How can I create a new Azure App Registration without the user_impersonation OAuth2Permission?

Ash

I was wondering if someone amongst the Azure gurus could clarify the behaviour of the New-AzureADApplication cmdlet. When I create an App Registration in PowerShell, it seems to add a user_impersonation scope under Expose an API > Scopes defined by this API in the GUI. When I create an App Registration in the GUI, I provide a name for it and a Redirect URI if necessary, but this user_impersonation scope is not created.

I thought that maybe it was something to do with the AzureAD module and its specific connection to Azure AD, but the behaviour is the same when using New-AzADApplication, with the exception that this cmdlet requires -IdentifierUris to be specified too - which isn't necessary for all the apps we register.

Is there any way to avoid the OAuth2Permissions being added when I create the App Registration via PowerShell?

Other things I have tried:

  • Setting -OAuth2Permissions as an empty list of the type [System.Collections.Generic.List`1[[Microsoft.Open.AzureAD.Model.OAuth2Permission, Microsoft.Open.AzureAD16.Graph.Client, Version=0.1.599.7, Culture=neutral, PublicKeyToken=null]]

  • Using Get-AzureADOAuth2PermissionGrant to try and find the permission and remove it after. It's not there.

If I cannot avoid this at creation or remove it, then please provide information on:

  • Why this permission is necessary as default.
  • Why the GUI doesn't deem it to be necessary.

Example:

Connect-AzureAD
$GraphRead = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '00000003-0000-0000-c000-000000000000'}
$RRA = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$RRA.ResourceAppId = $GraphRead.AppId
$ResAcc = New-Object -TypeName "microsoft.open.azuread.model.resourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "Scope"
$RRA.ResourceAccess = $ResAcc
$Test = New-AzureADApplication -DisplayName "PoshTest" -ReplyUrls "https://visualstudio/spn" -RequiredResourceAccess @($RRA)

Object:

$Test | FL *

DeletionTimestamp          : 
ObjectId                   : ************************************
ObjectType                 : Application
AddIns                     : {}
AppId                      : ************************************
AppRoles                   : {}
AvailableToOtherTenants    : False
DisplayName                : PoshTest
ErrorUrl                   : 
GroupMembershipClaims      : 
Homepage                   : 
IdentifierUris             : {}
KeyCredentials             : {}
KnownClientApplications    : {}
LogoutUrl                  : 
Oauth2AllowImplicitFlow    : False
Oauth2AllowUrlPathMatching : False
Oauth2Permissions          : {class OAuth2Permission {
                               AdminConsentDescription: Allow the application to access PoshTest on behalf of the 
                             signed-in user.
                               AdminConsentDisplayName: Access PoshTest
                               Id: ************************************
                               IsEnabled: True
                               Type: User
                               UserConsentDescription: Allow the application to access PoshTest on your behalf.
                               UserConsentDisplayName: Access PoshTest
                               Value: user_impersonation
                             }
                             }
Oauth2RequirePostResponse  : False
PasswordCredentials        : {}
PublicClient               : 
RecordConsentConditions    : 
ReplyUrls                  : {https://visualstudio/spn}
RequiredResourceAccess     : {class RequiredResourceAccess {
                               ResourceAppId: 00000003-0000-0000-c000-000000000000
                               ResourceAccess: 
                             System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ResourceAccess]
                             }
                             }
SamlMetadataUrl            : 

PowerShell Details

$PSVersionTable | select PSVersion,PSEdition,OS,Platform | FL *

PSVersion : 7.0.2
PSEdition : Core
OS        : Darwin 18.7.0 Darwin Kernel Version 18.7.0: Mon Apr 27 20:09:39 PDT 2020; 
            root:xnu-4903.278.35~1/RELEASE_X86_64
Platform  : Unix

Get-Module -Name AzureAD.Standard.Preview

ModuleType Version    PreRelease Name
---------- -------    ---------- ----
Script     0.1.599.7             AzureAD.Standard.Preview

Difference In GUI

[Screenshots: "Expose an API" blade for GUITest (created in the portal, no scopes) and PoshTest (created with New-AzureADApplication, user_impersonation scope present)]

Ash

I have managed to work this out so wanted to leave an appropriate breakdown of the answer for others who may also be trying to remove this permission from their App Registration.

I was on the right path with an empty [Microsoft.Open.AzureAD.Model.OAuth2Permission] list as I had explored above.

If you apply this via New-AzureADApplication when creating your app, it will have absolutely no effect.

If you apply this directly via Set-AzureADApplication after creating your new App Registration you will get an error like this:

Set-AzureADApplication: Error occurred while executing SetApplication 
Code: Request_BadRequest
Message: Property  value cannot be deleted or updated unless it is disabled first.
RequestId: ********-****-****-*****************
DateTimeStamp: Thu, 02 Jul 2020 10:11:54 GMT
Details: PropertyName  - None, PropertyErrorCode  - CannotDeleteEnabledEntitlement
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed

So the solution is to first create a new list, add the old scope to it while setting the value IsEnabled to $false.

# New Azure AD Application
Connect-AzureAD
$GraphRead = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '00000003-0000-0000-c000-000000000000'}
$RRA = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$RRA.ResourceAppId = $GraphRead.AppId
$ResAcc = New-Object -TypeName "microsoft.open.azuread.model.resourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "Scope"
$RRA.ResourceAccess = $ResAcc
$Test = New-AzureADApplication -DisplayName "PoshTest" -ReplyUrls "https://visualstudio/spn" -RequiredResourceAccess @($RRA)

# Disable the App Registration scope.
$Scopes = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]
$Scope = $Test.Oauth2Permissions | Where-Object { $_.Value -eq "user_impersonation" }
$Scope.IsEnabled = $false
$Scopes.Add($Scope)
Set-AzureADApplication -ObjectId $Test.ObjectID -Oauth2Permissions $Scopes

You can finally remove the OAuth2Permission completely by then applying an empty list to it.

$EmptyScopes = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]
Set-AzureADApplication -ObjectId $Test.ObjectID -Oauth2Permissions $EmptyScopes

Use Get-AzureADApplication to obtain the up-to-date information for the object and you should see that the OAuth2Permissions list is now empty.

$Test = Get-AzureADApplication -ObjectId $Test.ObjectID
$Test | FL *

DeletionTimestamp          : 
ObjectId                   : ********-****-****-*****************
ObjectType                 : Application
AddIns                     : {}
AppId                      : ********-****-****-*****************
AppRoles                   : {}
AvailableToOtherTenants    : False
DisplayName                : PoshTest
ErrorUrl                   : 
GroupMembershipClaims      : 
Homepage                   : 
IdentifierUris             : {}
KeyCredentials             : {}
KnownClientApplications    : {}
LogoutUrl                  : 
Oauth2AllowImplicitFlow    : False
Oauth2AllowUrlPathMatching : False
Oauth2Permissions          : {}
Oauth2RequirePostResponse  : False
PasswordCredentials        : {}
PublicClient               : 
RecordConsentConditions    : 
ReplyUrls                  : {https://visualstudio/spn}
RequiredResourceAccess     : {class RequiredResourceAccess {
                               ResourceAppId: 00000003-0000-0000-c000-000000000000
                               ResourceAccess: 
                             System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ResourceAccess]
                             }
                             }
SamlMetadataUrl            :
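As an added example (not part of the original answer), the disable-then-clear sequence above wrapped in a reusable function. It goes slightly beyond the answer: instead of writing back an empty list, it only strips the user_impersonation scope and preserves any other scopes the app exposes, and it re-reads the object afterwards to confirm the change landed. The function name Remove-DefaultUserImpersonationScope is an assumption; the cmdlets and the Microsoft.Open.AzureAD.Model.OAuth2Permission type are the ones used on this page, and an existing Connect-AzureAD session is assumed.

```powershell
# Added example, not from the original post. Assumes the AzureAD (or
# AzureAD.Standard.Preview) module is loaded and Connect-AzureAD has been run.
function Remove-DefaultUserImpersonationScope {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$ObjectId
    )

    $app = Get-AzureADApplication -ObjectId $ObjectId
    $targets = @($app.Oauth2Permissions | Where-Object { $_.Value -eq 'user_impersonation' })

    if ($targets.Count -eq 0) {
        Write-Verbose "No user_impersonation scope on '$($app.DisplayName)'; nothing to do."
        return $app
    }

    if (-not $PSCmdlet.ShouldProcess($app.DisplayName, 'Disable and remove user_impersonation scope')) {
        return $app
    }

    # Step 1: the directory refuses to delete an enabled scope
    # (CannotDeleteEnabledEntitlement), so disable the matching scope first
    # while writing back every other scope unchanged.
    $disabled = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]'
    foreach ($scope in $app.Oauth2Permissions) {
        if ($scope.Value -eq 'user_impersonation') { $scope.IsEnabled = $false }
        $disabled.Add($scope)
    }
    Set-AzureADApplication -ObjectId $ObjectId -Oauth2Permissions $disabled

    # Step 2: write back the list without the now-disabled scope. If the app
    # exposes no other scopes this is the empty list from the answer.
    $remaining = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.OAuth2Permission]'
    foreach ($scope in $disabled) {
        if ($scope.Value -ne 'user_impersonation') { $remaining.Add($scope) }
    }
    Set-AzureADApplication -ObjectId $ObjectId -Oauth2Permissions $remaining

    # Step 3: re-read from the directory and verify, rather than trusting the
    # local copy of the object.
    $app = Get-AzureADApplication -ObjectId $ObjectId
    $leftover = @($app.Oauth2Permissions | Where-Object { $_.Value -eq 'user_impersonation' })
    if ($leftover.Count -ne 0) {
        throw "user_impersonation scope still present on '$($app.DisplayName)' after update."
    }
    return $app
}

# Usage: create the app as in the answer, then strip the default scope.
# $Test = New-AzureADApplication -DisplayName 'PoshTest' -ReplyUrls 'https://visualstudio/spn'
# $Test = Remove-DefaultUserImpersonationScope -ObjectId $Test.ObjectId -Verbose
# $Test.Oauth2Permissions   # empty once the scope is gone
```

Because the function supports -WhatIf through SupportsShouldProcess, it can be dry-run against an existing registration before touching it, and the final Get-AzureADApplication read is what makes the result trustworthy: the object returned by Set-AzureADApplication is not refreshed, which is why the answer also re-reads it.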
