Help with Azure App Registration through PowerShell and specific grant consent as delegated admin
I am using a PowerShell script to create an Azure app registration to give API access to an app.
Everything works great, but I cannot grant consent from my script as a delegated admin. If I log onto the tenant's Azure portal and manually click consent, things work.
Bits of my script:
Import-Module AzureAD
# Here I use my own company account, to log in as delegated admin on the tenant's Azure AD
Connect-AzureAD -TenantId $tenantId
...creating the app, giving the various permissions etc...
# Trying to open a browser to grant consent:
$consentURL = "https://login.microsoftonline.com/$tenantId/adminconsent?client_id=$($appObject.AppId)"
Start-Process $consentURL
That gives me this error (in the opened browser page):
Sorry, but we’re having trouble signing you in.
AADSTS90099: The application id and name has not been authorized in the tenant tenantid. Applications must be authorized to access the customer tenant before partner delegated administrators can use them.
How can I grant consent using PowerShell?
Thanks
Hi Mads,
I'm slightly confused. Are you trying to grant Consent non-interactively (by script only, without having to click any buttons)? I'm not sure that is possible with PowerShell. But you may be able to do it with the Azure CLI, which you can install alongside PowerShell and call from PowerShell. The command would be like:
az ad app permission admin-consent --id $($appObject.AppId)
I have not tried this so I don't know if it works. You'll need to log into the tenant (unless you have Delegated Permissions from your tenant) using az login first. Care must be taken when passing parameters from PowerShell to non-PowerShell commands. Sometimes you need to use Invoke-Command, or the '--%' trick.
OR: are you just trying to generate the Consent URL and open it in a browser so you can easily click Consent? In that case, the problem is probably that Start-Process just opens the $consentURL in your default browser, which is probably logged in to your tenant as you. It sounds like you need to log into a Customer's Tenant as a Customer Admin and grant Consent as the Customer. So you need the URL to open in an Incognito window, so you can log in as the Customer, not as yourself. You could copy the URL to the clipboard ($consentURL | clip) and then paste that into an Incognito window (or a new browser). OR, instead of Start-Process, be explicit and call, for example, Chrome with -incognito (chrome.exe -incognito), like:
& "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" -incognito $consentURL
Also, have you confirmed that the generated URL is correct? Does it work if you log into the Client Tenant and paste in the URL?
--Saul
Hi,
I am trying to do it by script only. But the consent URL was the only possibility I could find.
Would the Azure CLI also be possible to run as a delegated admin?
Could I use my script as it is today and only use the Azure CLI to grant consent within the same script?
Hi @MadsW ,
Unfortunately I don't think so - not in the way I believe you are trying to do things.
You certainly CAN use Azure CLI in PowerShell scripts, even with AzureAD/Az PowerShell module cmdlets -- BUT you need to pass plain text to the Azure CLI (it doesn't use objects, or where it does it expects JSON)... AND you will need to log into Azure CLI separately. This isn't a big deal (for day-to-day command-line usage, you'd just have to type your password twice, for example) -- but it doesn't look like the Azure CLI az login supports any Delegated options. There's a --federated-token option that may work; you'd have to try (assuming you have previously generated and acquired an AccessToken from a RefreshToken).
But ultimately: I think what you're trying to do isn't possible, it sounds like you want to run a script that will create an App in each Customer Tenant AND grant Consent for that App. As far as I know the Consent process is supposed to be interactive: it's so a person can Consent to what the App will be able to do on their behalf. It's a one-time process that says "I consent to this App acting as me". If it could be done all silently then that would be much more risky since a bad-actor could convince you to run a single script that would be able to act on your behalf with full control.
I could be wrong, maybe it's possible. But every Consent I have done has been like the URL example: it pops up and you need to log in as the person granting the Consent and click "Consent" for it to work. It's never been fully automated. Sorry if I'm misinterpreting what you're trying to do.
--Saul
Hi @sansbacher,
Thank you for the great feedback!
Since I am running things as a delegated admin, I'll keep my script the way it is. The only change is that I'll change the consent URL to open the tenant's Azure portal, directly on the app registration. Then I can click grant consent in that window manually.
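The two routes discussed in this thread (Saul's suggestion of `az ad app permission admin-consent` or a consent URL opened in a private browser window, and the portal deep link Mads settled on), as an added PowerShell example that is not code from the thread. It assumes placeholder tenant and app IDs, the default install paths of Chrome, Edge and Firefox, and a portal blade path that should be compared with the URL your own portal shows for the app's API permissions page; the function names are hypothetical. It does not change what the consent endpoint answers: whether the sign-in is accepted (or AADSTS90099 comes back) still depends on the tenant, which is why the portal link is built as the fallback.

```powershell
# Added example, not from the thread. Assumptions are marked in comments.
# Builds the admin-consent URL for an app registration, launches it in a private
# browser window so the customer admin (not your already-signed-in account) signs in,
# tries the Azure CLI route first when the CLI is present, and can build a portal
# deep link to the app registration instead.

function New-AdminConsentUrl {
    param(
        [Parameter(Mandatory)] [string]$TenantId,      # customer tenant GUID or verified domain
        [Parameter(Mandatory)] [string]$AppId,         # client_id of the app registration
        [string]$RedirectUri,                          # if given, must match a reply URL registered on the app
        [string]$State = [guid]::NewGuid().ToString()  # lets the caller correlate the returned response
    )
    # Every query value is URL-encoded; an unencoded value is a common reason a hand-built URL fails.
    $query = [ordered]@{ client_id = $AppId; state = $State }
    if ($RedirectUri) { $query['redirect_uri'] = $RedirectUri }
    $qs = ($query.GetEnumerator() | ForEach-Object {
        '{0}={1}' -f $_.Key, [uri]::EscapeDataString($_.Value)
    }) -join '&'
    return 'https://login.microsoftonline.com/{0}/adminconsent?{1}' -f [uri]::EscapeDataString($TenantId), $qs
}

function New-AppRegistrationPortalUrl {
    param([Parameter(Mandatory)] [string]$TenantId, [Parameter(Mandatory)] [string]$AppId)
    # ASSUMPTION: the path below is the App registration > API permissions blade as the portal
    # showed it when this was written; compare it with the URL your portal displays.
    # Putting the tenant in the path opens the portal in that directory rather than your home tenant.
    return 'https://portal.azure.com/{0}#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/CallAnAPI/appId/{1}' -f $TenantId, $AppId
}

function Open-InPrivateWindow {
    param([Parameter(Mandatory)] [string]$Url)
    # Known browsers with their private-mode switches; the paths are default install locations (assumption).
    $browsers = @(
        @{ Path = "$env:ProgramFiles\Google\Chrome\Application\chrome.exe";         Switch = '--incognito' },
        @{ Path = "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe";  Switch = '--incognito' },
        @{ Path = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"; Switch = '--inprivate' },
        @{ Path = "$env:ProgramFiles\Mozilla Firefox\firefox.exe";                  Switch = '-private-window' }
    )
    foreach ($b in $browsers) {
        if (Test-Path -LiteralPath $b.Path) {
            Start-Process -FilePath $b.Path -ArgumentList @($b.Switch, $Url)
            return $true
        }
    }
    # No known browser: put the URL on the clipboard so it can be pasted into a fresh private window.
    Set-Clipboard -Value $Url
    Write-Warning 'No browser with a private-mode switch found; the URL is on the clipboard.'
    return $false
}

function Invoke-AdminConsentViaCli {
    param([Parameter(Mandatory)] [string]$TenantId, [Parameter(Mandatory)] [string]$AppId)
    if (-not (Get-Command az -ErrorAction SilentlyContinue)) { return $false }
    # The CLI has its own sign-in, independent of Connect-AzureAD. Check that it is signed in to the
    # *customer* tenant before granting anything; az account show reports the current context's tenant GUID,
    # so pass the tenant as a GUID here.
    $acct = az account show --output json 2>$null | ConvertFrom-Json
    if (-not $acct -or $acct.tenantId -ne $TenantId) {
        Write-Warning "Azure CLI is not signed in to tenant $TenantId (try: az login --tenant $TenantId --allow-no-subscriptions)"
        return $false
    }
    az ad app permission admin-consent --id $AppId
    return ($LASTEXITCODE -eq 0)
}

# Driver with placeholder IDs (constructed; substitute the customer tenant and the created app's AppId).
$tenantId = '00000000-0000-0000-0000-000000000000'
$appId    = '11111111-1111-1111-1111-111111111111'
if (-not (Invoke-AdminConsentViaCli -TenantId $tenantId -AppId $appId)) {
    # Fall back to the interactive route: consent endpoint first, portal deep link if that is refused.
    $consentUrl = New-AdminConsentUrl -TenantId $tenantId -AppId $appId
    $portalUrl  = New-AppRegistrationPortalUrl -TenantId $tenantId -AppId $appId
    Write-Host "Consent URL: $consentUrl"
    Write-Host "Portal URL:  $portalUrl"
    Open-InPrivateWindow -Url $consentUrl | Out-Null
}
```

The CLI check is the part worth keeping even if you never use `admin-consent`: `az account show` tells you which tenant the CLI context is actually in, and granting consent while the CLI is still signed in to your own partner tenant is the mistake that produces a grant in the wrong directory.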
You're welcome, glad to help. Yes, that sounds like a good idea. Having it go directly to the Tenant's portal and into the correct App Registration blade will probably streamline the process. And as I mentioned before, if you run into issues because it opens in a browser where you are logged in, just have it start a new Incognito session.
Even if the process is manual, hopefully it is only one-time!
--Saul
