Integration between Citrix Gateway and Microsoft Endpoint Management fails because OAuth status fails to move on from status GRAPH to status COMPLETE
Article ID: CTX338532
Description
Integration between Citrix Gateway and Microsoft Endpoint Management fails because OAuth status fails to move on from status GRAPH to status COMPLETE.
Closer inspection of the problem shows that Microsoft servers return 403 "Insufficient privileges to complete the operation."
Environment
Citrix is not responsible for and does not endorse or accept any responsibility for the contents or your use of these third party Web sites. Citrix is providing these links to you only as a convenience, and the inclusion of any link does not imply endorsement by Citrix of the linked Web site. It is your responsibility to take precautions to ensure that whatever Web site you use is free of viruses or other harmful items.
Resolution
Use PowerShell to achieve the desired outcome. The CLI method of configuring Azure Active Directory Graph permissions is still available at the time of publishing this support article.
Install the Azure CLI tools from PowerShell:
$ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList '/I AzureCLI.msi /quiet'; rm .\AzureCLI.msi
Install the Az module in PowerShell:
Install-Module -Name Az
Adding Azure AD Graph permissions to an application ID:
az ad app permission add --id b6a53a76-5d50-499e-beb3-c8dbdad5c40b --api 00000002-0000-0000-c000-000000000000 --api-permissions 311a71cc-e848-46a1-bdf8-97ff7156d8e6=Scope
Note that you can create a separate App Registration in Azure, where a new and unique Application ID (Client ID) becomes available. This custom Application ID can be used instead of b6a53a76-5d50-499e-beb3-c8dbdad5c40b in scenarios where it is needed. Note also that the GUIDs for all Azure AD Graph API permissions are available via one of the links in 'Additional Information'; the relevant --api-permissions values can be taken from that link.
The list of all required permissions is as follows:
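The following PowerShell script is an added example, not part of the Citrix article, showing the procedure above end to end: it adds the Azure AD Graph permissions with the Azure CLI, grants tenant-wide admin consent (the command linked under 'Additional Information'), and then reads the app registration back to confirm each entry is present. It assumes the Azure CLI is installed and you are already signed in with `az login` as an account allowed to grant admin consent; the `$Permissions` table is an assumption that holds only the one GUID from the article, and the commented placeholder is where the remaining GUIDs from the linked table go.

```powershell
# Added example (not Citrix's code): configure Azure AD Graph permissions for the
# Citrix Gateway app registration, consent to them and verify the result.
# Assumes: Azure CLI installed, 'az login' already done with an account that can grant admin consent.

$AppId      = 'b6a53a76-5d50-499e-beb3-c8dbdad5c40b'   # Citrix Gateway app ID from the article, or your own registration
$AadGraphId = '00000002-0000-0000-c000-000000000000'   # Azure AD Graph resource (API) ID from the article

# Permission GUID -> type. 'Scope' = delegated permission, 'Role' = application permission.
$Permissions = @{
    '311a71cc-e848-46a1-bdf8-97ff7156d8e6' = 'Scope'   # the entry shown in the article
    # '<permission-guid-from-linked-table>' = 'Scope' # placeholder: add the remaining required entries here
}

foreach ($guid in $Permissions.Keys) {
    $entry = "$guid=$($Permissions[$guid])"
    Write-Host "Adding $entry to application $AppId"
    az ad app permission add --id $AppId --api $AadGraphId --api-permissions $entry
    if ($LASTEXITCODE -ne 0) { throw "az ad app permission add failed for $entry" }
}

# Adding a permission only records the request on the app; the tenant still has to
# consent to it before the integration can use it.
az ad app permission admin-consent --id $AppId
if ($LASTEXITCODE -ne 0) { throw 'admin consent failed; re-run as an account permitted to grant tenant-wide consent' }

# Verify: read the required resource access back and compare with what we intended to add.
$required   = az ad app permission list --id $AppId | ConvertFrom-Json
$graphEntry = $required | Where-Object { $_.resourceAppId -eq $AadGraphId }
$configured = @($graphEntry.resourceAccess | ForEach-Object { "$($_.id)=$($_.type)" })

foreach ($guid in $Permissions.Keys) {
    $entry = "$guid=$($Permissions[$guid])"
    if ($configured -contains $entry) { Write-Host "OK: $entry" }
    else { Write-Warning "Not configured on $AppId : $entry" }
}
```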
Problem Cause
Microsoft announced the planned deprecation of Azure AD Graph, to be replaced with Microsoft Graph. Although Azure AD Graph is no longer available to add through the web portal, it can still be added by using suitable CLI tools.
Additional Information
https://docs.citrix.com/en-us/citrix-gateway/13/microsoft-intune-integration/setup-gateway-for-microvpn-integration-with-intune.html
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/end-of-support-for-azure-ad-graph-permission-sign-up-through/ba-p/2464404
https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest&tabs=azure-powershell
https://docs.microsoft.com/en-us/archive/blogs/aaddevsup/guid-table-for-windows-azure-active-directory-permissions
https://docs.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-add
https://docs.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-admin-consent