Description
Hello.
I want to create a SAML app using the application template ID for custom apps - 8adf8e6e-67b2-4cf2-a259-e3dc5476c621. I use:
New-AzADApplication -DisplayName test-ag-asdsa2 -ApplicationTemplateId 8adf8e6e-67b2-4cf2-a259-e3dc5476c621
but receive this error:
Az.MSGraph.internal\New-AzADApplication : Insufficient privileges to complete the operation.
At C:\Program Files\WindowsPowerShell\Modules\Az.Resources\5.2.0\MSGraph.Autorest\custom\New-AzADApplication.ps1:702 char:5
+ $app = Az.MSGraph.internal\New-AzADApplication @PSBoundParameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ({ body = {
"...reADMyOrg"
} }:<>f__AnonymousType6`1) [New-AzADApplication_CreateExpanded], Exception
+ FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Cmdlets.NewAzADApplication_CreateExpanded
New-AzADApplication works well if I don't use the -ApplicationTemplateId parameter. So I'm not sure what privileges are required and where I should specify them, because I logged in using my user account, not an SP.
Issue script & Debug output
New-AzADApplication -DisplayName test-ag-asdsa2 -ApplicationTemplateId 8adf8e6e-67b2-4cf2-a259-e3dc5476c621 -Debug
DEBUG: [CmdletBeginProcessing]: Starting command
Confirm
Continue with this operation?
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): A
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
Confirm
Are you sure you want to perform this action?
Performing the operation "New-AzADApplication_CreateExpanded" on target "Call remote 'ApplicationsApplicationCreateApplication' operation".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
DEBUG: [CmdletProcessRecordAsyncStart]: Created new QosEvent for command 'New-AzADApplication_CreateExpanded'
DEBUG: CmdletProcessRecordAsyncStart:
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /applications
DEBUG: RequestCreated: /v1.0/applications
DEBUG: HeaderParametersAdded:
DEBUG: BodyContentSet:
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
POST
Absolute Uri:
https://graph.microsoft.com/v1.0/applications
Headers:
x-ms-unique-id : 86
x-ms-client-request-id : 1c301888-b279-4349-9028-f43fdbb36186
CommandName : Az.MSGraph.internal\New-AzADApplication
FullCommandName : New-AzADApplication_CreateExpanded
ParameterSetName : __AllParameterSets
User-Agent : AzurePowershell/v0.0.0,PSVersion/v5.1.19041.1320,Az.MSGraph/5.2.0
Body:
{
"displayName": "test-ag-asdsa2",
"applicationTemplateId": "8adf8e6e-67b2-4cf2-a259-e3dc5476c621",
"signInAudience": "AzureADMyOrg"
}
DEBUG: BeforeCall:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
Forbidden
Headers:
Transfer-Encoding : chunked
Strict-Transport-Security : max-age=31536000
request-id : 6e136ea7-8d00-464d-9c29-45bf6998f1c8
client-request-id : 6e136ea7-8d00-464d-9c29-45bf6998f1c8
x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"West Europe","Slice":"E","Ring":"5","ScaleUnit":"004","RoleInstance":"AM2PEPF00005517"}}
x-ms-resource-unit : 1
Cache-Control : no-cache
Date : Fri, 04 Feb 2022 13:06:13 GMT
Body:
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"date": "2022-02-04T13:06:13",
"request-id": "6e136ea7-8d00-464d-9c29-45bf6998f1c8",
"client-request-id": "6e136ea7-8d00-464d-9c29-45bf6998f1c8"
}
}
}
DEBUG: ResponseCreated:
DEBUG: BeforeResponseDispatch:
Confirm
Insufficient privileges to complete the operation.
[Y] Yes [A] Yes to All [H] Halt Command [S] Suspend [?] Help (default is "Y"): A
Az.MSGraph.internal\New-AzADApplication : Insufficient privileges to complete the operation.
At C:\Program Files\WindowsPowerShell\Modules\Az.Resources\5.2.0\MSGraph.Autorest\custom\New-AzADApplication.ps1:702 char:5
+ $app = Az.MSGraph.internal\New-AzADApplication @PSBoundParameters
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ({ body = {
"...reADMyOrg"
} }:<>f__AnonymousType6`1) [New-AzADApplication_CreateExpanded], Exception
+ FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Cmdlets.NewAzADApplication_CreateExpanded
DEBUG: [Finally]: Getting exception 'Microsoft.Azure.Commands.Common.Exceptions.AzPSCloudException: InternalException' from response
DEBUG: Finally:
DEBUG: CmdletAfterAPICall:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
DEBUG: AzureQoSEvent: Module: Az.MSGraph:5.2.0; CommandName: New-AzADApplication_CreateExpanded; PSVersion: 5.1.19041.1320; IsSuccess: False; Duration: 00:00:00;
Exception: InternalException;
DEBUG: Finish sending metric.
DEBUG: CmdletEndProcessing:
Environment data
Name Value
---- -----
PSVersion 5.1.19041.1320
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.19041.1320
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Module versions
ModuleType Version Name
---------- ------- ----
Script 2.7.1 Az.Accounts
Script 1.7.3 Az.Automation
Script 5.2.0 Az.Resources
Binary 2.0.2.138 AzureADPreview
Error output
No response