I am trying to automate the creation of an app registration, add permissions to it, and then grant admin consent. I am logging in with a service principal, and that service principal holds the Privileged Role Administrator directory role.
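<#
.SYNOPSIS
    Creates (or reuses) an Entra ID app registration and its service principal via
    Azure CLI, sets the SAML metadata URL, then attempts to grant admin consent.

.DESCRIPTION
    Logs in to Azure CLI as a service principal, looks the app up by display name and
    creates it when missing, does the same for the service principal, patches
    samlMetadataUrl and the WindowsAzureActiveDirectoryIntegratedApp tag, and finally
    runs `az ad app permission admin-consent`. Every az call is checked through
    $LASTEXITCODE, because try/catch does not observe native command failures.

.PARAMETER tenantId
    Tenant to log in to (passed to az login --tenant).
.PARAMETER appName
    Display name of the app registration; also used to look up the service principal.
.PARAMETER replyUrls
    Web redirect URIs for the app (passed to --web-redirect-uris).
.PARAMETER samlMetadataUrl
    Value written to the app's samlMetadataUrl property.
.PARAMETER clientId
    Client (application) ID of the service principal used to log in.
.PARAMETER clientSecret
    Secret of that service principal; it is handed to az login on the command line.
.PARAMETER identifiersurl
    Identifier URI for the app (passed to --identifier-uris).
.PARAMETER requiredResourceAccessesFile
    Path of the JSON file passed to --required-resource-accesses. Defaults to the
    path the script previously hard-coded, so existing callers are unaffected.

.NOTES
    The final admin-consent step is the one reported on this page as failing with
    "Unauthorized ... UnsupportedAuthenticationScheme" when run under a service
    principal; the answer on this page states it needs a user login or a Microsoft
    Graph call instead. The script surfaces that failure as a non-zero exit code.
#>
param(
    [string] [Parameter(Mandatory = $true)] $tenantId,
    [string] [Parameter(Mandatory = $true)] $appName,
    [array] [Parameter(Mandatory = $true)] $replyUrls,
    [string] [Parameter(Mandatory = $true)] $samlMetadataUrl,
    [string] [Parameter(Mandatory = $true)] $clientId,
    [string] [Parameter(Mandatory = $true)] $clientSecret,
    [string] [Parameter(Mandatory = $true)] $identifiersurl,
    [string] $requiredResourceAccessesFile = "C:\my_workspace\Repo\ODP\usmsb2cnp.Json"
)

# Write the message to the error stream and stop the script with exit code 1.
# The original script called this name but never defined it, so its failure
# branches would themselves have failed with "command not found".
function Handle-Error {
    param([string] $Message)
    Write-Error $Message
    exit 1
}

# Fail when the most recent native (az) command returned non-zero. try/catch does
# not see native exit codes, so this is what actually detects az failures.
function Assert-LastExitCode {
    param([string] $Message)
    if ($LASTEXITCODE -ne 0) {
        Handle-Error $Message
    }
}

# Login to Azure CLI using a service principal.
Write-Output "Logging in to Azure CLI using service principal..."
# 2>&1 so that az's error text is actually captured for the message below
# (az writes errors to stderr, which a plain assignment does not collect).
# NOTE(review): the secret travels on argv and is visible in process listings
# on this host; confirm that is acceptable for where this script runs.
$azLoginResult = az login --service-principal --username $clientId --password="$clientSecret" --tenant $tenantId --allow-no-subscriptions 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Error "Failed to log in to Azure CLI. Error: $azLoginResult"
    exit 1
}
Write-Host "Successfully logged in to Azure CLI."

# Check if the application already exists (first match by display name wins).
Write-Host "Checking if the application already exists..."
$appId = az ad app list --display-name $appName --query "[0].appId" -o tsv
Assert-LastExitCode "Failed to list applications named '$appName'."
if (-not $appId) {
    Write-Host "Application does not exist. Creating a new application..."
    # Check the manifest path up front so a missing file gives a clear message
    # instead of an opaque az error.
    if (-not (Test-Path -LiteralPath $requiredResourceAccessesFile)) {
        Handle-Error "Required-resource-accesses file not found: $requiredResourceAccessesFile"
    }
    # No 2>&1 here: with it, az's error output was assigned into $appId on
    # failure and the script carried on using that text as the app id.
    $appId = az ad app create --display-name $appName --sign-in-audience AzureADMyOrg --is-fallback-public-client true --web-redirect-uris $replyUrls --identifier-uris $identifiersurl --required-resource-accesses $requiredResourceAccessesFile --query "appId" -o tsv
    if ($LASTEXITCODE -ne 0 -or -not $appId) {
        Handle-Error "Failed to create Azure AD application."
    }
} else {
    Write-Host "Application already exists. Skipping creation."
}

# Check if the service principal exists.
Write-Host "Checking if the service principal exists..."
# Double any single quote in the name: it is interpolated into an OData filter
# string, where a stray quote would break (or alter) the query.
$filterName = $appName.Replace("'", "''")
$spId = az ad sp list --filter "displayName eq '$filterName'" --query "[0].id" -o tsv
Assert-LastExitCode "Failed to list service principals named '$appName'."
if (-not $spId) {
    Write-Host "Service principal does not exist. Creating a new service principal..."
    az ad sp create --id $appId | Out-Null
    Assert-LastExitCode "Failed to create service principal."
    $spId = az ad sp list --filter "displayName eq '$filterName'" --query "[0].id" -o tsv
    if ($LASTEXITCODE -ne 0 -or -not $spId) {
        Handle-Error "Service principal was created but could not be looked up."
    }
} else {
    Write-Host "Service principal already exists. Skipping creation."
}

# Add the SAML metadata URL and the integrated-app tag.
az ad app update --id $appId --set samlMetadataUrl=$samlMetadataUrl --set tags="['WindowsAzureActiveDirectoryIntegratedApp']"
Assert-LastExitCode "Failed to update application $appId with the SAML metadata URL."
# Presumably gives the directory time to propagate the update before consent is
# requested — TODO confirm the delay is still needed.
Start-Sleep -Seconds 10

# Grant admin consent.
Write-Output "Granting admin consent for API permissions..."
# This is the step that fails with "Unauthorized ... UnsupportedAuthenticationScheme"
# when the CLI session belongs to a service principal (see the error and the
# answer on this page); it is expected to need a user session or a Graph call.
az ad app permission admin-consent --id $appId
Assert-LastExitCode "Failed to grant admin consent for application $appId."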
Granting admin consent always throws the error below.
az : ERROR: Unauthorized({"ClassName":"System.Security.Authentication.AuthenticationException","Message":"S2S17000: SAL was unable to validate the protocol.
Validation failure: 'ValidationCompleted; UnsupportedAuthenticationScheme; UnsupportedAuthenticationScheme; UnsupportedAuthenticationScheme'","Data":null,"Inner
Exception":null,"HelpURL":null,"StackTraceString":null,"RemoteStackTraceString":null,"RemoteStackIndex":0,"ExceptionMethod":null,"HResult":-2146233087,"Source":
null,"WatsonBuckets":null})
At line:1 char:1
+ az ad app permission admin-consent --id $APP_ID
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (ERROR: Unauthor...Buckets":null}):String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
It shows Unauthorized, but I have granted the required access; this is a B2C tenant.
Thanks Krupa G
I am trying to automate the creation of an app registration, add permissions to it, and then grant admin consent. I am logging in with a service principal, and that service principal holds the Privileged Role Administrator directory role.
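<#
.SYNOPSIS
    Creates (or reuses) an Entra ID app registration and its service principal via
    Azure CLI, sets the SAML metadata URL, then attempts to grant admin consent.

.DESCRIPTION
    Logs in to Azure CLI as a service principal, looks the app up by display name and
    creates it when missing, does the same for the service principal, patches
    samlMetadataUrl and the WindowsAzureActiveDirectoryIntegratedApp tag, and finally
    runs `az ad app permission admin-consent`. Every az call is checked through
    $LASTEXITCODE, because try/catch does not observe native command failures.

.PARAMETER tenantId
    Tenant to log in to (passed to az login --tenant).
.PARAMETER appName
    Display name of the app registration; also used to look up the service principal.
.PARAMETER replyUrls
    Web redirect URIs for the app (passed to --web-redirect-uris).
.PARAMETER samlMetadataUrl
    Value written to the app's samlMetadataUrl property.
.PARAMETER clientId
    Client (application) ID of the service principal used to log in.
.PARAMETER clientSecret
    Secret of that service principal; it is handed to az login on the command line.
.PARAMETER identifiersurl
    Identifier URI for the app (passed to --identifier-uris).
.PARAMETER requiredResourceAccessesFile
    Path of the JSON file passed to --required-resource-accesses. Defaults to the
    path the script previously hard-coded, so existing callers are unaffected.

.NOTES
    The final admin-consent step is the one reported on this page as failing with
    "Unauthorized ... UnsupportedAuthenticationScheme" when run under a service
    principal; the answer on this page states it needs a user login or a Microsoft
    Graph call instead. The script surfaces that failure as a non-zero exit code.
#>
param(
    [string] [Parameter(Mandatory = $true)] $tenantId,
    [string] [Parameter(Mandatory = $true)] $appName,
    [array] [Parameter(Mandatory = $true)] $replyUrls,
    [string] [Parameter(Mandatory = $true)] $samlMetadataUrl,
    [string] [Parameter(Mandatory = $true)] $clientId,
    [string] [Parameter(Mandatory = $true)] $clientSecret,
    [string] [Parameter(Mandatory = $true)] $identifiersurl,
    [string] $requiredResourceAccessesFile = "C:\my_workspace\Repo\ODP\usmsb2cnp.Json"
)

# Write the message to the error stream and stop the script with exit code 1.
# The original script called this name but never defined it, so its failure
# branches would themselves have failed with "command not found".
function Handle-Error {
    param([string] $Message)
    Write-Error $Message
    exit 1
}

# Fail when the most recent native (az) command returned non-zero. try/catch does
# not see native exit codes, so this is what actually detects az failures.
function Assert-LastExitCode {
    param([string] $Message)
    if ($LASTEXITCODE -ne 0) {
        Handle-Error $Message
    }
}

# Login to Azure CLI using a service principal.
Write-Output "Logging in to Azure CLI using service principal..."
# 2>&1 so that az's error text is actually captured for the message below
# (az writes errors to stderr, which a plain assignment does not collect).
# NOTE(review): the secret travels on argv and is visible in process listings
# on this host; confirm that is acceptable for where this script runs.
$azLoginResult = az login --service-principal --username $clientId --password="$clientSecret" --tenant $tenantId --allow-no-subscriptions 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Error "Failed to log in to Azure CLI. Error: $azLoginResult"
    exit 1
}
Write-Host "Successfully logged in to Azure CLI."

# Check if the application already exists (first match by display name wins).
Write-Host "Checking if the application already exists..."
$appId = az ad app list --display-name $appName --query "[0].appId" -o tsv
Assert-LastExitCode "Failed to list applications named '$appName'."
if (-not $appId) {
    Write-Host "Application does not exist. Creating a new application..."
    # Check the manifest path up front so a missing file gives a clear message
    # instead of an opaque az error.
    if (-not (Test-Path -LiteralPath $requiredResourceAccessesFile)) {
        Handle-Error "Required-resource-accesses file not found: $requiredResourceAccessesFile"
    }
    # No 2>&1 here: with it, az's error output was assigned into $appId on
    # failure and the script carried on using that text as the app id.
    $appId = az ad app create --display-name $appName --sign-in-audience AzureADMyOrg --is-fallback-public-client true --web-redirect-uris $replyUrls --identifier-uris $identifiersurl --required-resource-accesses $requiredResourceAccessesFile --query "appId" -o tsv
    if ($LASTEXITCODE -ne 0 -or -not $appId) {
        Handle-Error "Failed to create Azure AD application."
    }
} else {
    Write-Host "Application already exists. Skipping creation."
}

# Check if the service principal exists.
Write-Host "Checking if the service principal exists..."
# Double any single quote in the name: it is interpolated into an OData filter
# string, where a stray quote would break (or alter) the query.
$filterName = $appName.Replace("'", "''")
$spId = az ad sp list --filter "displayName eq '$filterName'" --query "[0].id" -o tsv
Assert-LastExitCode "Failed to list service principals named '$appName'."
if (-not $spId) {
    Write-Host "Service principal does not exist. Creating a new service principal..."
    az ad sp create --id $appId | Out-Null
    Assert-LastExitCode "Failed to create service principal."
    $spId = az ad sp list --filter "displayName eq '$filterName'" --query "[0].id" -o tsv
    if ($LASTEXITCODE -ne 0 -or -not $spId) {
        Handle-Error "Service principal was created but could not be looked up."
    }
} else {
    Write-Host "Service principal already exists. Skipping creation."
}

# Add the SAML metadata URL and the integrated-app tag.
az ad app update --id $appId --set samlMetadataUrl=$samlMetadataUrl --set tags="['WindowsAzureActiveDirectoryIntegratedApp']"
Assert-LastExitCode "Failed to update application $appId with the SAML metadata URL."
# Presumably gives the directory time to propagate the update before consent is
# requested — TODO confirm the delay is still needed.
Start-Sleep -Seconds 10

# Grant admin consent.
Write-Output "Granting admin consent for API permissions..."
# This is the step that fails with "Unauthorized ... UnsupportedAuthenticationScheme"
# when the CLI session belongs to a service principal (see the error and the
# answer on this page); it is expected to need a user session or a Graph call.
az ad app permission admin-consent --id $appId
Assert-LastExitCode "Failed to grant admin consent for application $appId."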
Granting admin consent always throws the error below.
az : ERROR: Unauthorized({"ClassName":"System.Security.Authentication.AuthenticationException","Message":"S2S17000: SAL was unable to validate the protocol.
Validation failure: 'ValidationCompleted; UnsupportedAuthenticationScheme; UnsupportedAuthenticationScheme; UnsupportedAuthenticationScheme'","Data":null,"Inner
Exception":null,"HelpURL":null,"StackTraceString":null,"RemoteStackTraceString":null,"RemoteStackIndex":0,"ExceptionMethod":null,"HResult":-2146233087,"Source":
null,"WatsonBuckets":null})
At line:1 char:1
+ az ad app permission admin-consent --id $APP_ID
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (ERROR: Unauthor...Buckets":null}):String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
It shows Unauthorized, but I have granted the required access; this is a B2C tenant.
Thanks Krupa G
Share Improve this question asked Mar 27 at 19:02 GUNDRAJU KRUPA VANIGUNDRAJU KRUPA VANI 71 bronze badge 1- What permissions does your app require? Some of them require either Cloud App Admin or App Admin role. – juunas Commented Mar 27 at 19:54
I got the same error after assigning the Privileged Role Administrator role to the service principal:
Note: when logged in to Azure as a service principal, granting admin consent this way is not possible, even if the service principal is assigned roles such as Global Administrator, Application Administrator, Privileged Role Administrator, or Cloud App Administrator.
- Hence the error you are facing. Either log in with a user account (`az login`) that has the required role to grant admin consent, or grant admin consent manually.
- Alternatively, you can call Microsoft Graph to grant admin consent: log in to Azure with the service principal, generate an access token for the Microsoft Graph API, and issue the Graph request with it. Refer to this SO thread by me.
I am able to create the app registration and add API permissions, without granting admin consent, as below:
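<#
.SYNOPSIS
    Sample: create (or reuse) an app registration and its service principal with
    Azure CLI under a service-principal login, without granting admin consent.

.DESCRIPTION
    Logs in as a service principal, creates the app with a Microsoft Graph delegated
    permission in its required-resource-accesses when it does not exist yet, creates
    the service principal when missing, and optionally sets samlMetadataUrl. az exit
    codes are checked via $LASTEXITCODE because try/catch does not catch native
    command failures; every fatal path goes through Handle-Error (exit 1).
#>

# Sample values; replace before running. In a real script pass these in as
# parameters rather than assigning the secret in source.
$tenantId = "TenantID"
$appName = "RukCLIAppTest"
$replyUrls = @("https://yourReplyUrl1", "https://yourReplyUrl2")
$samlMetadataUrl = ""
$clientId = "ClientID"
$clientSecret = "Secret"

# Write the message to the error stream and stop the script with exit code 1.
function Handle-Error {
    param([string] $Message)
    Write-Error $Message
    exit 1
}

# Fail when the most recent native (az) command returned non-zero.
function Assert-LastExitCode {
    param([string] $Message)
    if ($LASTEXITCODE -ne 0) {
        Handle-Error $Message
    }
}

Write-Output "Logging in to Azure CLI using service principal..."
# 2>&1 so az's stderr error text is captured for the message below.
$azLoginResult = az login --service-principal --username $clientId --password="$clientSecret" --tenant $tenantId --allow-no-subscriptions 2>&1
if ($LASTEXITCODE -ne 0) {
    Write-Error "Failed to log in to Azure CLI. Error: $azLoginResult"
    exit 1
}
Write-Host "Successfully logged in to Azure CLI."

Write-Host "Checking if the application already exists..."
$appId = az ad app list --display-name $appName --query "[0].appId" -o tsv
Assert-LastExitCode "Failed to list applications named '$appName'."
if (-not $appId) {
    Write-Host "Application does not exist. Creating a new application..."
    # Microsoft Graph (resourceAppId 00000003-0000-0000-c000-000000000000) delegated
    # permission, as in the original sample. NOTE(review): the scope id is
    # presumably User.Read — verify it matches the permission you intend.
    $requiredResourceAccess = '[{
    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [{
    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
    "type": "Scope"
    }]
    }]'
    $appId = az ad app create --display-name $appName --sign-in-audience AzureADMyOrg --is-fallback-public-client true --web-redirect-uris $replyUrls --required-resource-accesses $requiredResourceAccess --query "appId" -o tsv
    # An empty result with exit code 0 is still a failure: nothing below can work
    # without an app id.
    if ($LASTEXITCODE -ne 0 -or -not $appId) {
        Handle-Error "Failed to create Azure AD application."
    }
} else {
    Write-Host "Application already exists. Skipping creation."
}

Write-Host "Checking if the service principal exists..."
# Double single quotes: the name is interpolated into an OData filter string.
$filterName = $appName.Replace("'", "''")
$spId = az ad sp list --filter "displayName eq '$filterName'" --query "[0].id" -o tsv
Assert-LastExitCode "Failed to list service principals named '$appName'."
if (-not $spId) {
    Write-Host "Service principal does not exist. Creating a new service principal..."
    az ad sp create --id $appId | Out-Null
    Assert-LastExitCode "Failed to create service principal."
    $spId = az ad sp list --filter "displayName eq '$filterName'" --query "[0].id" -o tsv
    if ($LASTEXITCODE -ne 0 -or -not $spId) {
        Handle-Error "Service principal was created but could not be looked up."
    }
} else {
    Write-Host "Service principal already exists. Skipping creation."
}

# Only patch the SAML metadata URL when one was supplied (it is empty in this sample).
if ($samlMetadataUrl) {
    az ad app update --id $appId --set samlMetadataUrl=$samlMetadataUrl --set tags="['WindowsAzureActiveDirectoryIntegratedApp']"
    Assert-LastExitCode "Failed to update application $appId with the SAML metadata URL."
}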
Reference:
How can I reliably automate granting admin consent for an Azure Databricks SCIM app using Terraform and Azure CLI without manual intervention? - Microsoft Q&A by Sanoop M