how to fix Remove-MgApplicationKey : Insufficient privileges to complete the operation ?

Question

how to fix Remove-MgApplicationKey : Insufficient privileges to complete the operation ?

Hartadi, Haryanto 0

Hi all,

I'm trying to make some graph powershell script to delete expired keys

I gave require scope for connect-graph (my id is global admin) , but still showing Insufficient privileges to complete the operation. Please help

this is the command on the scripts

$apiPermissionScopes = @("Auditlog.read.all", "Application.ReadWrite.All", "group.readwrite.all","Directory.ReadWrite.All", "IdentityRiskyUser.ReadWrite.All","DelegatedPermissionGrant.ReadWrite.All","User.readwrite.all","AppRoleAssignment.ReadWrite.All")

Connect-MgGraph-Scopes $apiPermissionScopes -ErrorAction Stop -NoWelcome

Remove-MgApplicationKey -ApplicationID $IDs.Id -KeyId $ExpiredKey

this is the result of error

Remove-MgApplicationKey : Insufficient privileges to complete the operation.

Status: 403 (Forbidden)

ErrorCode: Authorization_RequestDenied

Date: 2024-03-07T20:00:18

Headers:

Transfer-Encoding : chunked

Vary : Accept-Encoding

Strict-Transport-Security : max-age=31536000

request-id : 39648e85-3958-47b0-8659-39ea5079b345

client-request-id : 03e6186f-c5df-4678-a8b1-bc46a0280dc7

x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Canada

Central","Slice":"E","Ring":"5","ScaleUnit":"002","RoleInstance":"YT2PEPF00000167"}}

x-ms-resource-unit : 1

Connection : keep-alive

Cache-Control : proxy-revalidate, no-cache

Date : Thu, 07 Mar 2024 20:00:17 GMT

1 answer

Your answer

Answer 1

CarlZhao-MSFT 46,376

Hi @Hartadi, Haryanto

First determine whether you are trying to delete the app's password or the certificate key credentials associated with the app.

If you are trying to remove expired key credentials from your app, you will also need to pass the proof attribute in the request body.

Import-Module Microsoft.Graph.Applications

$params = @{
	keyId = "f0b0b335-1d71-4883-8f98-567911bfdca6"
	proof = "eyJ0eXAiOiJ..."
}

Remove-MgApplicationKey -ApplicationId $applicationId -BodyParameter $params

If you are trying to remove an app's expired client secret, then you should call the /removePassword endpoint.

Import-Module Microsoft.Graph.Applications

$params = @{
	keyId = "f0b0b335-1d71-4883-8f98-567911bfdca6"
}

Remove-MgApplicationPassword -ApplicationId $appObjectId -BodyParameter $params

Hope this helps.

If the reply is helpful, please click Accept Answer and kindly upvote it. If you have additional questions about this answer, please click Comment.

Hartadi, Haryanto 0 Reputation points

2024-03-08T16:38:49.0466667+00:00

CarlZhao-MSFT thank you for response.
I was looking to remove all expired client secret on the apps by using graph PowerShell.

I have my id with tons of scope, and still not able to delete the key with Remove-MgApplicationKey -ApplicationID <AppID> -KeyId <expired key id>

I tried to use -BodyParameter, however I can't find any info about proof value. any advise?
Hartadi, Haryanto 0 Reputation points

2024-03-08T16:50:49.9733333+00:00

stupid question. what the different between password and key ?
CarlZhao-MSFT 46,376 Reputation points

2024-03-11T08:36:19.9+00:00

Hi @Hartadi, Haryanto

ApplicationPassword, also known as client secret, is a string value used for simple authentication flows, such as the OAuth client credentials flow. It allows an application to authenticate on its own behalf without user interaction.

ApplicationKey refers to certificates or keys associated with an application registration. These keys are used to prove the identity of the application and are typically used in more complex scenarios, such as certificate-based authentication.
Hartadi, Haryanto 0 Reputation points

2024-03-11T13:46:36.5566667+00:00
Hi @CarlZhao-MSFT
thank you for explanation. I made try for both advise, however the issue still remain.

Although I gave these permission
$apiPermissionScopes = @("Auditlog.read.all", "Application.ReadWrite.All", "group.readwrite.all","Directory.ReadWrite.All", "IdentityRiskyUser.ReadWrite.All","DelegatedPermissionGrant.ReadWrite.All","User.readwrite.all","AppRoleAssignment.ReadWrite.All","GroupMember.Read.All","RoleManagement.Read.Directory","Policy.ReadWrite.ApplicationConfiguration","email")

Connect-MgGraph -tenant $Tenant -Scopes $apiPermissionScopes -ErrorAction Stop -NoWelcome

this is the error.

Remove-MgApplicationKey : Insufficient privileges to complete the operation.

Status: 403 (Forbidden)

ErrorCode: Authorization_RequestDenied

Date: 2024-03-11T13:45:00

Headers:

Transfer-Encoding : chunked

Vary : Accept-Encoding

Strict-Transport-Security : max-age=31536000

request-id : 4e126374-ee77-47ba-ac5f-28289f0df5cf

client-request-id : d18a3f3b-21f6-4c4f-ac46-08479e6c5c10

x-ms-ags-diagnostic : {"ServerInfo":{"DataCenter":"Canada

Central","Slice":"E","Ring":"5","ScaleUnit":"001","RoleInstance":"YT1PEPF00002077"}}

x-ms-resource-unit : 1

Connection : keep-alive

Cache-Control : proxy-revalidate, no-cache

Date : Mon, 11 Mar 2024 13:44:59 GMT

At line:147 char:5

Remove-MgApplicationKey -ApplicationID $IDs.Id -KeyId $ExpiredKey

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CategoryInfo : InvalidOperation: ({ ApplicationId...ionJsonSchema }:<>f__AnonymousType0`3) [Remove-MgAp

plicationKey_RemoveExpanded], Exception

FullyQualifiedErrorId : Authorization_RequestDenied,Microsoft.Graph.PowerShell.Cmdlets.RemoveMgApplicationKey_Re

moveExpanded
CarlZhao-MSFT 46,376 Reputation points

2024-03-12T07:00:15.4633333+00:00
Hi @Hartadi, Haryanto

Like I said in my answer, you should use Remove-MgApplicationPassword instead of Remove-MgApplicationKey to remove expired client secrets.

Import-Module Microsoft.Graph.Applications $params = @{ keyId = "f0b0b335-1d71-4883-8f98-567911bfdca6" } Remove-MgApplicationPassword -ApplicationId $appObjectId -BodyParameter $params
CarlZhao-MSFT 46,376 Reputation points

2024-03-18T07:37:30.96+00:00

Hi @Hartadi, Haryanto

Is there anything else I can help you with regarding this issue? If you still need further help, please feel free to let me know. If your question has been solved, then you can click "Accept Answer", which may help members with similar questions find the answer easily. Thank you very much!

Share via

how to fix Remove-MgApplicationKey : Insufficient privileges to complete the operation ?

1 answer

Your answer