I want to automate the creation of my application in Azure AD and get back the client id generated by Azure AD.
Are there PowerShell commandlets to do this? Is there some other means, like an API of doing this besides the management console?
Can you point me to an example?
Thanks!
Go to the Azure Active Directory Admin Center and sign in using one of the roles listed in the prerequisites. In the left menu, select Enterprise applications. The All applications pane opens and displays a list of the applications in your Azure AD tenant. In the Enterprise applications pane, select New application.
To add an on-premises application to Azure AD, you need: A Microsoft Azure AD premium subscription. An application administrator account. User identities must be synchronized from an on-premises directory or created directly within your Azure AD tenants.
Applications are added to Azure AD to leverage one or more of the services it provides including: Application authentication and authorization. User authentication and authorization. SSO using federation or password.
There are a number of ways you can create an application in AAD Programatically. I will briefly cover two different ways you can go about doing this: PowerShell CMDLETs and the Graph API. In general, I would strongly reccommend using the Graph API for this.
PowerShell:
There are a few different modules running around that have the ability to create AAD Applications/Service Principals. If you need to create a new application object in your tenant, you can use Azure PowerShell to make the following call:
https://msdn.microsoft.com/en-us/library/mt603747.aspx
PS C:\> New-AzureRmADApplication -DisplayName "NewApplication" -HomePage "http://www.Contoso.com" -IdentifierUris "http://NewApplication"
If you need to create a service principal for your application in your tenant you can use Azure AD PowerShell:
https://msdn.microsoft.com/en-us/library/azure/jj151815.aspx
https://msdn.microsoft.com/en-us/library/azure/dn194119.aspx
New-MsolServicePrincipal -ServicePrincipalNames @("MyApp/Contoso.com") -DisplayName "My Application"
Graph API: (recommended)
You can also create applications by making a POST to our Graph API: https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#ApplicationEntity
We have samples that show how you can register and create an applicatoin to target the Graph API, and use the Graph Client Library to assist you in making the correct calls to the API:
https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet
I hope this helps!
I'm a little late to the party - but I recently encountered this challenge too. Here are the relevant excerpts from my solution...
First you need to get the authentication token. For this you can use this handy function.
function GetAuthToken { param ( [Parameter(Mandatory=$true)] $TenantName ) $adal = "${env:ProgramFiles(x86)}\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\Services\Microsoft.IdentityModel.Clients.ActiveDirectory.dll" $adalforms = "${env:ProgramFiles(x86)}\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\Services\Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll" [System.Reflection.Assembly]::LoadFrom($adal) | Out-Null [System.Reflection.Assembly]::LoadFrom($adalforms) | Out-Null $clientId = "1950a258-227b-4e31-a9cf-717495945fc2" $redirectUri = "urn:ietf:wg:oauth:2.0:oob" $resourceAppIdURI = "https://graph.windows.net" $authority = "https://login.windows.net/$TenantName" $authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority $authResult = $authContext.AcquireToken($resourceAppIdURI, $clientId,$redirectUri, "Auto") return $authResult }
(borrowed from Paulo Marques https://blogs.technet.microsoft.com/paulomarques/2016/03/21/working-with-azure-active-directory-graph-api-from-powershell/)
You can then submit a POST request to the Azure Active Directory Graph API in order to create your application. However there is a little setup required.
# The name of this AAD instance $global:tenant = "mycompany.onmicorosft.com" $global:aadSecretGuid = New-Guid $global:aadDisplayName = "azure-ad-displayname" $global:aadIdentifierUris = @("https://contoso.com") $guidBytes = [System.Text.Encoding]::UTF8.GetBytes($global:aadSecretGuid) $global:aadSecret = @{ 'type'='Symmetric'; 'usage'='Verify'; 'endDate'=[DateTime]::UtcNow.AddDays(365).ToString('u').Replace(' ', 'T'); 'keyId'=$global:aadSecretGuid; 'startDate'=[DateTime]::UtcNow.AddDays(-1).ToString('u').Replace(' ', 'T'); 'value'=[System.Convert]::ToBase64String($guidBytes); } # ADAL JSON token - necessary for making requests to Graph API $global:token = GetAuthToken -TenantName $global:tenant # REST API header with auth token $global:authHeader = @{ 'Content-Type'='application/json'; 'Authorization'=$global:token.CreateAuthorizationHeader() }
Now you can hit the Graph API.
$resource = "applications" $payload = @{ 'displayName'=$global:aadDisplayName; 'homepage'='https://www.contoso.com'; 'identifierUris'= $global:aadIdentifierUris; 'keyCredentials'=@($global:aadSecret) } $payload = ConvertTo-Json -InputObject $payload $uri = "https://graph.windows.net/$($global:tenant)/$($resource)?api-version=1.6" $result = (Invoke-RestMethod -Uri $uri -Headers $global:authHeader -Body $payload -Method POST -Verbose).value
Once the response comes back, you can extract the configuration values you need.
# Extract configuration values $keyObject = foreach($i in $result.keyCredentials) { $i } # Tenant ID $global:aadTenantId = Get-AzureRmSubscription | Select-Object -ExpandProperty TenantId # Application object ID $global:aadApplicationObjectId = $result | Select-Object -ExpandProperty objectId # App ID / Client ID $global:aadClientId = $result | Select-Object -ExpandProperty appId # Application Secret/Key $global:aadAppSecret = $keyObject | Select-Object -ExpandProperty keyId
I hope this helps somebody!
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With