Forum Discussion
terruahmad
Microsoft
Dec 03, 2024
Update App Registration Client Secret Using Microsoft Graph REST API v1.0
Hello,
I have a customer who wants to set the App registration Client Secret to 1 year. Here are the customer's requirements:
For existing application registrations under ‘Certificates & S...
terruahmad
Microsoft
Dec 04, 2024
Hello Kidd_Ip,
Thanks for your reply. What is the best way to test this out? I have an external tenant with Global Admin. I added "Application Admin" to my user id. However, I get the following error:
New-MgPolicyAppManagementPolicy_Create: Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2024-12-04T16:01:29
In the documentation, it says to use the following permissions:
Permission type | Least privileged permissions | Higher privileged permissions |
---|---|---|
Delegated (work or school account) | Policy.Read.ApplicationConfiguration | Policy.ReadWrite.ApplicationConfiguration |
Delegated (personal Microsoft account) | Not supported. | Not supported. |
Application | Policy.Read.ApplicationConfiguration | Policy.ReadWrite.ApplicationConfiguration |
I used this command Connect-MgGraph -Scopes "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All". But it did not help. I am not sure if there is an Azure policy in place. How should I set up the permission to test?
Thanks.
balasubramanim
Dec 04, 2024
Iron Contributor
Try the below steps
1. Policy Creation - The script creates a policy with maxLifetime set to P365D (1 year in ISO 8601 format).
2. Enable the Policy - It sets the new policy as the default for the tenant using Update-MgPolicyDefaultAppManagementPolicy.
3. Impact - Applies only to new secrets. Existing secrets remain unaffected. Enabling/disabling the policy is straightforward via IsEnabled.
Note:
Permissions: You need Policy.ReadWrite.ApplicationConfiguration admin permission.
Testing: Ensure the script is run with admin privileges. Permissions issues are common in unconfigured tenants.
To fix the 403 Forbidden error and test your script
Ensure Correct Permissions:
Use the Policy.ReadWrite.ApplicationConfiguration permission.
Connect with - Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration"
Grant Admin Consent - A Global Admin
Go to Azure AD > App Registrations.
Add Policy.ReadWrite.ApplicationConfiguration under API Permissions.
Click Grant admin consent.
Verify Role and ensure your account has Global Admin or Privileged Role Admin, as Application Admin alone is insufficient.
Retry the Script - Confirm permissions using "Get-MgContext"
Check Azure Policies - If still blocked, check for Azure Policies restricting app registration changes.
This should resolve the error and let you test successfully.
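The steps above describe the procedure in prose; the following is an added PowerShell example, not the poster's script and not code from the original thread, that carries the same procedure through end to end against Microsoft Graph v1.0. Two points worth making explicit, since the thread's 403 turns on them: a delegated Graph call is authorized by both the consented scope in the token (Policy.ReadWrite.ApplicationConfiguration, which Application.ReadWrite.All does not cover) and the signed-in user's directory role, so a token that shows the right scope in Get-MgContext can still be refused if the role is missing; and the tenant-wide default is a singleton at /policies/defaultAppManagementPolicy that is patched in place with the restriction itself, while custom policies under /policies/appManagementPolicies only take effect on the application objects they are assigned to. Assumptions: the signed-in user holds a directory role that may write app management policies (Global Administrator works), and the cutoff date and $appObjectId below are placeholders.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns

# Added example (not from the thread): enforce a 1-year maximum lifetime for NEW
# client secrets, tenant-wide via the default app management policy, and show the
# per-app alternative with a custom policy. Existing secrets are not affected.

# 1. Connect with the scope the Graph docs list for this operation.
#    Application.ReadWrite.All does not grant writes under /policies/*.
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration" -NoWelcome

# 2. Check the token actually carries the scope before attempting writes.
#    A 403 Authorization_RequestDenied after this check passes points at the
#    signed-in user's directory role, which Get-MgContext cannot show.
$ctx = Get-MgContext
if ($ctx.Scopes -notcontains "Policy.ReadWrite.ApplicationConfiguration") {
    throw "Token lacks Policy.ReadWrite.ApplicationConfiguration; reconnect with that scope."
}

# 3. Build the restriction. maxLifetime is an ISO 8601 duration (P365D = 1 year).
#    restrictForAppsCreatedAfterDateTime = $null would apply it to every app;
#    the date here is a placeholder assumption.
$cutoffDate = "2024-12-01T00:00:00Z"
$restrictions = @{
    passwordCredentials = @(
        @{
            restrictionType                     = "passwordLifetime"
            maxLifetime                         = "P365D"
            restrictForAppsCreatedAfterDateTime = $cutoffDate
        }
    )
}

# 4a. Tenant-wide: PATCH the singleton default policy in place. It is not
#     pointed at a custom policy's Id; it carries the restrictions itself.
Update-MgPolicyDefaultAppManagementPolicy -BodyParameter @{
    isEnabled               = $true
    applicationRestrictions = $restrictions
}

# Read it back and confirm what the tenant now enforces.
$default = Get-MgPolicyDefaultAppManagementPolicy
$rule = $default.ApplicationRestrictions.PasswordCredentials |
    Where-Object { $_.RestrictionType -eq "passwordLifetime" }
"Default policy enabled: $($default.IsEnabled); maxLifetime: $($rule.MaxLifetime)"

# 4b. Per-app alternative: a custom policy only governs apps it is bound to.
$custom = New-MgPolicyAppManagementPolicy -BodyParameter @{
    displayName  = "Enforce Max Lifetime for Secrets"
    description  = "Policy to enforce a maximum lifetime of 1 year for any new secrets."
    isEnabled    = $true
    restrictions = $restrictions
}

# Bind it to one application object (object id, not appId); placeholder value.
$appObjectId = "00000000-0000-0000-0000-000000000000"
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/applications/$appObjectId/appManagementPolicies/`$ref" `
    -Body @{ "@odata.id" = "https://graph.microsoft.com/v1.0/policies/appManagementPolicies/$($custom.Id)" }

# 5. Optional proof that the policy bites: a 2-year secret on a governed app
#    should now be rejected by Graph, while a 1-year one is accepted.
#    Left commented out because it creates a real credential.
# Add-MgApplicationPassword -ApplicationId $appObjectId `
#     -PasswordCredential @{ displayName = "too-long"; endDateTime = (Get-Date).AddYears(2) }
```

Run step 2 first on its own if you are chasing a 403: if the scope is present and the write is still refused, the fix is a role assignment for the signed-in user, not another Connect-MgGraph scope.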
terruahmad
Microsoft
Dec 05, 2024
Hello lbalasubramanian
Thanks for your reply and the steps. I am getting closer. I checked my accounts roles and App Registration API permission. I was able to run the script and generate policy Id. But I am still getting a permission error when I run "Update-MgPolicyDefaultAppManagementPolicy". I searched Azure Policies to see if any is restricting App registration, but with no luck. Do you know which Azure Policies to check?
-----------------------------------------------------------------
Get-MgContext
ClientId : xx
TenantId : xx
Scopes : {Application.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All, openid, Policy.ReadWrite.ApplicationConfiguration…}
AuthType : Delegated
TokenCredentialType : DeviceCode
CertificateThumbprint :
CertificateSubjectName :
SendCertificateChain : False
Account : userid@MngEnvMCAP.onmicrosoft.com
AppName : Microsoft Graph Command Line Tools
ContextScope : Process
Certificate :
PSHostVersion : 7.4.5
ManagedIdentityId :
ClientSecret :
Environment : Global
-----------------------------------------------------------------
New-MgPolicyAppManagementPolicy -BodyParameter $policy
DeletedDateTime Description DisplayName Id IsEnabled
--------------- ----------- ----------- -- ---------
Policy to enforce a maximum lifetime of 1 year for any new secrets. Enforce Max Lifetime for Secrets ca530b49-1b2b-4685-b87e-xxxxxxxxxxxxx False
----------------------------------------------------------------------------------------
Update-MgPolicyDefaultAppManagementPolicy -id ca530b49-1b2b-4685-b87e-xxxxxxxxxxxxx -IsEnabled:$true
Update-MgPolicyDefaultAppManagementPolicy_UpdateExpanded: Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2024-12-05T16:56:39