
Azure set AAD registered application policies


I have registered an app in Azure AADB2C, and I need to specify that the app requires 2FA enabled before AAD will issue a token, and that the lifetime of the token should be 45 minutes.

Can anyone help? I'm clueless!

This is what I have tried so far

az login --allow-no-subscriptions --tenant 46e0e59c-****   # GUID of AAD tenant
Connect-MgGraph -TenantId 46e0e59c-****                    # same GUID as above

# Create a token lifetime policy
$params = @{
    Definition = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"PT45M"}}')
    DisplayName = "WebPolicyScenario"
    IsOrganizationDefault = $false
}
$tokenLifetimePolicyId=(New-MgPolicyTokenLifetimePolicy -BodyParameter $params).Id

But I get the following

New-MgPolicyTokenLifetimePolicy : Insufficient privileges to complete the operation.
At C:\data\mine\AirSoftwareLtd\ClientData\CommissioningAlliance\CASA\Infrastructure\dev.ps1:9 char:1
+ $tokenLifetimePolicyId=(New-MgPolicyTokenLifetimePolicy -BodyParamete ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ body = Micros...ifetimePolicy }:<>f__AnonymousType0`1) [New-MgPolic
   yTokenLifetimePolicy_Create1], RestException`1
    + FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.NewMgPolicyTokenLifetimeP
   olicy_Create1

UPDATE: With help from @rukmini I now have the following:

Connect-MgGraph -TenantId 46e0e59c-4d82-4db4-bf08-4a152993cdde -Scopes "Policy.ReadWrite.AuthenticationMethod","Policy.ReadWrite.ApplicationConfiguration","Policy.ReadWrite.TrustFramework"

$params = @{
    Definition = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:45:00"}}')
    DisplayName = "WebPolicyScenario"
    IsOrganizationDefault = $false
}
$tokenLifetimePolicyId=(New-MgPolicyTokenLifetimePolicy -BodyParameter $params).Id

When I try to append the following script to assign the policy to the app, I get the same "insufficient privileges" error:

$params = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$tokenLifetimePolicyId"
}

$applicationObjectId="6e5d07b5-0e86-473a-97e5-6684d0874b99"

New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $applicationObjectId -BodyParameter $params

Solution

  • I tried to reproduce the same in my environment and got the same error like below:

    The error usually occurs if the user does not have the required permissions to perform the operation.

    To resolve the error, make sure to assign the Global Administrator role and connect to MgGraph with the Policy.ReadWrite.TrustFramework scope.

    To create the Token lifetime Policy, I modified the script like below:

    Connect-MgGraph -TenantId TenantID -Scopes "Policy.ReadWrite.TrustFramework"

    $params = @{
        Definition = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:45:00"}}')
        DisplayName = "WebPolicyScenario"
        IsOrganizationDefault = $false
    }
    $tokenLifetimePolicyId=(New-MgPolicyTokenLifetimePolicy -BodyParameter $params).Id


    After assigning the Token Lifetime Policy, when I generated an access token its lifetime was 45 minutes, as below:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    
    client_id:ClientID
    client_secret:ClientSecret
    scope:https://graph.microsoft.com/.default
    grant_type:client_credentials
    

    If the issue still persists, try connecting to MgGraph with the Policy.ReadWrite.AuthenticationMethod or Policy.ReadWrite.ApplicationConfiguration permission.
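The steps from the question and the answer combined into one idempotent script, as an added example rather than code from either post: it creates the 45-minute policy only if none with that display name exists, attaches it to the application object by reference, and reads the assignment back for confirmation. The $TenantId and $AppObjectId parameters, and the use of Get-MgPolicyTokenLifetimePolicy and Get-MgApplicationTokenLifetimePolicy for the lookups, are assumptions not taken from the page.

```powershell
# Added example, not the question's or the answer's code.
# Assumed inputs: the tenant id and the application *object* id (the value
# New-MgApplicationTokenLifetimePolicyByRef expects, not the client/app id).
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $AppObjectId,
    [string] $PolicyName = "WebPolicyScenario"
)

# Request the scopes named on this page as an array, one element per scope.
Connect-MgGraph -TenantId $TenantId -Scopes @(
    "Policy.ReadWrite.ApplicationConfiguration",
    "Policy.ReadWrite.TrustFramework"
)

# Reuse an existing policy with this display name instead of creating a duplicate.
$policy = Get-MgPolicyTokenLifetimePolicy -All |
    Where-Object { $_.DisplayName -eq $PolicyName } |
    Select-Object -First 1
if (-not $policy) {
    $body = @{
        DisplayName           = $PolicyName
        IsOrganizationDefault = $false   # applies only to apps it is assigned to
        # 45 minutes in the hh:mm:ss form used in the updated question
        Definition            = @('{"TokenLifetimePolicy":{"Version":1,"AccessTokenLifetime":"00:45:00"}}')
    }
    $policy = New-MgPolicyTokenLifetimePolicy -BodyParameter $body
}

# Attach the policy to the app by reference unless it is already attached.
$attached = @(Get-MgApplicationTokenLifetimePolicy -ApplicationId $AppObjectId)
if ($attached.Id -notcontains $policy.Id) {
    $ref = @{
        "@odata.id" = "https://graph.microsoft.com/v1.0/policies/tokenLifetimePolicies/$($policy.Id)"
    }
    New-MgApplicationTokenLifetimePolicyByRef -ApplicationId $AppObjectId -BodyParameter $ref
}

# Read the assignment back so the change can be confirmed and recorded.
Get-MgApplicationTokenLifetimePolicy -ApplicationId $AppObjectId |
    Select-Object Id, DisplayName, @{ Name = 'Definition'; Expression = { $_.Definition -join '' } }
```

Both Graph write calls fail with the same Authorization_RequestDenied shown in the question when the signed-in account lacks the role or consented scope, so run the verification step under the same account that will own the change.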