"
$Resource2 = New-Object -TypeName "Microsoft.Open.MSGraph.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d","Scope"
$Resources.ResourceAccess = $Resource1, $Resource2

Then the following to create the App Registration:

# $Name holds the display name you want for the registration
$NewApp = New-AzureADMSApplication `
            -DisplayName $Name `
            -SignInAudience AzureADMultipleOrgs `
            -RequiredResourceAccess $Resources
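The same approach wrapped in a function, as an added example rather than code from the answer above: it builds the Microsoft Graph RequiredResourceAccess entry from a list of delegated permission IDs, creates the registration with New-AzureADMSApplication, and then checks that the new object exposes no scopes at all. Assumptions: Connect-AzureAD has already been run; the function name New-GraphDelegatedApp is ours; and the created object is read back through $app.Api.Oauth2PermissionScopes, which is where the MS-model application object reports exposed scopes. The default sign-in audience here is single-tenant (AzureADMyOrg), a deliberate narrowing of the answer's AzureADMultipleOrgs, since a multi-tenant registration is consentable from any tenant and should be opted into explicitly.

```powershell
# Added example (not part of the original answer). Assumes Connect-AzureAD has
# already been run. Requires the AzureAD module's *-AzureADMS* cmdlets.

function New-GraphDelegatedApp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        # Delegated Microsoft Graph permission IDs to request. Keep this to what
        # the app actually needs; the defaults match the answer above.
        [string[]] $DelegatedScopeIds = @(
            '7427e0e9-2fba-42fe-b0c0-848c9e6a8182',   # offline_access
            'e1fe6dd8-ba31-4d61-89e7-88639da4683d'    # User.Read
        ),
        # Single-tenant by default; widen only when the app really is multi-tenant.
        [ValidateSet('AzureADMyOrg', 'AzureADMultipleOrgs')]
        [string] $SignInAudience = 'AzureADMyOrg'
    )

    $graph = New-Object -TypeName 'Microsoft.Open.MSGraph.Model.RequiredResourceAccess'
    $graph.ResourceAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph

    $access = New-Object 'System.Collections.Generic.List[Microsoft.Open.MSGraph.Model.ResourceAccess]'
    foreach ($id in $DelegatedScopeIds) {
        # "Scope" = delegated permission; "Role" would be an application permission.
        $access.Add((New-Object -TypeName 'Microsoft.Open.MSGraph.Model.ResourceAccess' -ArgumentList $id, 'Scope'))
    }
    $graph.ResourceAccess = $access

    $app = New-AzureADMSApplication -DisplayName $DisplayName `
                                    -SignInAudience $SignInAudience `
                                    -RequiredResourceAccess $graph

    # A client-only registration should expose no scopes of its own. Fail loudly
    # if the cmdlet ever starts adding a default one, rather than shipping it.
    $exposed = @($app.Api.Oauth2PermissionScopes)
    if ($exposed.Count -ne 0) {
        $values = ($exposed | ForEach-Object { $_.Value }) -join ', '
        throw "Registration '$DisplayName' unexpectedly exposes scopes: $values"
    }
    return $app
}

# Usage: only User.Read, single tenant.
$app = New-GraphDelegatedApp -DisplayName 'PoshTestMS' -DelegatedScopeIds @('e1fe6dd8-ba31-4d61-89e7-88639da4683d')
$app.AppId
```

The check at the end is the point of wrapping the cmdlet: the question shows that the v1 cmdlet silently added an exposed scope, so a provisioning script should assert on the created object rather than assume the MS cmdlet's current behaviour will hold across module versions.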
0
votes

You are right, the permission is no longer needed by default, but is still present in the PowerShell commands due to legacy reasons.

Please see the code in Configure.ps1, which locates this extra scope and renames it. You can change it to delete the scope altogether.