Insufficient privileges to complete the operation - PowerShell Creating Azure Ad Apps fails

0
votes

I have an Azure DevOps CI/CD wherein I have a PowerShell script to create a new Azure Ad App. Although the Service Principle has permissions granted against the following Graph APIs, yet, it fails with the following exception.

2020-12-14T11:49:55.0146669Z ##[error]Error occurred while executing GetApplications Code: Authorization_RequestDenied Message: Insufficient privileges to complete the operation. RequestId: 1130fbec-3eec-4c8e-a2dd-e134f2c4621f DateTimeStamp: Mon, 14 Dec 2020 11:49:54 GMT HttpStatusCode: Forbidden HttpStatusDescription: Forbidden HttpResponseStatus: Completed

The API permissions that I have for the Service Principle are: enter image description here

I use the following script to connect to Azure AD from the pipeline and create the Azure Ad App using PowerShell

Install-Module AzureAD -Force -Verbose -Scope CurrentUser
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken

Connect-AzureAD -MsAccessToken $graphToken -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id

$ApiAppGuid = New-Guid
$ApiAppStartDate = Get-Date
$vvApiAppName = "dev0-vv-api"
# >>>>>> it must be failing here when trying to get the applications...
$appExists = ($vvApiApp = Get-AzureADApplication -Filter "DisplayName eq '$($vvApiAppName)'"  -ErrorAction SilentlyContinue)
#... rest of the code that call New-AzureADApplication

Also, when I put the $graphTokenin jwt.io, it correctly shows the API permissions I've assigned to the Service Principle from Azure Portal.

enter image description here

I have no idea why it keeps failing despite the permissions consents granted! Any ideas highly appreciated - this is now almost taking a day.

1
powershellazure-devopsazure-active-directorymicrosoft-graph-api
Could you try Get-AzureADMSApplication instead? It's a bit dumb but there is a chance the cmdlet is using AAD Graph API and those app permissions don't work there :\juunas
that easily fixed the problem. very much appreciated - massive help! does that also mean I can remove all the api permissions from the application now? as it seems it's not picking them up?Ali
I think Application.ReadWrite.OwnedBy would be enough from the permissions you listed. Or do you mean something else?juunas
nope - that's actually what I meant. I'll try that with only Application.ReadWrite.OwnedBy to see if it still works fineAli
@Ali Note that AppRoleAssignment.ReadWrite.All is an very privileged permission. Consider using a custom role which includes the permission to grant permissions subject to an app consent policy, and use a custom consent policy which only includes the permissions you really need your CI/CD pipeline to be able to grant.Philippe Signoret

1 Answers

2
votes

As I suspected, Get-AzureADApplication uses Azure AD Graph API, and it is likely the given MS Graph API application permissions do not work there. Some permissions do work in AAD Graph as well, but if it is a permission that was created later, it won't be supported.

So the solution is to use Get-AzureADMSApplication instead, which uses the MS Graph API. Most scripts should be switched to use these any way since AAD Graph API is being deprecated.