I am creating an app registration and adding app roles to the app registration via AzurePowershell task via Azure Devops YAML file.
This worked for months and the last time I did a successfull deployment was last week Thursday.
Since today I am getting the error
Access blocked to AAD Graph API for this application.
All the permissions are set correct for the app registration of the service connection DevSubscription.
I am not able to find the reason behind this error.
The service connection is created with workload identity federation. Nothing on my side has been changed. The service connection has the role "Application Administrator" assigned.
The api permissions for Microsoft graph are all configured on the app registration.
Any help is welcome.
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.microsoft.com").AccessToken
$aadToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, "https://graph.windows.net").AccessToken
Connect-AzureAD -AadAccessToken $aadToken -AccountId $context.Account.Id -TenantId $context.tenant.id -MsAccessToken $graphToken
$scope = New-Object Microsoft.Open.AzureAD.Model.OAuth2Permission
$scope.Value = "user_impersonation"
$NewApplication = New-AzureADApplication -DisplayName "$(RedirectURI)" -ReplyUrls $(URL)
$EnterpriseApplication = New-AzureADServicePrincipal -AppId $NewApplication.AppId
Thanks to @wenbo-finding-job the problem was solved by following the steps as described in the blog: