Change Azure Active Directory "Reply URL" via Powershell command

To automate our build process, I was looking for a way to change the "Reply URL" of an existing Active Directory application via a PowerShell script.

The official documentation only describes how to change it with the help of the web portal.

There is already a GitHub issue about this topic. But maybe someone faced a similar problem in the past and solved it?

ErBeEn asked Jul 14 '16 10:07



2 Answers

With the Active Directory Powershell Module this is even simpler. You first need to install the module, like this:

Install-Module -Name AzureAD

Then you need to log in to Azure AD. This can be done interactively, if you are on a desktop, with Connect-AzureAD, which will show a popup asking you to log in. If you are e.g. in a CI environment, you can use a Service Principal to authenticate.

When authenticated, the following will do the job (remember to change the Azure AD App ID, which is the one you typically get in the error message from MS saying that Reply URL <bladibla> is not valid for application <guid>, and the reply URL):

$appId = "9e5675c3-7cd5-47c1-9d21-72204cd1fe2f" #Remember to change
$newReplyUrl = "https://mywebapp.azurewebsites.net/SignIn/"; #Remember to change

# Get Azure AD App
$app = Get-AzureADApplication -Filter "AppId eq '$($appId)'"

$replyUrls = $app.ReplyUrls;

# Add Reply URL if not already in the list
if ($replyUrls -NotContains $newReplyUrl) {
    $replyUrls.Add($newReplyUrl)
    Set-AzureADApplication -ObjectId $app.ObjectId -ReplyUrls $replyUrls
}
Erik A. Brandstadmoen answered Oct 19 '22 02:10
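As an added example (not code from either answer), here is the same idempotent add wrapped in a check that the new reply URL is absolute, uses https (loopback excepted), contains no wildcard or fragment, and is on an allow-list of hosts, with a warning for existing entries that fail the same checks. The cmdlets and parameters are the ones used in the answer above; the validation rules, the function names and the -AllowedHosts parameter are assumptions of this example.

```powershell
# Added example, not code from either answer. Cmdlet names and parameters are
# the ones used in the answer above; the validation rules and the allow-list
# parameter are this example's own assumptions.
function Test-ReplyUrl {
    param([Parameter(Mandatory)][string]$Url, [string[]]$AllowedHosts = @())
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return 'not an absolute URI'
    }
    # Loopback may use http; everything else must be https, otherwise the
    # authorization code or token is sent in clear text.
    if ($uri.Scheme -ne 'https' -and -not $uri.IsLoopback) { return 'scheme must be https' }
    if ($Url -match '\*')   { return 'wildcards are not allowed' }
    if ($uri.Fragment)      { return 'fragments are not allowed' }
    if ($AllowedHosts.Count -gt 0 -and $AllowedHosts -notcontains $uri.Host) {
        return "host '$($uri.Host)' is not on the allow-list"
    }
    return $null  # $null means the URL passed every check
}

function Add-ReplyUrlSafely {
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$NewReplyUrl,
        [string[]]$AllowedHosts = @()
    )
    $problem = Test-ReplyUrl -Url $NewReplyUrl -AllowedHosts $AllowedHosts
    if ($problem) { throw "Refusing to add '$NewReplyUrl': $problem" }

    $app = Get-AzureADApplication -Filter "AppId eq '$AppId'"
    if (-not $app) { throw "No application with AppId $AppId" }

    # Flag entries already on the app that fail the same checks, so a build
    # does not silently keep a weak reply URL somebody added by hand.
    foreach ($existing in $app.ReplyUrls) {
        $p = Test-ReplyUrl -Url $existing -AllowedHosts $AllowedHosts
        if ($p) { Write-Warning "Existing reply URL '$existing': $p" }
    }

    if ($app.ReplyUrls -contains $NewReplyUrl) { return }  # idempotent
    $urls = [System.Collections.Generic.List[string]]::new($app.ReplyUrls)
    $urls.Add($NewReplyUrl)
    Set-AzureADApplication -ObjectId $app.ObjectId -ReplyUrls $urls
}

# Constructed sample values; replace with your own app ID and URL.
Add-ReplyUrlSafely -AppId '00000000-0000-0000-0000-000000000000' `
    -NewReplyUrl 'https://mywebapp.azurewebsites.net/SignIn/' `
    -AllowedHosts @('mywebapp.azurewebsites.net')
```

Run it after Connect-AzureAD; the warnings give you a quick audit of reply URLs that were added outside the build.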


As an alternative, you can put the following script in a console application and then call this program from your Powershell script.

First of all, include the nuget package Microsoft.Azure.ActiveDirectory.GraphClient.

using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;

//First, log in to Azure:
Uri servicePointUri = new Uri("https://graph.windows.net");
Uri serviceRoot = new Uri(servicePointUri, "YourTenantId");
// AcquireTokenAsyncForUser is the author's own helper (not shown in the post); it must
// return a Task<string> holding an access token for https://graph.windows.net.
ActiveDirectoryClient activeDirectoryClient = new ActiveDirectoryClient(serviceRoot,
  async () => await AcquireTokenAsyncForUser("YourTenant.onmicrosoft.com", "ClientIdForThisApplication"));
//A popup will now be shown to you, requiring you to log in to the AAD.

//Find your application
var existingApp = activeDirectoryClient.Applications.Where(s => s.DisplayName == "NameOfYourApplication").Take(1).ExecuteAsync().Result;
if (existingApp != null && existingApp.CurrentPage != null && existingApp.CurrentPage.Count == 1)
{
  //Application found
  var app = existingApp.CurrentPage.First();

  //Change the Reply Url (this replaces the whole list with the single new entry)
  app.ReplyUrls.Clear();
  app.ReplyUrls.Add("http://YourNewReplyUrl/");

  app.UpdateAsync().Wait();
}

A bit more details about the things you will need to change:

  • YourTenantId, this is the GUID that's used to identify your Azure Active Directory (AAD).
  • YourTenant.onmicrosoft.com, basically this is the name of your AAD followed by ".onmicrosoft.com".
  • ClientIdForThisApplication, you will have to add the above console application in your AAD under applications manually (as a Native Client Application). In the Configure tab, you will find the Client ID for this application. This only needs to be done once; you can keep using this application (and its Client ID) for all your builds.
  • NameOfYourApplication, name of the application you wish to change, as it is known in your AAD.
  • http://YourNewReplyUrl/, your new reply URL.

(Small disclosure, I've scrapped the above code together from my existing code, I think I've copied all what's required, but I haven't tested the above result.)

Tom Wuyts answered Oct 19 '22 04:10