Forum Discussion
Update App Registration Client Secret Using Microsoft Graph REST API v1.0
Hello,
I have a customer who wants to set the App registration Client Secret to 1 year. Here are the customer's requirements:
- For existing application registrations under ‘Certificates & Secrets’ pane, any new secrets added by owners should have the duration limited to one year. If the owner tries to set the duration greater than one year and clicks ‘Add’ button, the action should not be allowed with proper error displayed.
- The same behavior should also be applicable to new application registration specific secrets.
- It should not impact any existing secret that is present (greater or less than one year) for current application registrations.
- We need a way to enable and disable the global policy in case we want to disable it if something doesn’t work as expected.
- We don’t want to impact anything else wrt application registrations or anything in service principals.
Based on the article you shared: Microsoft Entra application management policy API overview - Microsoft Graph v1.0 | Microsoft Learn
Below is the script we are trying to use to add the global policy and set as default policy with isEnabled = true. As we cannot test in a different tenant, can you please confirm the snippet below will work for the above requirements?
Get-MgPolicyAppManagementPolicy | select *   # list the app management policies already in the tenant
$policy = @{
    "displayName" = "Enforce Max Lifetime for Secrets"
    "description" = "Policy to enforce a maximum lifetime of 1 year for any new secrets."
    "applicationRestrictions" = @{
        "passwordCredentials" = @{
            "maxLifetime" = "P365D" # ISO 8601 duration format for 1 year
        }
    }
}
New-MgPolicyAppManagementPolicy -BodyParameter $policy
Update-MgPolicyDefaultAppManagementPolicy -id <ABOVE_POLICY_ID> -IsEnabled $true
I tried to test it in my own tenant, but I ran into a permission issue. Can someone please confirm if this snippet works against the customer's requirements?
Thanks.
4 Replies
Try refining your policy like this:
# Define the policy
$policy = @{
    "displayName" = "Enforce Max Lifetime for Secrets"
    "description" = "Policy to enforce a maximum lifetime of 1 year for any new secrets."
    "applicationRestrictions" = @{
        "passwordCredentials" = @{
            "maxLifetime" = "P365D" # ISO 8601 duration format for 1 year
        }
    }
}
# Create the policy
New-MgPolicyAppManagementPolicy -BodyParameter $policy
# Enable the policy
Update-MgPolicyDefaultAppManagementPolicy -id <ABOVE_POLICY_ID> -IsEnabled $true
- terruahmad
Microsoft
Hello Kidd_Ip,
Thanks for your reply. What is the best way to test this out? I have an external tenant with Global Admin. I added "Application Admin" to my user id. However, I get the following error:
New-MgPolicyAppManagementPolicy_Create: Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2024-12-04T16:01:29
In the documentation, it says to use the following permissions:
Permission type | Least privileged permissions | Higher privileged permissions
Delegated (work or school account) | Policy.Read.ApplicationConfiguration | Policy.ReadWrite.ApplicationConfiguration
Delegated (personal Microsoft account) | Not supported. | Not supported.
Application | Policy.Read.ApplicationConfiguration | Policy.ReadWrite.ApplicationConfiguration
I used this command: Connect-MgGraph -Scopes "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All". But it did not help. I am not sure if there is an Azure policy in place. How should I set up the permission to test?
Thanks.
- balasubramanim
Iron Contributor
Try the below steps
1. Policy Creation - The script creates a policy with maxLifetime set to P365D (1 year in ISO 8601 format).
2. Enable the Policy - It sets the new policy as the default for the tenant using Update-MgPolicyDefaultAppManagementPolicy.
3. Impact - Applies only to new secrets. Existing secrets remain unaffected. Enabling/disabling the policy is straightforward via IsEnabled.
Note:
Permissions: You need Policy.ReadWrite.ApplicationConfiguration admin permission.
Testing: Ensure the script is run with admin privileges. Permissions issues are common in unconfigured tenants.
To fix the 403 Forbidden error and test your script:
Ensure Correct Permissions:
Use the Policy.ReadWrite.ApplicationConfiguration permission.
Connect with - Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration"
Grant Admin Consent - As a Global Admin:
Go to Azure AD > App Registrations.
Add Policy.ReadWrite.ApplicationConfiguration under API Permissions.
Click Grant admin consent.
Verify Role - Ensure your account has Global Admin or Privileged Role Admin, as Application Admin alone is insufficient.
Retry the Script - Confirm permissions using "Get-MgContext"
Check Azure Policies - If still blocked, check for Azure Policies restricting app registration changes.
This should resolve the error and let you test successfully.
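For reference, here is an added example (not the poster's script nor the replies' code) of the tenant-wide, one-year cap done against the Graph v1.0 REST endpoint named in the thread title. The tenant default policy is a singleton at /policies/defaultAppManagementPolicy, so it is patched in place rather than created and then referenced by id, and its passwordCredentials value is a collection of restriction objects keyed by restrictionType. It assumes the Microsoft.Graph.Authentication module, an account with consented Policy.ReadWrite.ApplicationConfiguration, and a constructed past date for restrictForAppsCreatedAfterDateTime so the cap covers existing registrations.

```powershell
# Added example: set the tenant default app management policy so that any new
# client secret is limited to one year, then read it back to verify.
# Existing secrets are untouched; the restriction is evaluated only when a
# credential is added.
# Assumes Microsoft.Graph.Authentication and an account holding
# Policy.ReadWrite.ApplicationConfiguration with admin consent granted.

Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration" -NoWelcome

$uri = "https://graph.microsoft.com/v1.0/policies/defaultAppManagementPolicy"

# passwordCredentials is a collection of passwordCredentialConfiguration objects.
# restrictionType "passwordLifetime" caps the validity of newly added secrets.
# A restrictForAppsCreatedAfterDateTime in the past (constructed value) makes the
# cap apply to secrets added on existing app registrations as well as new ones.
$body = @{
    isEnabled               = $true
    applicationRestrictions = @{
        passwordCredentials = @(
            @{
                restrictionType                     = "passwordLifetime"
                maxLifetime                         = "P365D"   # ISO 8601, one year
                restrictForAppsCreatedAfterDateTime = "2000-01-01T00:00:00Z"
            }
        )
    }
}

Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType "application/json" `
    -Body ($body | ConvertTo-Json -Depth 10)

# Verify: fetch the policy and confirm the lifetime restriction is present and enabled.
$policy   = Invoke-MgGraphRequest -Method GET -Uri $uri
$lifetime = $policy.applicationRestrictions.passwordCredentials |
    Where-Object { $_.restrictionType -eq "passwordLifetime" }

if ($policy.isEnabled -and $lifetime.maxLifetime -eq "P365D") {
    Write-Host "Default policy enabled; new secrets are capped at P365D."
} else {
    Write-Warning "Policy not applied as expected; current object follows:"
    $policy | ConvertTo-Json -Depth 10
}

# The on/off switch from the requirements: flip isEnabled only, keeping the
# restrictions in place so the policy can be re-enabled later.
# Invoke-MgGraphRequest -Method PATCH -Uri $uri -ContentType "application/json" `
#     -Body '{ "isEnabled": false }'
```

Run the PATCH first in a test tenant and try adding a two-year secret in the portal afterwards; the add should be rejected while the secrets already listed under Certificates & secrets stay as they are.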