azure-samples / aad-dotnet-manage-service-principals Goto Github PK

Hi,

Getting the below errors while run the sample code (Use Auth file)
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."},"requestId":"99436c5d-f1c8-4728-8ce7-a52e6d78aa83","date":"2019-09-03T05:48:51"}}

Call stack:
at Microsoft.Azure.Management.Graph.RBAC.Fluent.ApplicationsOperations.d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable1.ConfiguredTaskAwaiter.GetResult() at Microsoft.Azure.Management.Graph.RBAC.Fluent.ApplicationsOperationsExtensions.<CreateAsync>d__0.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
at Microsoft.Azure.Management.Graph.RBAC.Fluent.ActiveDirectoryApplicationImpl.d__25.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter1.GetResult() at Microsoft.Azure.Management.ResourceManager.Fluent.Core.ResourceActions.Creatable4.<Microsoft-Azure-Management-ResourceManager-Fluent-Core-ResourceActions-IResourceCreator-CreateResourceAsync>d__15.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter1.GetResult() at Microsoft.Azure.Management.ResourceManager.Fluent.Core.DAG.CreatorTaskItem1.d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.GetResult()
at Microsoft.Azure.Management.ResourceManager.Fluent.Core.DAG.TaskGroupBase1.<ExecuteNodeTaskAsync>d__14.MoveNext() --- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter1.GetResult()
at Microsoft.Azure.Management.ResourceManager.Fluent.Core.Extensions.Synchronize[TResult](Func1 function) at Microsoft.Azure.Management.ResourceManager.Fluent.Core.ResourceActions.Creatable4.Create()
at ManageServicePrincipal.Program.CreateActiveDirectoryApplication(IAuthenticated authenticated)
at ManageServicePrincipal.Program.RunSample(IAuthenticated authenticated)

I am trying to execute the solution. Getting below error:

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: AADSTS1002016: You are using TLS version 1.0, 1.1 and/or 3DES cipher which is deprecated to improve the security posture of Azure AD.

How do we mitigate this issue? Is there any other implementation that addresses this?

https://github.com/Azure/azure-sdk-for-net/blob/Fluent/AUTH.md

Hey,

When trying to update SPI with new key I get an exception telling me that its forbidden, but the SPI I am using is owner of the APP I am trying to update. I have tried using PS to update key with success (see code below). But when I try to update (under same AAD context using dotnet i get an exception :-(. Also I can update the APP key if I use the SPI that originally created the APP, but not with another SPI that has owner rights on exact same app.

.NET
var aadServicePrincipal = await servicePrincipal .Update() .DefinePasswordCredential("secret") .WithPasswordValue(password) .WithDuration(TimeSpan.FromHours(1)) .Attach() .ApplyAsync(); return aadServicePrincipal;

PS code
`$TenantId = "xxxxxx"
$ApplicationId = "xxxxx"
$ServicePrincipalKey = "xxx"
$ApplicationObjectIdNeedsKey = "xxxx"

Add-Type -AssemblyName System.Web
$clientKeyURLEncoded = [System.Web.HttpUtility]::UrlEncode($ServicePrincipalKey)
$tokenrequest = "grant_type=client_credentials&client_id=$ApplicationId&client_secret=$clientKeyURLEncoded&resource=https://graph.windows.net"
$authResult = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" -Body $tokenrequest

Write-Information "Login to AzureAD with same SP: $ApplicationId"
Connect-AzureAD -AadAccessToken $authResult.access_token -AccountId $ApplicationId -TenantId $TenantId

$startDate = Get-Date
$endDate = $startDate.AddYears($script:yearsOfExpiration)
$aadAppKeyPwd = New-AzureADApplicationPasswordCredential -ObjectId $ApplicationObjectIdNeedsKey -CustomKeyIdentifier "xallm3.test" -StartDate $startDate -EndDate $endDate

$aadAppKeyPwd`