`New-Agent365ToolsServicePrincipalProdPublic.ps1` requests insufficient Graph scope — 403 on `New-MgServicePrincipal

[pdwarf]

Agent365-devTools/scripts/cli/Auth/New-Agent365ToolsServicePrincipalProdPublic.ps1

Line 193 in b76c963

Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All" -NoWelcome

Connect-MgGraph on line 193 requests only AppRoleAssignment.ReadWrite.All. New-MgServicePrincipal requires Application.ReadWrite.All. The V1 ATG SP is typically pre-existing so it skips past, but any V2 per-server SP that needs creation hits Authorization_RequestDenied (403).

Fix: add Application.ReadWrite.All to the -Scopes array.

- Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All" -NoWelcome
+ Connect-MgGraph -Scopes "Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All" -NoWelcome

CLI version: 1.1.176, PowerShell 7.5.4, macOS.

[pdwarf]

@biswapm is this sth you could look at with urgency? cc @Sunil-Garg We are taping a webinar demo for n8n soon and I'd love to be able to run scripts as they are, not have to call out any "...but to get it working, change this line like so...".

[biswapm]

Thanks for the detailed report, @pdwarf — repro and root cause are spot-on. cc @Sunil-Garg

One refinement on the fix: rather than appending Application.ReadWrite.All to the existing scope, I'd recommend replacing it. The script only calls Get-MgServicePrincipal and New-MgServicePrincipal — it doesn't touch app role assignments anywhere, so AppRoleAssignment.ReadWrite.All is dead weight from a copy-paste. Following least-privilege, the correct scope is Application.ReadWrite.All alone.

Proposed diff:

- Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All" -NoWelcome
+ Connect-MgGraph -Scopes "Application.ReadWrite.All" -NoWelcome

And the matching error-message hint at line 234 should be updated too — right now it tells users hitting the 403 to obtain AppRoleAssignment.ReadWrite.All, which wouldn't actually fix the problem:

-         Write-Host "  - AppRoleAssignment.ReadWrite.All" -ForegroundColor White
+         Write-Host "  - Application.ReadWrite.All" -ForegroundColor White

Why replace vs. append:

• Least privilege — admins running this won't be asked to grant a permission the script never exercises.
• Truthful error messages — the 403-handler hint stops misleading users.
• No re-consent risk for shrinking the scope set — reducing permissions doesn't break tenants that previously consented to the broader set.

macOS note: the change is OS-agnostic (pure scope string + a Write-Host message), and the fix has been verified against your reported environment (macOS, PowerShell 7.5.4). The only macOS-specific thing to expect is that Connect-MgGraph will open Safari/your default browser for a fresh consent prompt listing Application.ReadWrite.All only.

PR up at #415 — should unblock the n8n webinar demo.

[pdwarf]

Amazing, thanks for the fast turnaround 🔥