How to create a service principal using the MSOL CMDLETS for use with the WAAD Graph API

This blog post assumes that you are familiar with the Microsoft Online (MSOL) PowerShell cmdlets and how to use them to make general connections to your MSOL tenant. If you have not used these cmdlets, or need information on how to load them onto a system and then into a PowerShell instance, visit the "Manage Windows Azure AD using Windows PowerShell" TechNet link.

Be sure to install the Microsoft Online Services Sign-In Assistant for IT Professionals RTW. If you don't install it, the current version of the MSOL cmdlets will not install.

As the Graph API becomes more widely used, we have seen customers who would like to create service principals for use with the Graph API using the MSOL cmdlets. If you create the service principal with the default parameters and then attempt to use it to authenticate to the Azure Access Control Service, you see HTTP traffic similar to the following:

Request:
POST /mytenant.onmicrosoft.com/oauth2/token?api-version=1.0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: login.windows.net
Expect: 100-continue
Content-Length: 181

grant_type=client_credentials&resource=https%3a%2f%2fgraph.windows.net&client_id=6d255101-1feb-4729-af36-d24929f5b238&cllient_secret=FG7T621xEod%2FdUm85xTOph8vlLfvRzzqndoiIdisVQ0%3D

Response:
HTTP/1.1 400 Bad Request
Cache-Control: private
Content-Type: application/json; charset=utf-8
Server: Microsoft-IIS/8.0
x-ms-request-id: ef6fa2b1-3465-41f6-8194-98fa6a628656
request-id: ef6fa2b1-3465-41f6-8194-98fa6a628656
X-Content-Type-Options: nosniff
X-Powered-By: ARR/2.5
X-Powered-By: ASP.NET
Date: Thu, 21 Nov 2013 18:30:48 GMT
Content-Length: 420

{"error":"invalid_request","error_description":"ACS90011: The required field \u0027client_secret\u0027 is missing.\r\nTrace ID: ef6fa2b1-3465-41f6-8194-98fa6a628656\r\nCorrelation ID: 2a4b57c9-283a-42f5-94bd-766b26e5df35\r\nTimestamp: 2013-11-21 18:30:48Z","error_codes":[90011],"timestamp":"2013-11-21 18:30:48Z","trace_id":"ef6fa2b1-3465-41f6-8194-98fa6a628656","correlation_id":"2a4b57c9-283a-42f5-94bd-766b26e5df35"}

In my tests, I have tried many things to use the secret or key provided by the default parameters on the New-MSOLServicePrincipal cmdlet, and the results were equally unsuccessful. I tried several different types for the secret using the -Type parameter. When I used -Type Password and provided a strong password as the secret, then used the password as the client_secret property in the ACS request, I was able to retrieve an authorization token I could use in other Graph REST requests, as long as I remembered to add the service principal to the appropriate roles in my WAAD and O365 tenants.

Use the following sequence of cmdlets to create a service principal, set the client_secret value to a password, and then add the service principal to the appropriate roles in the WAAD and the O365 tenant. In my example below, I added the service principal to the "Directory Writers" role (giving the SP both read and write access to the WAAD instance) and to the "Helpdesk Administrator" role (giving the SP limited admin rights in the O365 tenant). If you want the service principal to be able to delete objects from the O365 tenant or from the WAAD instance, also add it to the "User Account Administrator" role.

PS C:\WINDOWS\system32> new-msolserviceprincipal -DisplayName "Test Password" -Type Password -Value 'Password1'

DisplayName           : Test Password
ServicePrincipalNames : {e452f0fe-6f1d-4422-8e1e-4e76993cac55}
ObjectId              : a494c267-e824-451d-8d4b-20602ab50438
AppPrincipalId        : e452f0fe-6f1d-4422-8e1e-4e76993cac55
TrustedForDelegation  : False
AccountEnabled        : True
Addresses             : {}
KeyType               : Password
KeyId                 : 2ddd8da2-966f-434c-971c-385af12a44bc
StartDate             : 11/21/2013 8:07:30 PM
EndDate               : 11/21/2014 8:07:30 PM
Usage                 : Verify

PS C:\WINDOWS\system32> add-msolrolemember -RoleName "Directory Writers" -RoleMemberType ServicePrincipal -RoleMemberObjectId a494c267-e824-451d-8d4b-20602ab50438

PS C:\WINDOWS\system32> add-msolrolemember -RoleName "Helpdesk Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId a494c267-e824-451d-8d4b-20602ab50438

PS C:\WINDOWS\system32> add-msolrolemember -RoleName "User Account Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId a494c267-e824-451d-8d4b-20602ab50438

Making note of the AppPrincipalId (487d6e12-bf47-4d5a-a765-4962a8fff422 in the example above) and the password I set using the MSOL cmdlet (Pass@Word!), and then using one of my previous blog posts, "Using Fiddler to acquire a JWT (JSON Web Token) for use with the Graph API", I can test my service principal and its secret.
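The same token request as in the trace above, sent from PowerShell instead of Fiddler, as an added example that is not part of the original post. The tenant name and AppPrincipalId are placeholders, and the password is read from a prompt so that it is not stored in the script.

```powershell
# Added example: client_credentials token request against the endpoint shown in the trace.
# $Tenant and $ClientId are placeholders; use your tenant domain and the AppPrincipalId.
$Tenant   = 'mytenant.onmicrosoft.com'
$ClientId = '<AppPrincipalId>'

# Read the password interactively so it does not end up in the script or command history.
$secure = Read-Host -Prompt 'Service principal password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}

# A hashtable body is sent as application/x-www-form-urlencoded, with each value
# URL-encoded. The field names must match exactly or ACS answers with ACS90011.
$body = @{
    grant_type    = 'client_credentials'
    resource      = 'https://graph.windows.net'
    client_id     = $ClientId
    client_secret = $secret
}
$uri = "https://login.windows.net/$Tenant/oauth2/token?api-version=1.0"

try {
    $token = Invoke-RestMethod -Method Post -Uri $uri -Body $body
} catch {
    # Show the JSON error body (error, error_description, trace_id) when one is returned.
    Write-Error "Token request failed: $($_.Exception.Message)"
    if ($_.ErrorDetails) { Write-Error $_.ErrorDetails.Message }
    return
}

# A JWT is header.payload.signature, each part base64url-encoded.
# Decode the payload to review the claims before using the token.
$payload = $token.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
$claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) |
    ConvertFrom-Json
$claims | Format-List
```

Decoding the payload only displays the claims; it does not validate the token's signature.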

Once I have the authorization token, I can use it in other Graph requests. The key is to specify -Type Password and provide a strong password in the -Value parameter (-Value "StrongPassword!1") of the New-MSOLServicePrincipal cmdlet call.
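To review what the sequence above granted, the following added example (not from the original post) lists the service principal's credentials with their expiry dates and the directory roles it is a member of. It assumes an existing Connect-MsolService session and uses the ObjectId from the session output above.

```powershell
# Added example: review a service principal's credentials and role memberships.
# Assumes Connect-MsolService has already been run in this session.
$SpObjectId = 'a494c267-e824-451d-8d4b-20602ab50438'   # ObjectId from the session output

$sp = Get-MsolServicePrincipal -ObjectId $SpObjectId

# List credential metadata only; -ReturnKeyValues $false keeps key material out of the output.
$credentials = Get-MsolServicePrincipalCredential -ObjectId $SpObjectId -ReturnKeyValues $false |
    ForEach-Object {
        [pscustomobject]@{
            KeyId    = $_.KeyId
            Type     = $_.Type
            Usage    = $_.Usage
            EndDate  = $_.EndDate
            # Approximate days remaining before the credential expires.
            DaysLeft = [int](($_.EndDate - (Get-Date)).TotalDays)
        }
    }

# Walk every directory role and keep the ones this service principal belongs to.
$roles = foreach ($role in Get-MsolRole) {
    $isMember = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Where-Object { $_.ObjectId -eq $SpObjectId }
    if ($isMember) { $role.Name }
}

"Service principal: $($sp.DisplayName) (AppPrincipalId $($sp.AppPrincipalId))"
$credentials | Sort-Object EndDate | Format-Table -AutoSize
"Roles: $($roles -join ', ')"
```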