英文:
Admin Consent failed for AAD application
问题
I have global adminstrator permission and When i try to do admin consent to AAD Application permissions i am getting below error.
az : ERROR: Bad Request({"ClassName":"Microsoft.Portal.Framework.Exceptions.ClientException","Message":"Graph call failed with httpCode=BadRequest, errorCode=Request_BadRequest, errorMessage=The application needs access to a service that your organization aadb2c01 has not subscribed to. Please contact your administrator to review the configuration of your service subscriptions. At line:141 char:13
+ az ad app permission admin-consent --id "$($app.Id)"
After some research i found when spn(created in protal) is avaiable for application i can able to provide admin consent without the above error. I want to use powershell script to do admin consent
Used commands to create AAD application:
New-AzureADApplication -DisplayName "test"
Admin consent:
az ad app permission admin-consent --id "$($app.Id)"
Need solution to do admin consent
英文:
I have global adminstrator permission and When i try to do admin consent to AAD Application permissions i am getting below error.
az : ERROR: Bad Request({"ClassName":"Microsoft.Portal.Framework.Exceptions.ClientException","Message":"Graph call failed with
httpCode=BadRequest, errorCode=Request_BadRequest, errorMessage=The application needs access to a service that your organization
aadb2c01 has not subscribed to. Please contact your administrator to review the configuration of your service
subscriptions.
At line:141 char:13
+ az ad app permission admin-consent --id "$($app.Id)"
After some research i found when spn(created in protal) is avaiable for application i can able to provide admin consent without the above error. I want to use powershell script to do admin consent
Used commands to create AAD application:
New-AzureADApplication -DisplayName "test"
Admin consent:
az ad app permission admin-consent --id "$($app.Id)"
Need solution to do admin consent
答案1
得分: 0
I tried the same in my environment and got the results successfully like below:
Connect-AzureAD
New-AzureADApplication -DisplayName "ruktest"
az login --allow-no-subscriptions
az ad app permission admin-consent --id AppId
By using the above commands, Admin consent got granted successfully to the API permissions like below:
To resolve the error, check the below:
I agree with @mikesh, make sure that the Azure Service Principal exists for the Azure AD Application you have created. If not, create the Service Principal by using below command:
Connect-AzureAD
New-AzureADServicePrincipal -AccountEnabled $true -AppId AppID -AppRoleAssignmentRequired $true -DisplayName $App -Tags {WindowsAzureActiveDirectoryIntegratedApp}
To Connect-AzureAD, make sure you are connecting with the user which exists in Azure AD B2C tenant and has Global Administrator role assigned:
If still the issue persists, try recreating the Azure AD Application and check.
Reference:
Apps & service principals in Azure AD - Microsoft Entra
英文:
I tried the same in my environment and got the results successfully like below:
Connect-AzureAD
New-AzureADApplication -DisplayName "ruktest"
az login --allow-no-subscriptions
az ad app permission admin-consent --id AppId
By using the above commands, Admin consent got granted successfully to the API permissions like below:
To resolve the error, check the below:
I agree with @mikesh, make sure that the Azure Service Principal exists for the Azure AD Application you have created. If not, create the Service Principal by using below command:
Connect-AzureAD
New-AzureADServicePrincipal -AccountEnabled $true -AppId AppID -AppRoleAssignmentRequired $true -DisplayName $App -Tags {WindowsAzureActiveDirectoryIntegratedApp}
To Connect-AzureAD, make sure you are connecting with the user which exists in Azure AD B2C tenant and has Global Administrator role assigned:
If still the issue persists, try recreating the Azure AD Application and check.
Reference:
答案2
得分: 0
如@mikesh在评论中提到的,当我们在门户中使用向导时,它会创建一个应用程序和一个服务主体。因此,如果您想在PowerShell中创建相同的内容,那么我们需要使用New-AzureADApplication和New-AzureADServicePrincipal两个命令。
$myapp=New-AzureADApplication -DisplayName "myapp"
Connect-AzAccount -TenantId $B2CTenantId -Credential $creds
New-AzADServicePrincipal -ApplicationId "$($myapp.AppId)"
创建了myapp的服务主体后,可以无任何问题地执行管理员同意。
英文:
As @mikesh mentioned in comments, when we use wizard in the portal, it creates both an Application and a Service Principal. So, if you want to create the same in PowerShell, then we need to use New-AzureADApplication and New-AzureADServicePrincipal both
$myapp=New-AzureADApplication -DisplayName "myapp"
Connect-AzAccount -TenantId $B2CTenantId -Credential $creds
New-AzADServicePrincipal -ApplicationId "$($myapp.AppId)"
After creating spn for myapp can able to do admin consent without any issue.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论