Removing an AppRole from an Application’s manifest produces a 400 Bad Request with the error
Property value cannot be deleted unless it is disabled first.
When I set the isEnabled property to false and then hit save, I get a successful save with a 200 OK looking at the browser's developer tools:
After reloading the Edit manifest screen the isEnabled property is still true, and if you look at the PUT response in the browser's developer tools, it's coming back as true there too.
How can I remove an appRole without having to delete and recreate the entire application?
Update
I've raised the following bug.
This bug is fixed now. All you have to do is set isEnabled to false and save. Then you can delete the role and save again. A Work-around is not necessary.
To Delete the Application Role:
Go to application Manifest.
For the app role you want to delete, change the value of isEnabled to false.
Save the manifest.
Delete that app role.
Save it again.
Until this gets fixed, there are two options to work around this issue:
Using Azure AD PowerShell, you can disable and then remove the app role. Here's a sample script that would achieve this:
$appId = "83d7d56d-6e64-4791-b8e8-9a8da8dd957e"
$appRoleValue = "app-role-value" # i.e. the scope
Connect-AzureAD
# Disable the AppRole
$app = Get-AzureADApplication -Filter "appId eq '$appId'"
($app.AppRoles | Where-Object { $_.Value -eq $appRoleValue }).IsEnabled = $false
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $app.AppRoles
# Remove the AppRole
$toRemove = $app.AppRoles | Where-Object { $_.Value -eq $appRoleValue }
$app.AppRoles.Remove($toRemove) | Out-Null
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $app.AppRoles
An alternative option is to use the Azure AD Graph Explorer and issue two PATCH requests on the Application object. The first PATCH request should set the app role's isEnabled attribute to false. The second PATCH request can then remove the app role (i.e. include all existing app roles except the disabled one).
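The two-PATCH sequence described above, written out as an added example (not code from the answer), against Microsoft Graph rather than the retired Azure AD Graph endpoint. It assumes the Microsoft.Graph PowerShell module; the application object id and role value are placeholders. Because the original question was that the disable did not persist, the script re-reads the role after the first PATCH and refuses to delete until the service actually reports isEnabled as false.

```powershell
# Added example: disable an app role, confirm it persisted, then remove it.
# Assumes the Microsoft.Graph module (Connect-MgGraph / Invoke-MgGraphRequest).
# $appObjectId is the application's OBJECT id (not its appId / client id);
# both values below are placeholders.
$appObjectId  = "<application-object-id>"
$appRoleValue = "app-role-value"
$uri       = "https://graph.microsoft.com/v1.0/applications/$appObjectId"
$selectUri = $uri + '?$select=appRoles'

Connect-MgGraph -Scopes "Application.ReadWrite.All"

# PATCH replaces the whole appRoles array, so fetch the current one first
$roles  = @((Invoke-MgGraphRequest -Method GET -Uri $selectUri).appRoles)
$target = $roles | Where-Object { $_.value -eq $appRoleValue }
if (-not $target) { throw "No app role with value '$appRoleValue' on $appObjectId" }

# Step 1: disable the role in place and send the full array back
$target.isEnabled = $false
Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType "application/json" `
    -Body (@{ appRoles = $roles } | ConvertTo-Json -Depth 10)

# Re-read before deleting: the question above was exactly that the save "succeeded"
# with a 200 but the role came back enabled.
$check = (Invoke-MgGraphRequest -Method GET -Uri $selectUri).appRoles |
    Where-Object { $_.value -eq $appRoleValue }
if ($check.isEnabled) { throw "Role '$appRoleValue' is still enabled server-side; not deleting" }

# Step 2: send the array without the disabled role
$remaining = @($roles | Where-Object { $_.value -ne $appRoleValue })
Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType "application/json" `
    -Body (@{ appRoles = $remaining } | ConvertTo-Json -Depth 10)
```

Sending the complete array on both PATCH requests matters: any existing role omitted from the array is removed, so the script only ever filters out the one role it has just verified as disabled.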
It seems to be a bug in the new portal. The save operation doesn't save isEnabled as false on the server side. You could post any feedback here.
Currently, you could use the Azure AD classic portal to modify the app roles in the manifest (download the manifest and then upload the changed manifest). Deleting app roles in the classic portal works fine in my environment. Please let me know if it helps.
I have had the same error message Property value cannot be deleted unless it is disabled first. because I had created the scope on one page and tried to add it manually in the Manifest on another web page. Little did I know the manifest was updated automatically and I just needed to reload it.
You cannot delete assigned roles which are enabled; you first have to set the flag isEnabled to false and save the manifest for the roles which you want to delete, like this --> "isEnabled": false in the manifest, and then try to delete the whole appRoles part.
This is a two-step process but works.
Navigate to your Application
Go to App Roles
Click on the app role display name
Untick the checkbox to disable the Role
Go back to the manifest and make changes to the appRoles section as you need
Save and it should be updated
Related
I am updating all employees in Azure AD fields to have the same data from bamboo HR
but when I try to update the mobile phone it shows me an error. Does anyone have a solution?
I tried this code to update the job title and display name and it works
Update-AzADUser -UPNOrObjectId $UserPrincipalName -JobTitle $jobTitle
but there is nothing called -Mobilephone
That field does seem to be missing as an option on Update-AzADUser but there is a -Mobile parameter on Set-AzureADUser from the AzureAD module. Once you have that installed, try:
Set-AzureADUser -ObjectId $UserPrincipalName -JobTitle $jobTitle -Mobile $Mobile
-- https://learn.microsoft.com/en-us/powershell/module/azuread/set-azureaduser?view=azureadps-2.0
I've written a PowerShell script that allows me to query Azure for my Azure AD policies like this:
Connect-AzureAD
$currentpolicy = Get-AzureADPolicy -All $true | ?{$_.Type -eq 'B2BManagementPolicy'} | select -First 1
$currentpolicy
$newPolicyValue = @("{`"B2BManagementPolicy`":{`"InvitationsAllowedAndBlockedDomainsPolicy`":{`"AllowedDomains`": [`"a.com`",`"b.org`",`"c.org`",`"d.com`"],`"BlockedDomains`": []}}}")
#update existing. This works. tested.
Set-AzureADPolicy -Definition $newPolicyValue -Id $currentpolicy.Id
This works because I'm signing in with an account that's got "owner" / global admin permissions. Now we want to try to figure out the specific permissions that are needed and just assign those to a new AD app registration.
I've created a service principal with a cert, and I changed my code like this:
Connect-AzureAD -TenantId $tid -ApplicationId $appid -CertificateThumbprint $thumb
$currentpolicy = Get-AzureADPolicy -All $true | ?{$_.Type -eq 'B2BManagementPolicy'} | select -First 1
$currentpolicy
I didn't add any specific permissions yet, and so when I run my script, I see the following error:
Get-AzureADPolicy : Error occurred while executing GetPolicies
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
InnerError:
RequestId: d88cd5d5-f8c9-4a4d-928b-986e0d5c25eb
DateTimeStamp: Thu, 16 Jun 2022 19:06:45 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At C:\Users\me\Documents\src\test\setPolicy.ps1:4 char:18
+ $currentpolicy = Get-AzureADPolicy -All $true | ?{$_.Type -eq 'B2BMan ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-AzureADPolicy], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.MSGraphBeta.Client.ApiException,Microsoft.Open.MSGraphBeta.PowerShell.GetPolicy
Ideally, we want to use MS Graph permissions to do this. So I've been poking around in Azure, under the "API Permissions" for this application registration, but so far I haven't figured out which permission I need to add.
PS I know that the AzureADPreview and AzureAD is going away. But so far, it's the only way that I can automate these tasks. I have another stack question open about how to get this entire thing working via Graph
EDIT 1
I've tried the following permissions and none of them work so far...
EDIT 2
I've granted Policy.Read.All and now I can read the policies. Now it fails trying to update the existing policy.
It'd be nice to know specifically which read permission is needed so I don't have to grant all.
As far as write permissions, I've granted everything that comes up when I search for "policy" but none of them allow me to write!
EDIT 3
I've added Policy.ReadWrite.ApplicationConfiguration but that doesn't allow me to write. I'm still getting the insufficient privileges error when I try to call Set-AzureADPolicy.
I don't know if you have found an answer, but as this is one of the first results that came up, I will add my findings.
I could get nowhere from giving specific permissions to the Service Principal but adding the Security Administrator role to the app did the trick. I didn't want to give the service principal so much access, but I tried a lot of roles and permission combinations, and none were sufficient.
Apparently, the documentation states that the least privileged role that is able to configure B2B external collaboration settings is the Global Administrator. Although for this case specifically, of changing the B2BManagementPolicy via PowerShell with a service principal, the Security Administrator role was enough in my testing.
Looking at the actions that this role can perform I suspect it's because it has access to microsoft.directory/policies/basic/update, but I can't be sure.
Note: When adding a role to an App registration in Azure AD you need to search for its name when selecting the members, as they don't show by default.
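The role assignment the answer above describes, as an added example (not the answerer's script) using the AzureAD module. It activates the directory role from its template if the tenant has never used it, adds the app registration's service principal as a member, and lists the members afterwards so the grant is visible and reviewable. The application id is a placeholder.

```powershell
# Added example: grant a directory role to an app registration's service principal
# and confirm who holds that role. Assumes the AzureAD module; $appId is a placeholder.
$appId    = "<application-client-id>"
$roleName = "Security Administrator"   # the role the answer above found sufficient

Connect-AzureAD

$sp = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal found for appId $appId" }

# Directory roles only exist once activated from their template
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $roleName }
if (-not $role) {
    $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $roleName }
    if (-not $template) { throw "No role template named '$roleName'" }
    $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
}

# Idempotent: skip the add if the principal is already a member
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
if ($members.ObjectId -contains $sp.ObjectId) {
    Write-Output "$($sp.DisplayName) already holds '$roleName'"
} else {
    Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
    Write-Output "Added $($sp.DisplayName) to '$roleName'"
}

# Record every holder of the role so the extra standing privilege is reviewable
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
    Select-Object DisplayName, ObjectId, ObjectType
```

The final listing is the part worth keeping in a change record: a service principal with a tenant-wide administrator role is standing privilege that should be reviewed alongside the human members of the same role.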
Thanks for reaching out. With read access you will only be able to get the data; if you want to add or update you should have write permission as well, so please add the permission Policy.ReadWrite.ApplicationConfiguration and try again.
ref doc - https://learn.microsoft.com/en-us/graph/api/tenantappmanagementpolicy-update?view=graph-rest-beta&tabs=http
Edit 2
Update policy is available for PowerShell 2.0 preview
To update you need to use
Set-AzureADPolicy -ObjectId -DisplayName
To learn more about Set-AzureADPolicy, please checkout - https://learn.microsoft.com/en-us/powershell/module/azuread/set-azureadpolicy?view=azureadps-2.0-preview&viewFallbackFrom=azureadps-2.0
Thanks
I am working on a project that provisions users into Azure B2C via Azure Graph API calls, and we got a requirement to disable the users if they are terminated from the company. The termination date can be anything (past/present/future). If I know the termination date, can I disable that particular user from the B2C instance using the termination date?
I'm not clear what you mean by "disable":
You can DELETE a B2C principal at any time.
You can also delete a B2C principal at a pre-determined time. For example, by running a script that invokes an Azure Graph API call.
Alternatively, you can retain the principal, but block signin. There are several ways to do this. For example:
MSDN: Disable user sign-ins for an enterprise app in Azure Active Directory
PowerShell script:
# The AppId of the app to be disabled
$appId = "{AppId}"
# Check if a service principal already exists for the app
$servicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if ($servicePrincipal) {
    # Service principal exists already, disable it
    Set-AzureADServicePrincipal -ObjectId $servicePrincipal.ObjectId -AccountEnabled $false
} else {
    # Service principal does not yet exist, create it and disable it at the same time
    $servicePrincipal = New-AzureADServicePrincipal -AppId $appId -AccountEnabled $false
}
Just to expand @paulms4's answer:
You can disable the user by setting:
"accountEnabled": false,
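Putting the two answers together as an added example (not code from either answer): a script meant to run on a schedule that disables each user whose termination date has arrived, leaves future-dated users alone, and also revokes the user's refresh tokens, since setting accountEnabled to false blocks new sign-ins but does not end sessions that already hold tokens. It assumes the AzureAD module connected to the B2C tenant; the object ids and dates are constructed sample input.

```powershell
# Added example: disable terminated B2C users once their termination date is reached.
# Assumes the AzureAD module; tenant name, object ids and dates are placeholders.
Connect-AzureAD -TenantId "<b2c-tenant>.onmicrosoft.com"

# Constructed sample feed: user objectId -> termination date (ISO 8601)
$terminations = @{
    "00000000-0000-0000-0000-000000000001" = "2019-03-31"   # past: disable now
    "00000000-0000-0000-0000-000000000002" = "2099-12-31"   # future: leave enabled
}

$today = (Get-Date).Date
foreach ($entry in $terminations.GetEnumerator()) {
    $objectId = $entry.Key
    $termDate = ([datetime]$entry.Value).Date

    if ($termDate -gt $today) {
        Write-Output "$objectId terminates on $($termDate.ToShortDateString()); no action yet"
        continue
    }

    $user = Get-AzureADUser -ObjectId $objectId
    if (-not $user.AccountEnabled) {
        Write-Output "$objectId is already disabled"
        continue
    }

    # Block sign-in: this is the accountEnabled = false from the answer above
    Set-AzureADUser -ObjectId $objectId -AccountEnabled $false

    # Existing refresh tokens would otherwise keep issuing access tokens; revoke them
    Revoke-AzureADUserAllRefreshToken -ObjectId $objectId

    Write-Output "$objectId disabled (terminated $($termDate.ToShortDateString()))"
}
```

Running this daily from a scheduled job covers past, present and future dates with one code path: a future date simply falls through untouched until the day it is reached.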
Trying to get a Logic App to get email message details via Graph API because the O365 Outlook Connector does not provide the output I need but Graph API does (Internet message headers).
The Outlook connector creates an API Connection for authentication and that works great.
To call Graph API I am using the HTTP action and it supports Managed Identity, so I'm wondering:
Can I grant permission such that the Managed Identity can read a certain mailbox?
Can the HTTP action use an API Connection (similar to what the Outlook connector does)?
1.Can I grant permission such that the Managed Identity can read a certain mailbox?
The managed identity is a service principal, which we can check, along with its permissions, in the Azure portal -> Azure Active Directory -> Enterprise applications. But we could not add new permissions there, so we need to create a new AD App in the App registrations, add credentials to your app, then grant the Mail.Read application permission of Microsoft Graph API, refer to this link. The permission is to call this api List messages (I suppose you want to use this api, if not, just follow the doc to find the application permission, add it.) At last, don't forget to click the Grant admin consent button.
In the logic app, use Active Directory OAuth for Authentication, https://graph.microsoft.com/ for Audience, and specify the URL, Client id, secret, etc. which are needed to call the MS graph api. xxx@microsoft.com is the user principal name, also the mailbox address. I am not sure I understand the read a certain mailbox in your question correctly enough; if you mean you want to grant the permission just for only one mailbox, I will say there is no such permission in Microsoft graph.
2.Can the HTTP action use an API Connection (similar to what the Outlook connector does)?
There is no pre-built connector for the http action; you could try the Custom connectors in Logic Apps.
There is a way to add that application role permission to the Managed Identity. It is not possible to do that using the Azure Portal. You can verify in the Azure Portal that the steps below worked though. This method saves you creating a principal yourself and removes the need for client id/secret bookkeeping.
When you use Powershell, it is possible to add the Mail.Read application role permission to a managed identity, be it a system managed or user managed identity. There are other ways of performing the same steps, e.g. Azure CLI. But below is what I know works and have used.
The steps are usable for any identity and application with assignable app roles. So you can also add SharePoint permissions to list sites, open an Excel sheet. But keep in mind that the Microsoft app roles are mostly all or nothing. It breaks the principle of least privileged permissions.
I would love to know a generic way to avoid breaking the principle.
To assign an app role permission to a managed identity we need to know a couple of things:
the id of...
...the managed identity (e.g. "logic-app-identity")
...the application that has the application role (e.g. "Microsoft Graph")
...the id of the application role to assign to the managed identity (e.g. "Mail.Read")
And then we can assign the app role to the managed identity.
Set up some variables for readability
$managed_identity_name = "logic-app-identity"
$application_with_the_required_role_name = "Microsoft Graph"
$application_role_to_assign_name = "Mail.Read"
Use AzureAD module and login.
Use the AzureAd module from here
Import-Module AzureAd
Connect-AzureAd #shows popup to login
1. Get the managed identity id
# filter first server side, and in case of multiple results, the where ensures a single result
# -All is necessary because a managed identity is a sort of service principal
$managed_identity_id = (Get-AzureADServicePrincipal -All $true -SearchString $managed_identity_name | where DisplayName -eq $managed_identity_name).ObjectId
2. Get the application with the requested application roles
# -SearchString on "Microsoft Graph" returns two results, therefore the where clause to ensure a single result
# storing the returned object, because it contains the approles array
$application_with_the_required_role = (Get-AzureADServicePrincipal -SearchString "Microsoft Graph" | where DisplayName -eq "Microsoft Graph")
# fun fact: the ObjectId of the "Microsoft Graph" application is always: 94d0e336-e38a-4bfc-9b21-8fbb74b6b835
$application_with_the_required_role_id = $application_with_the_required_role.ObjectId
3. Get the application role id to assign to the managed identity
# the required id is now simply called Id
# fun fact: the ObjectId of the "Mail.Read" app role is always: 810c84a8-4a9e-49e6-bf7d-12d183f40d01
$application_role_to_assign_id = ($application_with_the_required_role.AppRoles | where Value -eq $application_role_to_assign_name).Id
Assign the app role to the managed identity
New-AzureADServiceAppRoleAssignment -ObjectId $managed_identity_id -PrincipalId $managed_identity_id -ResourceId $application_with_the_required_role_id -Id $application_role_to_assign_id
BONUS: verify-ish the assignment
# should list the assigned application to the identity, dig further for the specific app role
# (I don't know how :S)
Get-AzureADServiceAppRoleAssignedTo -ObjectId $managed_identity_id | fl
# and the other way around to list the identities assigned to the application
Get-AzureADServiceAppRoleAssignment -ObjectId $application_with_the_required_role_id | fl
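The "dig further for the specific app role" step the answer leaves open, as an added example (not the answerer's code): each assignment returned for the identity carries the resource's object id and the role id, so resolving the id against that resource's AppRoles array gives the human-readable role name. This is the list you would want when auditing what a managed identity can actually call. It assumes the AzureAD module and a service principal object id (placeholder below, or the `$managed_identity_id` variable from the answer).

```powershell
# Added example: list the app roles a service principal / managed identity holds by name.
# Assumes the AzureAD module; the object id is a placeholder.
$managed_identity_id = "<service-principal-object-id>"

Get-AzureADServiceAppRoleAssignedTo -ObjectId $managed_identity_id | ForEach-Object {
    $assignment = $_          # keep a reference; $_ is rebound inside Where-Object below

    # ResourceId is the object id of the API that owns the role (e.g. Microsoft Graph)
    $resource = Get-AzureADServicePrincipal -ObjectId $assignment.ResourceId

    # The assignment's Id is the AppRole Id inside that resource's AppRoles array
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.Id }

    [pscustomobject]@{
        Resource   = $resource.DisplayName
        Role       = if ($role) { $role.Value } else { "(default access, no app role)" }
        RoleId     = $assignment.Id
        IsEnabled  = if ($role) { $role.IsEnabled } else { $null }
        AssignedOn = $assignment.CreationTimestamp
    }
} | Sort-Object Resource, Role | Format-Table -AutoSize
```

An all-zero role id appears when a principal was assigned to a resource without a specific app role; the table marks that case instead of failing on a null lookup, so a run over every service principal in the tenant can be used as a periodic inventory of application-permission grants.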
I have an existing B2C app that I want to give graph access to.
I set this up previously but now want to replicate it, but everything I can find is for new apps. I used the older graph but I think the article I used has been moved, as everything is talking about the new Graph API.
Is there a specific article for this, also if anyone has seen an article that describes the process from moving from Azure graph to Microsoft Graph (the new version) for a B2C app that would be great
Thanks
Register the application for the Graph API
In addition to registering the application in the B2C directory,
we must also create an application registration for the graph API.
The three key/id values you will need are the tenantId, ObjectId,
and AppPrincipalId.
To get the tenantId, log into the azure ad b2c directory in the new portal.
https://portal.azure.com/
Be sure you have the correct directory selected after you login
(top right corner).
Click on the help button (a question mark inside a circle) near the
top right corner of the page. In the menu that appears, click the
"Show diagnostics" option. This will display a JSON formatted output in
a new popup/window. Look for the "tenants" array and find the entry
with the display name of the directory you wish to register with the
application. The "id" attribute of that entry is the tenantId.
Example:
{
"clientSessionStartDate": {
//stuff will be here ...
},
//
// more shtuff you don't care about will be here ...
//
"tenants": [
{
"id": "SomeUUIDwithlike36charactersSometime",
"domainName": "yourtenantname.onmicrosoft.com",
"displayName": "displanynameoftenant",
"isSignedInTenant": true
},
// ... snippity lemon
]
// ... snip some more
}
You will also need a unique application Secret and AppPrincipalId to be
generated for the new application.
Also, to set the correct permissions for the application, you will need
its "ObjectId".
The process for registering the application and generating those values
is more complicated, and requires a special module for PowerShell
and the online login module to be downloaded and installed.
Also, be sure you have the latest version of PowerShell installed for
your system, or you will not be able to use the azure module.
Sign-In assistant: https://www.microsoft.com/en-us/download/details.aspx?id=41950
Azure AD PowerShell Module: http://go.microsoft.com/fwlink/p/?linkid=236297
Create the application registration with PowerShell
This next section is an almost verbatim copy-paste of the documentation.
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/
After you install the PowerShell module, open PowerShell and connect to
your B2C tenant.
> $msolcred = Get-Credential
After you run Get-Credential, you will be prompted for
a user name and password, Enter the user name and password
of your B2C tenant administrator account.
> Connect-MsolService -credential $msolcred
Before you create your application, you need to generate a new client
secret. Your application will use the client secret to authenticate to
Azure AD and to acquire access tokens. You can generate a valid secret
in PowerShell:
> $bytes = New-Object Byte[] 32
> $rand = [System.Security.Cryptography.RandomNumberGenerator]::Create()
> $rand.GetBytes($bytes)
> $rand.Dispose()
> $newClientSecret = [System.Convert]::ToBase64String($bytes)
> $newClientSecret
The final command should print your new client secret. Copy it somewhere safe. You'll need it later. Now you can create your application by providing the new client secret as a credential for the app:
> New-MsolServicePrincipal -DisplayName "My New B2C Graph API App" -Type password -Value $newClientSecret
Example output:
DisplayName : My New B2C Graph API App
ServicePrincipalNames : {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
ObjectId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
AppPrincipalId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
TrustedForDelegation : False
AccountEnabled : True
Addresses : {}
KeyType : Password
KeyId : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
StartDate : 1/1/2017 1:33:09 AM
EndDate : 1/1/2017 1:33:09 AM
Usage : Verify
If you successfully create the application, it should print out
properties of the application like the ones above, but with a mix of alpha-numeric characters. You'll need both
ObjectId and AppPrincipalId, so copy those values, too.
You will also need the tenant ID of the B2C directory.
After you create an application in your B2C tenant, you need to assign
it the permissions it needs to perform user CRUD operations. Assign the
application three roles: directory readers (to read users), directory
writers (to create and update users), and a user account administrator
(to delete users). These roles have well-known identifiers, so you can
replace the -RoleMemberObjectId parameter with ObjectId from above and
run the following commands. To see the list of all directory roles,
try running Get-MsolRole.
> Add-MsolRoleMember -RoleObjectId 88d8e3e3-8f55-4a1e-953a-9b9898b8876b -RoleMemberObjectId <Your-ObjectId> -RoleMemberType servicePrincipal
> Add-MsolRoleMember -RoleObjectId 9360feb5-f418-4baa-8175-e2a00bac4301 -RoleMemberObjectId <Your-ObjectId> -RoleMemberType servicePrincipal
> Add-MsolRoleMember -RoleObjectId fe930be7-5e62-47db-91af-98c3a49a38b1 -RoleMemberObjectId <Your-ObjectId> -RoleMemberType servicePrincipal
You now have an application that has permission to create, read,
update, and delete users from your B2C tenant.
I totally forgot this great answer exists and this is how you do it
Authorize By Group in Azure Active Directory B2C