Forum Discussion
Update App Registration Client Secret Using Microsoft Graph REST API v1.0
Try the steps below:
1. Policy Creation - The script creates a policy with maxLifetime set to P365D (1 year in ISO 8601 format).
2. Enable the Policy - It sets the new policy as the default for the tenant using Update-MgPolicyDefaultAppManagementPolicy.
3. Impact - Applies only to new secrets. Existing secrets remain unaffected. Enabling/disabling the policy is straightforward via IsEnabled.
Note:
Permissions: You need Policy.ReadWrite.ApplicationConfiguration admin permission.
Testing: Ensure the script is run with admin privileges. Permissions issues are common in unconfigured tenants.
To fix the 403 Forbidden error and test your script:
Ensure Correct Permissions:
Use the Policy.ReadWrite.ApplicationConfiguration permission.
Connect with - Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration"
Grant Admin Consent - As a Global Admin:
Go to Azure AD > App Registrations.
Add Policy.ReadWrite.ApplicationConfiguration under API Permissions.
Click Grant admin consent.
Verify Role - Ensure your account has Global Admin or Privileged Role Admin, as Application Admin alone is insufficient.
Retry the Script - Confirm permissions using "Get-MgContext"
Check Azure Policies - If still blocked, check for Azure Policies restricting app registration changes.
This should resolve the error and let you test successfully.
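The full procedure from the steps above as a runnable script. This is an added example, not code posted by lbalasubramanian or the original poster. It uses the Microsoft Graph PowerShell SDK cmdlets (Identity.SignIns and Applications modules) and assumes the signed-in account has been granted admin consent for Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All; the application object id in $appId is a placeholder. One point worth noting: the tenant default policy (defaultAppManagementPolicy) is a singleton whose own restrictions you update, so Update-MgPolicyDefaultAppManagementPolicy takes the restriction set, not the id of a separately created appManagementPolicy. A custom policy created with New-MgPolicyAppManagementPolicy is instead assigned to individual applications by reference, which the second half of the script shows.

```powershell
# Added example (not from the original thread). Assumes the Microsoft.Graph
# PowerShell SDK and an account with admin-consented
# Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All.
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration", "Application.ReadWrite.All" -NoWelcome

# Check: the scope must actually be present in the issued token, otherwise
# every write below fails with 403 Authorization_RequestDenied.
$ctx = Get-MgContext
if ($ctx.Scopes -notcontains "Policy.ReadWrite.ApplicationConfiguration") {
    throw "Token lacks Policy.ReadWrite.ApplicationConfiguration; grant admin consent and reconnect."
}

# Restriction block used for both policies: any password credential added to an
# app created after the cut-off date may live at most 365 days (ISO 8601 duration).
$passwordLifetime = @{
    passwordCredentials = @(
        @{
            restrictionType                     = "passwordLifetime"
            maxLifetime                         = "P365D"
            restrictForAppsCreatedAfterDateTime = [System.DateTime]::Parse("2024-01-01T00:00:00Z")
        }
    )
}

# 1. Tenant-wide default. The default policy is a singleton: you update its own
#    restrictions and enable it, rather than pointing it at another policy's id.
Update-MgPolicyDefaultAppManagementPolicy -BodyParameter @{
    isEnabled               = $true
    applicationRestrictions = $passwordLifetime
}

# Read back and confirm the setting took effect before relying on it.
$default = Get-MgPolicyDefaultAppManagementPolicy
$default.ApplicationRestrictions.PasswordCredentials |
    Select-Object RestrictionType, MaxLifetime, RestrictForAppsCreatedAfterDateTime

# 2. Optional: a custom policy that can be assigned to specific applications and
#    overrides the tenant default for them.
$custom = New-MgPolicyAppManagementPolicy -BodyParameter @{
    displayName  = "Enforce Max Lifetime for Secrets"
    description  = "Policy to enforce a maximum lifetime of 1 year for any new secrets."
    isEnabled    = $true
    restrictions = $passwordLifetime
}

# Assign it to one application by reference. $appId is a placeholder object id
# (the application's object id, not its appId/client id).
$appId = "00000000-0000-0000-0000-000000000000"
New-MgApplicationAppManagementPolicyByRef -ApplicationId $appId `
    -OdataId "https://graph.microsoft.com/v1.0/policies/appManagementPolicies/$($custom.Id)"

# 3. Verify the assignment. Existing secrets are untouched; only newly added
#    secrets whose expiry exceeds the limit are rejected by the service.
Get-MgApplicationAppManagementPolicy -ApplicationId $appId |
    Select-Object Id, DisplayName, IsEnabled
```

If the Update call still returns 403 with the scope present, the signed-in user's directory role is the remaining variable: the delegated token carries the scope, but the service also checks the caller's role, so re-run after confirming the role membership mentioned in step 18 rather than changing the script.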
Hello lbalasubramanian,
Thanks for your reply and the steps. I am getting closer. I checked my account's roles and App Registration API permissions. I was able to run the script and generate the policy Id. But I am still getting a permission error when I run "Update-MgPolicyDefaultAppManagementPolicy". I searched Azure Policies to see if any is restricting App registration, but with no luck. Do you know which Azure Policies to check?
-----------------------------------------------------------------
Get-MgContext
ClientId : xx
TenantId : xx
Scopes : {Application.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All, openid, Policy.ReadWrite.ApplicationConfiguration…}
AuthType : Delegated
TokenCredentialType : DeviceCode
CertificateThumbprint :
CertificateSubjectName :
SendCertificateChain : False
Account : userid@MngEnvMCAP.onmicrosoft.com
AppName : Microsoft Graph Command Line Tools
ContextScope : Process
Certificate :
PSHostVersion : 7.4.5
ManagedIdentityId :
ClientSecret :
Environment : Global
-----------------------------------------------------------------
New-MgPolicyAppManagementPolicy -BodyParameter $policy
DeletedDateTime Description DisplayName Id IsEnabled
--------------- ----------- ----------- -- ---------
Policy to enforce a maximum lifetime of 1 year for any new secrets. Enforce Max Lifetime for Secrets ca530b49-1b2b-4685-b87e-xxxxxxxxxxxxx False
----------------------------------------------------------------------------------------
Update-MgPolicyDefaultAppManagementPolicy -id ca530b49-1b2b-4685-b87e-xxxxxxxxxxxxx -IsEnabled:$true
Update-MgPolicyDefaultAppManagementPolicy_UpdateExpanded: Insufficient privileges to complete the operation.
Status: 403 (Forbidden)
ErrorCode: Authorization_RequestDenied
Date: 2024-12-05T16:56:39