Azure ad app - Updating manifest programmatically

I am trying to find a way to update an Azure AD registered app's manifest via PowerShell, utilizing a JSON file.

The JSON file contains all of the app roles, and I would like to simply inject the App Roles: [] right into the App Role brackets.

Is there a way to achieve this via PowerShell or CLI?

Gvazzana asked Oct 11 '18 14:10



2 Answers

Yes you can update the Azure AD Application's manifest through PowerShell.

Specifically to add App Roles, here's a PowerShell script.

In case you're trying to do this while creating a new application, just use New-AzureADApplication instead of Set-AzureADApplication.

# Sign in to the tenant that holds the app registration
Connect-AzureAD -TenantId <Tenant GUID>

# Create an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
    $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $appRole.AllowedMemberTypes.Add("User")
    $appRole.DisplayName = $Name
    $appRole.Id = New-Guid
    $appRole.IsEnabled = $true
    $appRole.Description = $Description
    $appRole.Value = $Name
    return $appRole
}

# ObjectId for application from App Registrations in your AzureAD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
Write-Host "App Roles before addition of new role.."
Write-Host $appRoles

$newRole = CreateAppRole -Name "MyNewApplicationRole" -Description "This is my new Application Role"
$appRoles.Add($newRole)

Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles
Rohit Saigal answered Sep 30 '22 16:09


Keep in mind that the "manifest", as displayed in the Azure AD portal, is nothing more than a lightly-constrained representation of the Application object, as exposed by the Azure AD Graph API: https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#application-entity

Azure AD PowerShell (the AzureAD module) is just a simple wrapper around the same API. New-AzureADApplication does a POST on /applications, Get-AzureADApplication does a GET, Set-AzureADApplication does a PATCH, and Remove-AzureADApplication does a DELETE.

So, keeping that in mind, consider the following input file app-roles.json:

[
    {
        "allowedMemberTypes": [ "Application" ],
        "description": "Read some things in the My App service",
        "displayName": "Read some things",
        "id": "b2b2e6de-bb42-41b4-92db-fda89218b5ae",
        "isEnabled": true,
        "value": "Things.Read.Some"
    },
    {
        "allowedMemberTypes": [ "User" ],
        "description": "Super admin role for My App",
        "displayName": "My App Super Admin",
        "id": "a01eca9b-0c55-411d-aa5f-d8cfdbadf500",
        "isEnabled": true,
        "value": "super_admin"
    }
]

You could use the following script to set those app roles on an app (note this will remove any existing app roles, which will cause an error if they weren't previously disabled):

$appId = "{app-id}"
$pathToAppRolesJson = "app-roles.json"

# Read all desired app roles from JSON file
$appRolesFromJson = Get-Content -Path $pathToAppRolesJson -Raw | ConvertFrom-Json

# Build a new list of Azure AD PowerShell AppRole objects
$appRolesForApp = @()
$appRolesFromJson | ForEach-Object {

    # Create new Azure AD PowerShell AppRole object for each app role
    $appRole = New-Object "Microsoft.Open.AzureAD.Model.AppRole"
    $appRole.AllowedMemberTypes = $_.allowedMemberTypes
    $appRole.Description = $_.description
    $appRole.DisplayName = $_.displayName
    $appRole.Id = $_.id
    $appRole.IsEnabled = $_.isEnabled
    $appRole.Value = $_.value

    # Add to the list of app roles
    $appRolesForApp += $appRole
}

# Update the Application object with the new list of app roles
$app = Get-AzureADApplication -Filter ("appId eq '{0}'" -f $appId)
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRolesForApp
Philippe Signoret answered Sep 30 '22 15:09
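Building on both answers, here is an added example (not code from either answer) that merges app-roles.json into the app's existing role list instead of replacing it, validates the file before calling the directory, and handles the rule that a role must be disabled in one update before it can be removed in a later one. It assumes the AzureAD module and an existing Connect-AzureAD session; the parameter names and the -RemoveRolesNotInFile switch are my own.

```powershell
# Added example: merge app-roles.json into an existing app's roles rather than replacing them.
# Assumes the AzureAD module is imported and Connect-AzureAD has already been run.
param(
    [Parameter(Mandatory)][string] $AppId,             # application (client) ID, not object ID
    [string] $PathToAppRolesJson = "app-roles.json",
    [switch] $RemoveRolesNotInFile                     # default: only disable roles missing from the file
)

$desired = @(Get-Content -Path $PathToAppRolesJson -Raw | ConvertFrom-Json)

# Validate before touching the directory: ids and values must be unique, member types must be known.
foreach ($prop in "id", "value") {
    $dupes = $desired | Group-Object -Property $prop | Where-Object { $_.Count -gt 1 }
    if ($dupes) { throw "Duplicate app role '$prop' in file: $($dupes.Name -join ', ')" }
}
foreach ($r in $desired) {
    $bad = @($r.allowedMemberTypes | Where-Object { @("User", "Application") -notcontains $_ })
    if ($bad.Count -gt 0) { throw "Role '$($r.value)' has invalid allowedMemberTypes: $($bad -join ', ')" }
}

$app = Get-AzureADApplication -Filter ("appId eq '{0}'" -f $AppId)
if (-not $app) { throw "No application registration found with appId $AppId" }

$merged = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.AppRole]'
$desiredIds = @($desired | ForEach-Object { $_.id })

# Existing roles absent from the file: Azure AD only lets you remove a role that is already
# disabled, so disable them on this run; with -RemoveRolesNotInFile a second run then drops them.
foreach ($existing in $app.AppRoles) {
    if ($desiredIds -contains $existing.Id) { continue }
    if ($RemoveRolesNotInFile -and -not $existing.IsEnabled) { continue }
    $existing.IsEnabled = $false
    $merged.Add($existing)
}

# One AppRole object per JSON entry; an entry with an existing id overwrites that role.
foreach ($r in $desired) {
    $role = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $role.AllowedMemberTypes = [System.Collections.Generic.List[string]]@($r.allowedMemberTypes)
    $role.Description = $r.description
    $role.DisplayName = $r.displayName
    $role.Id = $r.id
    $role.IsEnabled = [bool]$r.isEnabled
    $role.Value = $r.value
    $merged.Add($role)
}

Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $merged
```

Run it once to disable roles that the file no longer lists, then a second time with -RemoveRolesNotInFile to remove them; roles still assigned to users or service principals should be reviewed before that second run.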