msgraph-sdk-powershell
New options for Update-MgServicePrincipal
Hello together!
First of all, thank you very much for your efforts!
Is your feature request related to a problem? Please describe.
We want to add two options to a SAML authentication via Update-MgServicePrincipal. We enter the two values in the body, but unfortunately they are not set in the object.
"idpReplyUrl": "$private_vcloud_url/login/org/$customer_token/saml/SSO/alias/vcd",
"idpIdentifier": "$($saml_identifier)",
Describe the solution you'd like
It would be nice if we could use the Update-MgServicePrincipal to set the two entries directly via parameters or specify them in the body.
Describe alternatives you've considered
We are currently using a different endpoint, which we can only address with user credentials. Unfortunately, app registration with certificate authentication is not possible.
Invoke-RestMethod -Method Post -Uri "https://main.iam.ad.ext.azure.com/api/ApplicationSso/$($ServicePrincipal.id)/FederatedSsoConfigV4/$($ServicePrincipal.appid)" -ContentType "application/json" -Body $body_set_federation -Headers $header_set_federation
Kind regards Marcel
Hi @Anaxadora, as per the API documentation here, the Update-MgServicePrincipal command is for updating property values in a service principal object. I think the cmdlet that you should be using is New-MgServicePrincipal. Please refer to the API doc here.
Hello @timayabi2020, thanks for the feedback.
I use the Invoke-MgInstantiateApplicationTemplate command to create the SAML app and enter 8adf8e6e-67b2-4cf2-a259-e3dc5476c621 as ApplicationTemplateId so that it is created as a "non-gallery app". I then make the other configurations myself.
The problem is that the IdentifierUri is not set as the default, as is possible with the RedirectUris.
$MicrosoftGraphWebApplication = New-Object -TypeName "Microsoft.Graph.PowerShell.Models.MicrosoftGraphWebApplication"
$MicrosoftGraphWebApplication.LogoutUrl = "$private_vcloud_url/login/org/$customer_token/saml/SingleLogout/alias/vcd"
$MicrosoftGraphWebApplication.RedirectUris = @("$private_vcloud_url/login/org/$customer_token/saml/SSO/alias/vcd")
Update-MgApplication -ApplicationId $Application.Id -Web $MicrosoftGraphWebApplication

$MicrosoftGraphWebApplication.RedirectUriSettings = New-Object -TypeName "Microsoft.Graph.PowerShell.Models.MicrosoftGraphRedirectUriSettings"
$MicrosoftGraphWebApplication.RedirectUriSettings = @{ Uri = "$private_vcloud_url/login/org/$customer_token/saml/SSO/alias/vcd"; Index = 0 }
Update-MgApplication -ApplicationId $Application.Id -Web $MicrosoftGraphWebApplication `
    -DefaultRedirectUri "$private_vcloud_url/login/org/$customer_token/saml/SSO/alias/vcd" `
    -IdentifierUris @($saml_identifier)
With the parameter -DefaultRedirectUri it is possible to set the RedirectUri as default. Unfortunately, there is no -DefaultIdentifierUri parameter. I then took a look at the REST API and realised that it is currently not possible to set the value with the Graph API. Currently it only seems to work with the "https://main.iam.ad.ext.azure.com/api/ApplicationSso/$($ServicePrincipal.id)/FederatedSsoConfigV4/$($ServicePrincipal.appid)" endpoint. This sets the idpIdentifier property in the background, which sets the IdentifierUri as the default.
I opened a request for this a few days ago in Microsoft's feedback portal. I think they have to build it into the Graph API first so that it can be built into the PowerShell SDK.
With this I close the request here.
Thanks anyway!
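The sequence Marcel describes (instantiate the non-gallery template, then set reply URL, logout URL, default reply URL and identifier URI on the application), followed by a read-back check, as an added example that is not part of the issue thread or the SDK's own documentation. It assumes the Microsoft.Graph module is installed and a session with Application.ReadWrite.All; $private_vcloud_url, $customer_token and $saml_identifier are constructed placeholders for the variables used in the thread, and Test-SamlAppConfig is a hypothetical helper, not an SDK cmdlet. The original issue is that values sent in a body were silently not stored, so the point of the helper is to compare what Graph returns with what was sent rather than trusting the PATCH.

```powershell
# Added example (not from the issue or the SDK docs). Assumes the Microsoft.Graph
# module is installed and the session holds Application.ReadWrite.All.
# $private_vcloud_url, $customer_token and $saml_identifier are constructed
# placeholders standing in for the variables used in the thread.
$private_vcloud_url = 'https://vcloud.example.invalid'   # constructed placeholder
$customer_token     = 'customer-org'                     # constructed placeholder
$saml_identifier    = 'urn:example:vcd:customer-org'     # constructed placeholder

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.ReadWrite.All'

# 1. Create application + service principal from the "non-gallery" template
#    (template id as quoted in the thread).
$instantiated = Invoke-MgInstantiateApplicationTemplate `
    -ApplicationTemplateId '8adf8e6e-67b2-4cf2-a259-e3dc5476c621' `
    -DisplayName 'vCloud SAML (example)'
$appId = $instantiated.Application.Id

$ssoUrl    = "$private_vcloud_url/login/org/$customer_token/saml/SSO/alias/vcd"
$logoutUrl = "$private_vcloud_url/login/org/$customer_token/saml/SingleLogout/alias/vcd"

# 2. Reply URL, logout URL, default reply URL and identifier URI in one PATCH.
#    -Web accepts a hashtable, so the New-Object model classes are not required.
Update-MgApplication -ApplicationId $appId `
    -Web @{ RedirectUris = @($ssoUrl); LogoutUrl = $logoutUrl } `
    -DefaultRedirectUri $ssoUrl `
    -IdentifierUris @($saml_identifier)

# 3. Read the application back and compare with what was sent. A property that
#    Graph ignored shows up here as $false instead of as a failed SAML sign-in.
#    (Hypothetical helper; not an SDK cmdlet.)
function Test-SamlAppConfig {
    param(
        [string]$ApplicationId,
        [string]$ExpectedSsoUrl,
        [string]$ExpectedIdentifier
    )
    $app = Get-MgApplication -ApplicationId $ApplicationId
    [pscustomobject]@{
        RedirectUriSet     = ($app.Web.RedirectUris -contains $ExpectedSsoUrl)
        DefaultRedirectSet = ($app.DefaultRedirectUri -eq $ExpectedSsoUrl)
        IdentifierUriSet   = ($app.IdentifierUris -contains $ExpectedIdentifier)
    }
}

Test-SamlAppConfig -ApplicationId $appId `
    -ExpectedSsoUrl $ssoUrl `
    -ExpectedIdentifier $saml_identifier
```

The helper deliberately checks only properties the Graph application resource exposes (web.redirectUris, defaultRedirectUri, identifierUris). The "default identifier URI" that the thread's idpIdentifier value controls has no Graph-readable counterpart according to the thread's conclusion, so it cannot be verified this way; treat a SAML app configured through the SDK as having that value unset until Graph exposes it.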