
[BUG] Add-PnPAzureADServicePrincipalAppRole returns "Service principal not found" #4501

Open
1 task done
erobillard opened this issue Nov 1, 2024 · 0 comments
Labels
bug Something isn't working

Comments


erobillard commented Nov 1, 2024

Add-PnPAzureADServicePrincipalAppRole always returns "Service principal not found"

Expected behavior

BEFORE Microsoft's restriction on interactive logins, a Global Admin was able to use Connect-PnPOnline in an interactive mode to connect to a tenant, and grant permissions for an Azure Automation Account to run PnP.PowerShell commands with the Add-PnPAzureADServicePrincipalAppRole cmdlet.

NOW, the following steps should succeed to grant API permissions to an Azure Automation Account:
1/ Created an App Registration for running PowerShell with the certificate option with:
Register-PnPAzureADApp -ApplicationName "Xyz.PnP.PowerShell" -Tenant [mytenant].onmicrosoft.com -CertificatePath "c:\certs\Xyz.PnP.PowerShell.pfx" -Interactive

The [PowerShell App ID] returned by the above is used in subsequent connections.

2/ In AAD/Entra, assign the above App Registration the following API permissions, and Grant admin consent for the org:
- AppRoleAssignment.ReadWrite.All
- Directory.Read.All
- Sites.FullControl.All
- Application.ReadWrite.All
(The first two are the required permissions listed at https://pnp.github.io/powershell/cmdlets/Add-PnPAzureADServicePrincipalAppRole.html; Sites.FullControl.All is required to execute PnP.PowerShell cmdlets; Application.ReadWrite.All was added to ensure all apps in the tenant are visible to the process.)

3/ Connect-PnPOnline using the -ClientId and -CertificatePath parameters from my App Registration:
Connect-PnPOnline [mytenant].sharepoint.com -ClientId [PowerShell App ID] -Tenant [mytenant].onmicrosoft.com -CertificatePath "c:\certs\Xyz.PnP.PowerShell.pfx"

ALSO TRIED (per Todd's article https://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=904)
Connect-PnPOnline [mytenant].sharepoint.com -ClientId [PowerShell App ID] -Tenant [mytenant].onmicrosoft.com -Interactive

4/ The following incantation should now succeed:
Add-PnPEntraIDServicePrincipalAppRole -Principal "[Azure Automation Account ID]" -AppRole "Group.Read.All" -BuiltInType MicrosoftGraph

Actual behavior

Step 4 fails with error: "Service principal not found"

Note that Get-PnPEntraIDServicePrincipal DOES list the Azure Automation Account, including the ID being used in step 4. However, the Add cmdlet continues to fail with the error above.

-Verbose output:
VERBOSE: Making GET call to https://graph.microsoft.com/v1.0/servicePrincipals?$filter=id eq '[Azure Automation Account ID]'
VERBOSE: Evaluating application permissions in access token for audience Microsoft Graph
VERBOSE: Access token contains the following 4 application permission scopes for resource Microsoft Graph: Application.ReadWrite.All, Directory.Read.All, User.Read.All, AppRoleAssignment.ReadWrite.All
VERBOSE: Making GET call to https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appid eq '[Azure Automation Account ID]'
VERBOSE: Evaluating application permissions in access token for audience Microsoft Graph
VERBOSE: Access token contains the following 4 application permission scopes for resource Microsoft Graph: Application.ReadWrite.All, Directory.Read.All, User.Read.All, AppRoleAssignment.ReadWrite.All
Add-PnPAzureADServicePrincipalAppRole: Service principal not found

Similar output when the Azure Automation Account display name is used instead:
VERBOSE: Making GET call to https://graph.microsoft.com/v1.0/servicePrincipals?$filter=displayName eq '[AutomationAccountName]'
VERBOSE: Evaluating application permissions in access token for audience Microsoft Graph
VERBOSE: Access token contains the following 4 application permission scopes for resource Microsoft Graph: Application.ReadWrite.All, Directory.Read.All, User.Read.All, AppRoleAssignment.ReadWrite.All
Add-PnPAzureADServicePrincipalAppRole: Service principal not found

Steps to reproduce behavior

The following articles describe the steps, though Denis's article is slightly more specific:
https://pnp.github.io/powershell/articles/azureautomationrunbook.html
https://spdenis.com/run-pnp-powershell-from-azure-automation/

The difference now is that it's also necessary to create an App Registration and cert in order to execute PnP.PowerShell cmdlets:
https://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=904

What is the version of the Cmdlet module you are running?

2.99.18 (nightly build). The nightly build is required to register PowerShell in the Application registry; the last official release contained a bug that prevented the Register-PnPAzureADApp step from working.

Which operating system/environment are you running PnP PowerShell on?

- Windows
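The -Verbose output above shows the cmdlet trying three lookups in turn (`$filter=id eq`, `$filter=appid eq`, `$filter=displayName eq`) and giving up when none returns a row. The diagnostic below is an added example, not code from the issue author or from the PnP.PowerShell project. It reuses the same connected session as step 3 and the `Get-PnPEntraIDServicePrincipal` cmdlet mentioned in the report to show which of those three properties (object id, appId, displayName) a given value actually matches, and it lists the app roles already assigned to a principal so that, once a grant succeeds, you can confirm only the intended role was added. It assumes `Get-PnPEntraIDServicePrincipal` returns objects with `Id`, `AppId` and `DisplayName` properties and that `Invoke-PnPGraphMethod` returns the parsed Graph response with collection items under `.value`; both are assumptions, as are the function names and the bracketed placeholder values.

```powershell
# Added diagnostic (not part of the issue or of PnP.PowerShell).
# Assumes an existing Connect-PnPOnline session whose token carries the Graph
# application permissions listed in the report's -Verbose output.

function Resolve-ServicePrincipalIdentifier {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identifier
    )
    # Enumerate every service principal the token can see, then test the value
    # against the three properties the Add cmdlet filters by (see the -Verbose
    # log): object id, appId and displayName. Assumption: the returned objects
    # expose Id, AppId and DisplayName.
    $all    = @(Get-PnPEntraIDServicePrincipal)
    $byId   = @($all | Where-Object { $_.Id -eq $Identifier })
    $byApp  = @($all | Where-Object { $_.AppId -eq $Identifier })
    $byName = @($all | Where-Object { $_.DisplayName -eq $Identifier })

    [pscustomobject]@{
        Identifier      = $Identifier
        VisibleCount    = $all.Count            # how many principals the token can enumerate
        MatchesObjectId = $byId.Count -gt 0
        MatchesAppId    = $byApp.Count -gt 0
        MatchesName     = $byName.Count         # display names are not unique, so report the count
        Candidates      = ($byId + $byApp + $byName) | Select-Object -Unique Id, AppId, DisplayName
    }
}

function Get-ServicePrincipalAppRoleAssignments {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ObjectId
    )
    # Lists the application permissions currently granted to a principal, with
    # each appRoleId resolved to its human-readable value (e.g. Group.Read.All)
    # by reading the resource's appRoles once per resource. Run this after a
    # successful grant to confirm nothing broader than intended was assigned.
    # Assumption: Invoke-PnPGraphMethod returns the parsed JSON, collections under .value.
    $resp  = Invoke-PnPGraphMethod -Url "servicePrincipals/$ObjectId/appRoleAssignments" -Method Get
    $items = if ($null -ne $resp.value) { @($resp.value) } else { @($resp) }

    $roleCache = @{}   # resourceId -> appRoles array, to avoid one Graph call per assignment
    foreach ($a in $items) {
        if (-not $roleCache.ContainsKey($a.resourceId)) {
            $res = Invoke-PnPGraphMethod -Url "servicePrincipals/$($a.resourceId)?`$select=appRoles" -Method Get
            $roleCache[$a.resourceId] = @($res.appRoles)
        }
        $role = $roleCache[$a.resourceId] | Where-Object { $_.id -eq $a.appRoleId } | Select-Object -First 1
        [pscustomobject]@{
            Principal  = $a.principalDisplayName
            Resource   = $a.resourceDisplayName
            AppRole    = if ($role) { $role.value } else { $a.appRoleId }   # fall back to the raw GUID
            GrantedOn  = $a.createdDateTime
        }
    }
}

# Usage (placeholders, replace with your own values):
# Resolve-ServicePrincipalIdentifier -Identifier '[Azure Automation Account ID]'
# Get-ServicePrincipalAppRoleAssignments -ObjectId '[object id of the automation account principal]'
```

If `MatchesObjectId`, `MatchesAppId` and `MatchesName` are all false while `VisibleCount` is non-zero, the value being passed is not one of the three identifiers the cmdlet queries by, and the `Candidates` list (or a `Where-Object` on `DisplayName`) will show the object id and appId that the principal actually carries. The second function is a least-privilege check: the assignment list is what an auditor sees, so comparing it against the single role you meant to grant is the cheapest way to catch an over-broad grant.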