I was wondering if someone amongst the Azure gurus could clarify the behaviour of the New-AzureADApplication
. When I create a App Registration in PowerShell, it seems to add a user_impersonation
under Expose and API > Scopes defined by this API
in the GUI. When I create an App Registration in the GUI, I provide a name for it and a Redirect URI if necessary, but this user_impersonation
scope is not created.
I thought that maybe it was something to do with the AzureAD
module and it's specific connection to Azure AD, but the behaviour is the same when using New-AzADApplication
, with the exception that this cmdlet requires -IdentifierUris
to be specified too - which isn't necessary for all the apps we register.
Is there anyway to avoid the OAuth2Permissions
being added when I create the App Registration via PowerShell?
Other things I have tried:
Setting -OAuth2Permissions
as an empty list of the type [System.Collections.Generic.List`1[[Microsoft.Open.AzureAD.Model.OAuth2Permission, Microsoft.Open.AzureAD16.Graph.Client, Version=0.1.599.7, Culture=neutral, PublicKeyToken=null]]
Using Get-AzureADOAuth2PermissionGrant
to try and find the permission and remove it after. It's not there.
If I cannot avoid this at creation or remove it, then please provide information on:
Example:
Connect-AzureAD
$GraphRead = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '00000003-0000-0000-c000-000000000000'}
$RRA = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$RRA.ResourceAppId = $GraphRead.AppId
$ResAcc = New-Object -TypeName "microsoft.open.azuread.model.resourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "Scope"
$RRA.ResourceAccess = $ResAcc
$Test = New-AzureADApplication -DisplayName "PoshTest" -ReplyUrls "https://visualstudio/spn" -RequiredResourceAccess @($RRA)
Object:
$Test | FL *
DeletionTimestamp :
ObjectId : ************************************
ObjectType : Application
AddIns : {}
AppId : ************************************
AppRoles : {}
AvailableToOtherTenants : False
DisplayName : PoshTest
ErrorUrl :
GroupMembershipClaims :
Homepage :
IdentifierUris : {}
KeyCredentials : {}
KnownClientApplications : {}
LogoutUrl :
Oauth2AllowImplicitFlow : False
Oauth2AllowUrlPathMatching : False
Oauth2Permissions : {class OAuth2Permission {
AdminConsentDescription: Allow the application to access PoshTest on behalf of the
signed-in user.
AdminConsentDisplayName: Access PoshTest
Id: ************************************
IsEnabled: True
Type: User
UserConsentDescription: Allow the application to access PoshTest on your behalf.
UserConsentDisplayName: Access PoshTest
Value: user_impersonation
}
}
Oauth2RequirePostResponse : False
PasswordCredentials : {}
PublicClient :
RecordConsentConditions :
ReplyUrls : {https://visualstudio/spn}
RequiredResourceAccess : {class RequiredResourceAccess {
ResourceAppId: 00000003-0000-0000-c000-000000000000
ResourceAccess:
System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ResourceAccess]
}
}
SamlMetadataUrl :
PowerShell Details
$PSVersionTable | select PSVersion,PSEdition,OS,Platform | FL *
PSVersion : 7.0.2
PSEdition : Core
OS : Darwin 18.7.0 Darwin Kernel Version 18.7.0: Mon Apr 27 20:09:39 PDT 2020;
root:xnu-4903.278.35~1/RELEASE_X86_64
Platform : Unix
Get-Module -Name AzureAD.Standard.Preview
ModuleType Version PreRelease Name
---------- ------- ---------- ----
Script 0.1.599.7 AzureAD.Standard.Preview
Difference In GUI
I have managed to work this out so wanted to leave an appropriate breakdown of the answer for others who may also be trying to remove this permission from their App Registration.
I was on the right path with an empty [Microsoft.Open.AzureAD.Model.OAuth2Permission]
list as I had explored above.
If you apply this via New-AzureADApplication
when creating your app, it will have absolutely no effect.
If you apply this directly via Set-AzureADApplication
after creating your new App Registration you will get an error like this:
Set-AzureADApplication: Error occurred while executing SetApplication
Code: Request_BadRequest
Message: Property value cannot be deleted or updated unless it is disabled first.
RequestId: ********-****-****-*****************
DateTimeStamp: Thu, 02 Jul 2020 10:11:54 GMT
Details: PropertyName - None, PropertyErrorCode - CannotDeleteEnabledEntitlement
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
So the solution is to first create a new list, add the old scope to it while setting the value IsEnabled
to $false
.
# New Azure AD Application
Connect-AzureAD
$GraphRead = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '00000003-0000-0000-c000-000000000000'}
$RRA = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$RRA.ResourceAppId = $GraphRead.AppId
$ResAcc = New-Object -TypeName "microsoft.open.azuread.model.resourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "Scope"
$RRA.ResourceAccess = $ResAcc
$Test = New-AzureADApplication -DisplayName "PoshTest" -ReplyUrls "https://visualstudio/spn" -RequiredResourceAccess @($RRA)
# Disable the App Registration scope.
$Scopes = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]
$Scope = $Test.Oauth2Permissions | Where-Object { $_.Value -eq "user_impersonation" }
$Scope.IsEnabled = $false
$Scopes.Add($Scope)
Set-AzureADApplication -ObjectId $Test.ObjectID -Oauth2Permissions $Scopes
You can finally remove the OAuth2Permssion
completely by then applying an empty list to it.
$EmptyScopes = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]
Set-AzureADApplication -ObjectId $Test.ObjectID -Oauth2Permissions $EmptyScopes
Use Get-AzureADApplication
to obtain the up-to-date information for the object and you should see that the OAuth2Permissions
list is now empty.
$Test = Get-AzureADApplication -ObjectId $Test.ObjectID
$Test | FL *
DeletionTimestamp :
ObjectId : ********-****-****-*****************
ObjectType : Application
AddIns : {}
AppId : ********-****-****-*****************
AppRoles : {}
AvailableToOtherTenants : False
DisplayName : PoshTest
ErrorUrl :
GroupMembershipClaims :
Homepage :
IdentifierUris : {}
KeyCredentials : {}
KnownClientApplications : {}
LogoutUrl :
Oauth2AllowImplicitFlow : False
Oauth2AllowUrlPathMatching : False
Oauth2Permissions : {}
Oauth2RequirePostResponse : False
PasswordCredentials : {}
PublicClient :
RecordConsentConditions :
ReplyUrls : {https://visualstudio/spn}
RequiredResourceAccess : {class RequiredResourceAccess {
ResourceAppId: 00000003-0000-0000-c000-000000000000
ResourceAccess:
System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ResourceAccess]
}
}
SamlMetadataUrl :
Collected from the Internet
Please contact [email protected] to delete if infringement.
Comments