Cannot set OAuth2Permissions for Azure Application Registration in Graph PowerShell

Time:12-13

What is the correct format for the value used for setting OAuth2Permissions in the Update-MgApplication/New-MgApplication cmdlets (to update the scopes in the "Scopes defined by this API" section of the "Expose an API" page)?

It appears from the documentation that the Oauth2PermissionScopes object needs to be set via the -Api parameter, using an IMicrosoftGraphApiApplication object that contains the Oauth2PermissionScopes object as an object/array of type IMicrosoftGraphPermissionScope[].

This is what I've tried:

$appRegName = "My App Reg"
$userConsentDisplayName = "Access $($appRegName)"
$userConsentDescription = "Allow the application to access $($appRegName) on your behalf."
$adminConsentDisplayName = "Access $($appRegName)"
$adminConsentDescription = "Allow the application to access $($appRegName) on behalf of the signed-in user."    

$oauth2PermissionsScopes = @{
    Oauth2PermissionScopes = @{
        AdminConsentDescription = $adminConsentDescription
        AdminConsentDisplayName = $adminConsentDisplayName
        UserConsentDescription  = $userConsentDescription
        UserConsentDisplayName  = $userConsentDisplayName
    }
}
$api = @{
    Api = $oauth2PermissionsScopes
}
Update-MgApplication -ApplicationId $clientAadApplication.Id -Api $api
#^Causes this error: "A resource without a type name was found, but no expected type was specified. To allow entries without type information, the expected type must also be specified when the model is specified."

$oauth2PermissionsScopes = @{
    Oauth2PermissionScopes = @{
        AdminConsentDescription = $adminConsentDescription
        AdminConsentDisplayName = $adminConsentDisplayName
        UserConsentDescription  = $userConsentDescription
        UserConsentDisplayName  = $userConsentDisplayName
    }
}
Update-MgApplication -ApplicationId $clientAadApplication.Id -Api $oauth2PermissionsParams
#^This doesn't generate an error, but nothing is set. The body of the PATCH request shows as (and generates a 204 No Content response):
#{
#  "api": {
#    "oauth2PermissionScopes": [ ]
#  }
#}

What is wrong with my format or usage of the cmdlet parameters?

CodePudding user response:

apiApplication has a property Oauth2PermissionScopes, which is an array of IMicrosoftGraphPermissionScope.

You need to build a hash table with an array:

$apiApplication = @{
    oauth2PermissionScopes = @(
        # first item
        @{
            AdminConsentDescription = $adminConsentDescription
            AdminConsentDisplayName = $adminConsentDisplayName
            UserConsentDescription  = $userConsentDescription
            UserConsentDisplayName  = $userConsentDisplayName
        }
    )
}

Update-MgApplication -ApplicationId $clientAadApplication.Id -Api $apiApplication

For validation you can run $apiApplication | ConvertTo-Json to check what the JSON will look like.

{
    "oauth2PermissionScopes": [
      {
          "UserConsentDescription":  null,
          "AdminConsentDescription":  null,
          "AdminConsentDisplayName":  null,
          "UserConsentDisplayName":  null
      }
   ]
}

Similarly for New-MgApplication:

$params = @{
    DisplayName = "My App"
    Api = @{
        Oauth2PermissionScopes = @(
            @{
                AdminConsentDescription = $adminConsentDescription
                AdminConsentDisplayName = $adminConsentDisplayName
                UserConsentDescription  = $userConsentDescription
                UserConsentDisplayName  = $userConsentDisplayName
            }
        )
    }
}

New-MgApplication -BodyParameter $params

CodePudding user response:

Correcting the format of the parameter to ensure a proper hash table (as per the answer from @user2250152) is a partial fix. The main issue when setting OAuth2 permission scopes that don't already exist in the Application Registration is the requirement to set additional properties other than the *Description and *DisplayName fields (Id, IsEnabled, Type and Value are also required):

$apiApplication = @{
    oauth2PermissionScopes = @(
        @{
            AdminConsentDescription = $adminConsentDescription
            AdminConsentDisplayName = $adminConsentDisplayName
            UserConsentDescription  = $userConsentDescription
            UserConsentDisplayName  = $userConsentDisplayName
            Id                      = New-Guid
            IsEnabled               = $true
            Type                    = "User"
            Value                   = "user_impersonation"
        }
    )
}

#$clientAadApplication variable is set 'off-script' (must use the Id of the Application Registration set to that variable from Get-MgApplication or as a result of New-MgApplication)
Update-MgApplication -ApplicationId $clientAadApplication.Id -Api $apiApplication
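Putting both answers together (the hashtable-with-array shape from the first, the required Id/IsEnabled/Type/Value properties from the second), here is an added example that is not code from the question or from either answer. It assumes the Microsoft.Graph.Applications module is installed and Connect-MgGraph has already been run with a scope such as Application.ReadWrite.All; the function names and the '<application-object-id>' placeholder are mine. It also covers a caveat neither answer mentions: a PATCH that sends api.oauth2PermissionScopes replaces the whole collection, so the existing scopes are read back and re-sent, otherwise they are silently dropped.

```powershell
# Added example, not code from the question or either answer. Assumes the
# Microsoft.Graph.Applications module is installed and Connect-MgGraph has been
# run with a scope such as Application.ReadWrite.All. Function names are mine.

function New-PermissionScopeEntry {
    # Builds one hashtable in the shape IMicrosoftGraphPermissionScope expects.
    param(
        [Parameter(Mandatory)][string]$AppDisplayName,
        [Parameter(Mandatory)][string]$Value,                  # goes into the scp claim, e.g. user_impersonation
        [ValidateSet('User', 'Admin')][string]$Type = 'User',  # 'Admin': only admins may consent to the scope
        [string]$Id = [guid]::NewGuid().ToString()
    )
    # Id, IsEnabled, Type and Value are all required for a scope that does not yet exist.
    return @{
        Id                      = $Id
        IsEnabled               = $true
        Type                    = $Type
        Value                   = $Value
        AdminConsentDisplayName = "Access $AppDisplayName"
        AdminConsentDescription = "Allow the application to access $AppDisplayName on behalf of the signed-in user."
        UserConsentDisplayName  = "Access $AppDisplayName"
        UserConsentDescription  = "Allow the application to access $AppDisplayName on your behalf."
    }
}

function Test-PermissionScopeEntry {
    # Fails fast on the mistakes that Graph otherwise reports only as a 400 or, as in
    # the question, accepts with a 204 while setting nothing.
    param([Parameter(Mandatory)][hashtable]$Scope)
    $required = 'Id', 'IsEnabled', 'Type', 'Value', 'AdminConsentDisplayName', 'AdminConsentDescription'
    $missing = @($required | Where-Object { -not $Scope.ContainsKey($_) -or $null -eq $Scope[$_] })
    if ($missing.Count -gt 0) { throw "Scope is missing required properties: $($missing -join ', ')" }
    if ($Scope.Type -notin 'User', 'Admin') { throw "Type must be 'User' or 'Admin', got '$($Scope.Type)'" }
    if ($Scope.Value -match '\s' -or $Scope.Value.Length -gt 120) {
        throw "Value must contain no whitespace and be at most 120 characters"
    }
    [void][guid]::Parse($Scope.Id)   # throws if Id is not a GUID
    return $true
}

function Set-AppPermissionScopes {
    # Adds new scopes while keeping the ones already defined. A PATCH that sends
    # api.oauth2PermissionScopes replaces the whole collection, so omitting the
    # existing scopes would delete them (and break every client that has consent to them).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ApplicationId,   # object Id of the app registration, not the client (app) Id
        [Parameter(Mandatory)][hashtable[]]$NewScopes
    )
    $app = Get-MgApplication -ApplicationId $ApplicationId
    $existing = @()
    foreach ($s in $app.Api.Oauth2PermissionScopes) {
        # Re-send every existing scope unchanged. Setting IsEnabled = $false here is
        # also the required first step before a scope can be removed in a later update.
        $existing += @{
            Id                      = $s.Id
            IsEnabled               = $s.IsEnabled
            Type                    = $s.Type
            Value                   = $s.Value
            AdminConsentDisplayName = $s.AdminConsentDisplayName
            AdminConsentDescription = $s.AdminConsentDescription
            UserConsentDisplayName  = $s.UserConsentDisplayName
            UserConsentDescription  = $s.UserConsentDescription
        }
    }
    $existingValues = @($existing | ForEach-Object { $_.Value })
    foreach ($n in $NewScopes) {
        [void](Test-PermissionScopeEntry -Scope $n)
        if ($existingValues -contains $n.Value) {
            throw "A scope with value '$($n.Value)' already exists on $ApplicationId; update it instead of adding a duplicate"
        }
    }
    $api = @{ Oauth2PermissionScopes = @($existing + $NewScopes) }
    # Inspect the exact body before sending; without -Depth the nested array is truncated in the preview.
    Write-Verbose ($api | ConvertTo-Json -Depth 5)
    Update-MgApplication -ApplicationId $ApplicationId -Api $api
}

# Usage with a placeholder object Id (constructed, not a real value):
# $scope = New-PermissionScopeEntry -AppDisplayName 'My App Reg' -Value 'user_impersonation'
# Set-AppPermissionScopes -ApplicationId '<application-object-id>' -NewScopes @($scope) -Verbose
```

Run the usage lines with -Verbose to see the JSON body before it is sent, which is the quickest way to catch the empty-array case from the question. Choosing Type = 'Admin' for a scope means only an administrator can consent to it, which is the safer default for anything that exposes more than the signed-in user's own data.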