Admin Consent failed for AAD application

Question

I have Global Administrator permission, and when I try to grant admin consent to the AAD application's permissions I get the error below.

az : ERROR: Bad Request({"ClassName":"Microsoft.Portal.Framework.Exceptions.ClientException","Message":"Graph call failed with httpCode=BadRequest, errorCode=Request_BadRequest, errorMessage=The application needs access to a service that your organization aadb2c01 has not subscribed to. Please contact your administrator to review the configuration of your service subscriptions. At line:141 char:13
+ az ad app permission admin-consent --id "$($app.Id)"

After some research I found that when an SPN (created in the portal) is available for the application, I am able to grant admin consent without the above error. I want to use a PowerShell script to do the admin consent.

Used commands to create AAD application:
New-AzureADApplication -DisplayName "test"

Admin consent:
az ad app permission admin-consent --id "$($app.Id)"

Need a solution to do admin consent.


Answer 1

Score: 0

I tried the same in my environment and got the results successfully, like below:

Connect-AzureAD
New-AzureADApplication -DisplayName "ruktest"

az login --allow-no-subscriptions
az ad app permission admin-consent --id AppId

By using the above commands, admin consent was granted successfully to the API permissions, like below:

To resolve the error, check the below:

I agree with @mikesh: make sure that the Azure service principal exists for the Azure AD application you have created. If not, create the service principal using the command below:

Connect-AzureAD

# Look up the registration created earlier (replace 'ruktest' with your app's display name)
$App = Get-AzureADApplication -Filter "displayName eq 'ruktest'"

# Create the service principal for that application in the tenant
New-AzureADServicePrincipal -AccountEnabled $true -AppId $App.AppId -AppRoleAssignmentRequired $true -DisplayName $App.DisplayName -Tags @("WindowsAzureActiveDirectoryIntegratedApp")

For Connect-AzureAD, make sure you are connecting with a user that exists in the Azure AD B2C tenant and has the Global Administrator role assigned:

If the issue still persists, try recreating the Azure AD application and check again.

Reference:

Apps & service principals in Azure AD - Microsoft Entra


Answer 2

Score: 0


As @mikesh mentioned in the comments, when we use the wizard in the portal, it creates both an application and a service principal. So, if you want to create the same in PowerShell, we need to use both New-AzureADApplication and New-AzureADServicePrincipal.

$myapp = New-AzureADApplication -DisplayName "myapp"         # AzureAD module, after Connect-AzureAD
Connect-AzAccount -TenantId $B2CTenantId -Credential $creds   # Az module; $B2CTenantId and $creds are set beforehand
New-AzADServicePrincipal -ApplicationId "$($myapp.AppId)"     # creates the service principal for the new app

After creating the SPN for myapp, I was able to do admin consent without any issue.
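The two answers above combined into one idempotent script, as an added example that is not part of the question or either answer: it reuses an existing registration, creates the service principal only if it is missing, lists every permission that admin consent would grant tenant-wide, and then runs the CLI consent. It assumes the AzureAD module and Azure CLI are installed and the signed-in user is a Global Administrator of the B2C tenant; the tenant id and app name are placeholders.

```powershell
# Added example: app registration + service principal + reviewed admin consent.
# Assumes AzureAD module and Azure CLI are installed; $TenantId and $AppName are placeholders.
param(
    [string]$TenantId = '<your-b2c-tenant-id>',
    [string]$AppName  = 'myapp'
)

Connect-AzureAD -TenantId $TenantId | Out-Null

# Reuse an existing registration with this name rather than creating duplicates.
$app = Get-AzureADApplication -Filter "displayName eq '$AppName'" | Select-Object -First 1
if (-not $app) {
    $app = New-AzureADApplication -DisplayName $AppName
}

# The portal wizard creates both objects; from PowerShell the service principal must be
# created explicitly, otherwise admin-consent fails with the Request_BadRequest error.
$sp = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $sp) {
    $sp = New-AzureADServicePrincipal -AccountEnabled $true -AppId $app.AppId `
        -DisplayName $app.DisplayName -Tags @('WindowsAzureActiveDirectoryIntegratedApp')
}

# Admin consent grants every requested permission for the whole tenant, so list them first
# (application permissions are 'Role' entries, delegated ones are 'Scope' entries).
foreach ($resource in $app.RequiredResourceAccess) {
    $resourceSp = Get-AzureADServicePrincipal -Filter "appId eq '$($resource.ResourceAppId)'"
    foreach ($access in $resource.ResourceAccess) {
        $name = if ($access.Type -eq 'Role') {
            ($resourceSp.AppRoles | Where-Object Id -eq $access.Id).Value
        } else {
            ($resourceSp.Oauth2Permissions | Where-Object Id -eq $access.Id).Value
        }
        Write-Host ("{0} {1} on {2}" -f $access.Type, $name, $resourceSp.DisplayName)
    }
}

# Grant consent using the app (client) id; the CLI accepts the object id as well.
az login --tenant $TenantId --allow-no-subscriptions --only-show-errors | Out-Null
az ad app permission admin-consent --id $app.AppId
if ($LASTEXITCODE -ne 0) { throw "Admin consent failed for $($app.AppId)" }
```

Run it in the B2C tenant as a Global Administrator; a freshly created app has no RequiredResourceAccess entries, so the review loop prints nothing until permissions are added to the registration.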

huangapple
  • Posted by huangapple on 2023-06-26 20:17:05
  • Please keep this link when reprinting: https://go.coder-hub.com/76556606.html