Azure AD PowerShell: Grant consent failed with error: Application is requesting permissions that are either invalid or out of date
I'm trying to create an Azure AD app with Application and Delegated permissions set for the O365 API. The script works fine, but when I try to grant consent from the Azure portal, it shows the error below:
Grant consent failed with error: Application '5a61ff93-7076-44a7-980f-d40def08ee9b' is requesting permissions that are either invalid or out of date. [wyvzL7hZM8VOZFL0Sv4kCF]
The permission GUIDs are correct. Actually the issue is setting the Application type permissions. The delegated/OAuth2 permissions can be granted consent without any error.
As you see, the permissions are set (both Application and Delegated):

But upon granting consent, I see the error below:

```powershell
# This script creates a new Azure AD application
# and sets the Application and Delegated permissions for a specific API (O365)
$Connection = Connect-AzureAD
# %M is minutes; %m (month) was used twice in the original format string
$CurrentDateTime = Get-Date -UFormat "%Y-%m-%d_%H-%M-%S"
$ApplicationDisplayName = "Splunk Office 365 App_" + $CurrentDateTime
# Get the service principal for the Office 365 Management APIs
$ServicePrincipalO365API = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq "Office 365 Management APIs" }
# Get the application permissions (AppRoles) we want from the O365 API
$ServicePrincipalO365APIAppRoles = $ServicePrincipalO365API.AppRoles | Where-Object { $_.Value -match "\bActivityReports\.Read\b|\bActivityFeed\.ReadDlp\b|\bServiceHealth\.Read\b" }
# Get the delegated permissions (OAuth2 scopes) we want from the O365 API
$ServicePrincipalO365APIDelegatedRoles = $ServicePrincipalO365API.Oauth2Permissions | Where-Object { $_.Value -match "\bActivityReports\.Read\b|\bActivityFeed\.ReadDlp\b|\bServiceHealth\.Read\b" }
# Create a Required Resource Access object for Office 365
$RequiredResourceAccessO365API = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$RequiredResourceAccessO365API.ResourceAppId = $ServicePrincipalO365API.AppId
$ServicePrincipalO365APIAppRolesSelectedPermissions = @()
# Build a ResourceAccess entry of type "Role" for each Application permission
foreach ($ServicePrincipalO365APIAppRole in $ServicePrincipalO365APIAppRoles)
{
    $Permission = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $ServicePrincipalO365APIAppRole.Id, "Role"
    $ServicePrincipalO365APIAppRolesSelectedPermissions += $Permission
}
# Build a ResourceAccess entry of type "Scope" for each Delegated permission
foreach ($ServicePrincipalO365APIDelegatedRole in $ServicePrincipalO365APIDelegatedRoles)
{
    $Permission = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $ServicePrincipalO365APIDelegatedRole.Id, "Scope"
    $ServicePrincipalO365APIAppRolesSelectedPermissions += $Permission
}
# Assign all the permissions to the Required Resource Access for the O365 API
$RequiredResourceAccessO365API.ResourceAccess = $ServicePrincipalO365APIAppRolesSelectedPermissions
# Create the password credential for the new app
Add-Type -AssemblyName System.Web
$ApplicationPassword = [System.Web.Security.Membership]::GeneratePassword(32, 2)
$ApplicationPassword = $ApplicationPassword.Replace("+", "_")
$ApplicationPassword = $ApplicationPassword.Replace("-", "_")
$keyId = (New-Guid).ToString()
$fromDate = [System.DateTime]::Now
$durationInYears = 5
$endDate = $fromDate.AddYears($durationInYears)
# PasswordCredential(customKeyIdentifier, endDate, keyId, startDate, value)
$Applicationkey = New-Object Microsoft.Open.AzureAD.Model.PasswordCredential($null, $endDate, $keyId, $fromDate, $ApplicationPassword)
# Create the new app with the password credential
$aadApplication = New-AzureADApplication -DisplayName $ApplicationDisplayName -PasswordCredentials $Applicationkey
Write-Output "Application created"
# Set the permissions
Set-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $RequiredResourceAccessO365API
Write-Output "Application permissions set"
```
EDIT
I add the application permissions to a list and assign it to an object of type "Microsoft.Open.AzureAD.Model.RequiredResourceAccess":

```powershell
$RequiredResourceAccessO365API.ResourceAccess = $ServicePrincipalO365APIAppRolesSelectedPermissions
```

But the ResourceAccess property of "Microsoft.Open.AzureAD.Model.RequiredResourceAccess" takes only OAuth, i.e. Delegated, permissions.
So how can one add the application permissions to it? Is this why I'm not able to grant consent for application permissions? Is there an alternative?
Solution 1:[1]
I tried to reproduce the same error in my environment. I have created an Azure AD application and granted the same permissions using your PowerShell script.
I got the same error while trying to grant admin consent, as below:
The ActivityReports.Read API permission is used to read activity reports of your organization.
Before adding this permission, you need to enable Audit Logs in Office365. Check whether that permission is enabled or not like below:
If you try to grant admin consent without enabling this, you will get that error.
I tried removing the ActivityReports.Read permission (both Application and Delegated) and granted admin consent successfully, like below:
If you need the ActivityReports.Read permission, add it after turning on Audit Logs for Office 365.
To learn how to enable that option in detail, make use of the links below:
Turn auditing on or off - Microsoft Purview | Microsoft Docs
How to enable and configure Office 365 logging and auditing - YouTube
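Before clicking "Grant admin consent" it is worth auditing what the app manifest actually asks for, and of which kind. The following is an added example (not code from the question or the answer above) that walks an application's RequiredResourceAccess, resolves every requested id against the target service principal's AppRoles (application permissions, type "Role") and Oauth2Permissions (delegated permissions, type "Scope"), and reports entries the resource no longer publishes, which is what the portal labels "invalid or out of date". It also flags ActivityReports.Read, since the answer above ties that permission to Office 365 audit logging being enabled. It assumes the AzureAD module is loaded and Connect-AzureAD has already been run; the function name Test-AppRequestedPermissions and the $AppObjectId placeholder are mine, not part of the module.

```powershell
# Added example: resolve and classify an Azure AD app's requested permissions.
# Assumes the AzureAD module and an existing Connect-AzureAD session.
# Test-AppRequestedPermissions is a hypothetical helper name, not an AzureAD cmdlet.
function Test-AppRequestedPermissions {
    param(
        # Placeholder: the ObjectId returned by New-AzureADApplication
        [Parameter(Mandatory = $true)][string]$AppObjectId
    )

    $app = Get-AzureADApplication -ObjectId $AppObjectId
    $report = @()

    foreach ($rra in $app.RequiredResourceAccess) {
        # Each RequiredResourceAccess block targets one API, identified by its AppId
        $sp = Get-AzureADServicePrincipal -Filter "appId eq '$($rra.ResourceAppId)'"
        if (-not $sp) {
            $report += [pscustomobject]@{
                Resource = $rra.ResourceAppId; Kind = 'n/a'; Value = 'n/a'
                Id = 'n/a'; Status = 'Resource service principal not found in tenant'
            }
            continue
        }

        foreach ($access in $rra.ResourceAccess) {
            if ($access.Type -eq 'Role') {
                # Application permission: must match an AppRole on the resource SP.
                # These always require admin consent.
                $kind  = 'Application'
                $match = $sp.AppRoles | Where-Object { $_.Id -eq $access.Id }
            }
            else {
                # Delegated permission ("Scope"): must match an OAuth2 permission.
                $kind  = 'Delegated'
                $match = $sp.Oauth2Permissions | Where-Object { $_.Id -eq $access.Id }
            }

            if (-not $match) {
                $status = 'Not published by resource (invalid or out of date)'
                $value  = 'unknown'
            }
            elseif (-not $match.IsEnabled) {
                $status = 'Published but disabled on the resource'
                $value  = $match.Value
            }
            elseif ($match.Value -eq 'ActivityReports.Read') {
                # Per the answer above: consent for this one fails until
                # Office 365 audit logging is turned on.
                $status = 'OK, but requires Office 365 Audit Logs to be enabled first'
                $value  = $match.Value
            }
            else {
                $status = 'OK'
                $value  = $match.Value
            }

            $report += [pscustomobject]@{
                Resource = $sp.DisplayName; Kind = $kind; Value = $value
                Id = $access.Id; Status = $status
            }
        }
    }
    return $report
}

# Usage, after the app has been created and its permissions set:
# Test-AppRequestedPermissions -AppObjectId $aadApplication.ObjectId | Format-Table -AutoSize
```

Two things this makes visible that the portal error hides: the ResourceAccess list of a RequiredResourceAccess object holds both "Role" and "Scope" entries side by side, so application permissions are added exactly as the question's script does, and a consent failure is tied to a specific id rather than to the whole block. Any row whose status is not "OK" is the one to remove or fix before retrying consent, and a row of kind Application is a permission the app will hold without any signed-in user, which is why it deserves the closest review.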
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | SrideviMachavarapu-MT |