Cannot set “preAuthorizedApplications” object in new App registrations module through Azure Powershell

温柔的废话 2021-01-14 09:49

Short Scenario: A multi-tenant front-end JavaScript (React.JS) Web Application calls a multi-tenant ASP.NET Core 2.2 WebAPI from the browser.

Au

5 answers
  • 2021-01-14 10:25

    I got this error too using the client_credentials type to get an access_token to call that API, even though I granted all Microsoft Graph API and AAD API application-related permissions. It is really weird. However, using the password flow to get an access token under an Azure AD admin account will be able to call this API successfully:

    Update

    You could get your client id and client secret by below steps

    1. Go to the Azure portal, on the Azure Active Directory menu; see the screenshot below:

    2. Once you select Azure Active Directory you will see App registrations; click on that. Then select your application. See the picture below:

    3. On your application you will see the client id, tenant id and client secret, which are marked on the screenshot below:

    If you still have any concern please feel free to share. Thank you and happy coding!

  • 2021-01-14 10:29

    You are right, it seems there is some faultiness in the AzureAD PowerShell module. That does not work for me either.

    If you want to modify your app manifest using PowerShell to add the "preAuthorizedApplications" section, you can try the PowerShell script below.

    I have tested on my side and it works for me.

    In theory, I have called the Microsoft Graph API to modify the app manifest. If you have any further concerns, please feel free to let me know.

    # Inputs: the admin credentials are used for the ROPC ("password") grant below.
    $AdAdminUserName = "<-your Azure ad admin username ->"
    $AdAdminPass     = "<-your Azure ad admin password ->"
    $AdAppObjId      = "<-your app obj id->"                # object id of the application, not its appId
    $AdPreAuthAppId  = "<-the app that need to be pre authed ->"
    $AdAppScopeId    = "<-your app scope id->"              # id of the oauth2PermissionScope to pre-authorize
    $tenantName      = "<-your tenant name->"

    # Request a Microsoft Graph token with the ROPC grant, using the Azure PowerShell public client id.
    $body = @{
        "grant_type" = "password";
        "resource"   = "https://graph.microsoft.com/";
        "client_id"  = "1950a258-227b-4e31-a9cf-717495945fc2";
        "username"   = $AdAdminUserName;
        "password"   = $AdAdminPass
    }

    $requrl = "https://login.microsoftonline.com/" + $tenantName + "/oauth2/token"

    $result = Invoke-RestMethod -Uri $requrl -Method POST -Body $body

    $headers = New-Object 'System.Collections.Generic.Dictionary[String,String]'
    $headers.Add("Content-Type", "application/json")
    $headers.Add("Authorization", "Bearer " + $result.access_token)

    # Body of the PATCH: one pre-authorized client with one delegated permission id.
    # Note that PATCH replaces the whole preAuthorizedApplications list.
    $preAuthBody = "{`"api`": {`"preAuthorizedApplications`": [{`"appId`": `"" + $AdPreAuthAppId + "`",`"permissionIds`": [`"" + $AdAppScopeId + "`"]}]}}"

    $requrl = "https://graph.microsoft.com/beta/applications/" + $AdAppObjId

    Invoke-RestMethod -Uri $requrl -Method PATCH -Body $preAuthBody -Headers $headers
    

    Note: ROPC is not safe, as Microsoft does not recommend using it. It also does not allow the use of MFA, which is why it is a little dangerous.

  • 2021-01-14 10:32

    To resolve the token issue I did it like this (if you have an Az subscription owner, in this case you can get a token which allows updating AAD-owned application properties without an AAD admin login and password). After az login by the subscription owner:

    # Ask the Azure CLI (already logged in) for a Microsoft Graph token; the output is JSON.
    $msGraphAccess = az account get-access-token --resource "https://graph.microsoft.com" |
        ConvertFrom-Json
    $accessToken = $msGraphAccess.accessToken

    $headers = New-Object 'System.Collections.Generic.Dictionary[String,String]'
    $headers.Add("Content-Type", "application/json")
    $headers.Add("Authorization", "Bearer " + $accessToken)
    
  • 2021-01-14 10:44

    If you want to avoid calling the Graph API directly (maybe you are in an Azure pipeline using a Service Connection and don't have access to the credentials) you can do this:

    $AppName = "<< WebApp >>"                      # display name of the app registration
    $preAuthorizedApplicationsAppId = "<<GUID>>"   # appId of the client to pre-authorize

    # Get the application and the delegated permission (scope) to pre-authorize
    $appRegistration = Get-AzureADMSApplication -Filter "displayName eq '$AppName'"
    $oauth2Permission = $appRegistration.Api.OAuth2PermissionScopes | Where-Object {$_.Value -eq $AppName -and $_.Type -eq 'Admin'}

    # Build a PreAuthorizedApplication object
    $preAuthorizedApplication = New-Object 'Microsoft.Open.MSGraph.Model.PreAuthorizedApplication'
    $preAuthorizedApplication.AppId = $preAuthorizedApplicationsAppId
    $preAuthorizedApplication.DelegatedPermissionIds = @($oauth2Permission.Id)

    # A fresh list replaces any pre-authorized applications already on the registration
    $appRegistration.Api.PreAuthorizedApplications = New-Object 'System.Collections.Generic.List[Microsoft.Open.MSGraph.Model.PreAuthorizedApplication]'
    $appRegistration.Api.PreAuthorizedApplications.Add($preAuthorizedApplication)

    # Update the Application object
    Set-AzureADMSApplication -ObjectId $appRegistration.Id -Api $appRegistration.Api
    

    This answer comes from this GitHub issue.

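As an added example (not code from any of the answers above), the following script combines the Graph PATCH of the second answer with the Azure CLI token of the third answer, and adds two things a practitioner would want that the second and fourth answers skip: it resolves the scope id from the scope's value instead of pasting a GUID, and it reads the current `preAuthorizedApplications` list before writing so that clients already pre-authorized are kept rather than overwritten (both the one-element JSON body in the second answer and the fresh `List` in the fourth answer replace the whole list). Assumptions: the `v1.0` Graph endpoint (where the property is named `delegatedPermissionIds`), an `az login` session allowed to update the application, and the placeholder values, which are hypothetical.

```powershell
# Added example, not from the original answers. Assumes: az CLI logged in as an
# account permitted to update the application; placeholders below are hypothetical.
$AppObjectId  = "<-your app object id->"               # object id of the application (not its appId)
$PreAuthAppId = "<-client appId to pre-authorize->"
$ScopeValue   = "access_as_user"                       # 'value' of the scope to expose; its id is looked up

$graph = "https://graph.microsoft.com/v1.0"

# Token from the az CLI session instead of the ROPC grant (no password in the script, MFA still works).
$token = az account get-access-token --resource "https://graph.microsoft.com" --query accessToken -o tsv
if (-not $token) { throw "az account get-access-token returned no token; run 'az login' first." }
$headers = @{ "Authorization" = "Bearer $token"; "Content-Type" = "application/json" }

# 1. Read the application so that the existing pre-authorized clients are preserved.
$app = Invoke-RestMethod -Uri "$graph/applications/$AppObjectId" -Method GET -Headers $headers

# 2. Resolve the scope id from its value; stop rather than send an id that is not an enabled scope.
$scope = $app.api.oauth2PermissionScopes | Where-Object { $_.value -eq $ScopeValue -and $_.isEnabled }
if (-not $scope) { throw "Scope '$ScopeValue' not found or disabled on application $AppObjectId" }

# 3. Merge: keep every entry for other clients, replace the entry for this client if one exists.
$others = @($app.api.preAuthorizedApplications | Where-Object { $_.appId -ne $PreAuthAppId })
$merged = $others + @(@{ appId = $PreAuthAppId; delegatedPermissionIds = @($scope.id) })

# 4. PATCH sends the complete list (a one-element list would drop the other clients).
$body = @{ api = @{ preAuthorizedApplications = $merged } } | ConvertTo-Json -Depth 10
Invoke-RestMethod -Uri "$graph/applications/$AppObjectId" -Method PATCH -Headers $headers -Body $body

# 5. Re-read and verify that the directory now holds the expected entry.
$after = Invoke-RestMethod -Uri "$graph/applications/$AppObjectId" -Method GET -Headers $headers
$entry = $after.api.preAuthorizedApplications | Where-Object { $_.appId -eq $PreAuthAppId }
if (-not $entry -or ($scope.id -notin $entry.delegatedPermissionIds)) { throw "Pre-authorization was not applied" }
$after.api.preAuthorizedApplications | Format-Table appId, delegatedPermissionIds
```

The final GET is the check worth keeping in any automation around this setting: pre-authorizing a client suppresses the consent prompt for users of that client, so the list printed at the end should contain only the appIds you expect, and a review of it is cheaper than a later surprise.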
  • 2021-01-14 10:44

    Some additions to another reply.

    Actually, in the AzureADPreview PowerShell module there is a parameter -PreAuthorizedApplications for Set-AzureADApplication. But neither the cmdlet help nor the documentation page has been updated to detail all this; it was also mentioned here.

    I am not sure whether the parameter will work or not; per my test, I always get a bad request error. Even if I call the Azure AD Graph API, I get the same error. The command Set-AzureADApplication essentially calls the Azure AD Graph API, so if the parameter works, it will also work for the API. Also, in the AAD Graph doc, there is no such property. According to the test result, the parameter seems not to work currently. (Not sure; if there is something wrong, please correct me.)
