Programmatically grant admin consent to a service principal

May 29, 2023 JosL Leave a comment

Most articles and e.g. az module commands allow you to do an admin consent on an application object.

However, Service Principals have the same option in the Azure Portal:

In my scenario I have control over both the hosting tenant of this multi-tenant app registration, so I could use the requiredResourceAccess property to read all Oauth2permissiongrants and approleAssignments from the source app registration to re-apply it to the service principal in the consuming tenant.

The result is similar to consenting through the admin portal but does not require user interaction / is fully headless, ideal for when you’re adding scopes/roles to an application and don’t want to have to do a manual reconsent in all managed tenants.

Here’s the code to to programmatic admin consent:

https://gitlab.com/Lieben/assortedFunctions/-/blob/master/grant-adminConsentForServicePrincipal.ps1

It requires DelegatedPermissionGrant.ReadWrite.All and AppRoleAssignment.ReadWrite.All graph permissions for the calling principal (user or application).

If you don’t have access to the source tenant (e.g. multi tenant), you can also simply create a hashtable with the required permissions (manual definition or export from the application manifest).

Uncategorized

AADSTS135010: UserPrincipal doesn’t have the key ID configured

May 26, 2023 JosL Leave a comment

If you run into this one when using Delegated or Application authentication in Azure Active Directory, recreate your refresh token and you should be fine 🙂

Office 365, OneDrive for Business, OneDriveMapper, Powershell, Sharepoint Online

OnedriveMapper 5.14

May 8, 2023 JosL Leave a comment

Just release 5.14 with the following two new features:

support directly mapping to subfolders on sites instead of the root
optionally create a subfolder per user in specific mappings if it doesn’t exist and map that directly

As always, links/doc/info here: https://www.lieben.nu/liebensraum/onedrivemapper/

Automation, Azure, Powershell, Security

Easily get access token for Azure Management API

May 4, 2023 JosL Leave a comment

Wrote this little snippet that assumes a logged in session (Connect-AzAccount) and easily/quickly produces an auth header.

function get-azRMAccessHeader(){
    $profile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
    $context = Get-AzContext
    $client = New-Object Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient($profile)

    $header = @{
        "Authorization" = "Bearer $($client.AcquireAccessToken((Get-AzContext).Tenant.TenantId).AccessToken)"
    }
    return $header
}

Automation, AzureAD, EMS, Intune, Security

LeanLAPS support

April 22, 2023 JosL Leave a comment

As Microsoft has just released LAPS for Azure AD and hybrid joined devices, the usecase for LeanLAPS is more or less gone. This means I will no longer actively develop and/or support LeanLAPS from now on.

Microsoft’s solution also doesn’t rely on proactive remediations, thus lowering the high bar to entry that P2 licensing caused.

Liebensraum

Programmatically grant admin consent to a service principal

AADSTS135010: UserPrincipal doesn’t have the key ID configured

OnedriveMapper 5.14

Easily get access token for Azure Management API

LeanLAPS support

Microsoft 365, Azure, Automation & Code