I am creating a new Azure AD application through PowerShell. I have successfully created the application and assigned a client_secret
with the following PowerShell command:
$app = New-AzureRmADApplication -DisplayName "PowerShell-Test-POC2" -HomePage "http://www.microsoft.com" -IdentifierUris "http://kcuraonedrive.onmicrosoft.com/PowerShell-Test-POC2" -AvailableToOtherTenants $true
My question is how do I go about configuring this newly created application through PowerShell (i.e., required permissions and reply URLs)?
I would rather suggest using the new Azure AD v2 cmdlets: https://docs.microsoft.com/en-us/powershell/azuread/v2/azureactivedirectory.
They are more versatile than the ARM ones, and allow you to specify things like keys, reply URLs more easily.
For example, to add reply URLs:
Set-AzureADApplication -ObjectId 1048db5f-f5ff-419b-8103-1ce26f15db31 -ReplyUrls @("https://localhost:8080","https://localhost:8081")
To add a required permission, you have to find out a couple of things. The service principal on which the permissions are defined: you will need its appId. (I found the Microsoft Graph API principal from my tenant.) Then you need to find the appRole or oauth2Permission that you want to require. You will need its id.
Then to add a delegated permission:
$req = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$acc1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d","Scope"
$acc2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "798ee544-9d2d-430c-a058-570e29e34338","Role"
$req.ResourceAccess = $acc1,$acc2
$req.ResourceAppId = "00000003-0000-0000-c000-000000000000"
Set-AzureADApplication -ObjectId 1048db5f-f5ff-419b-8103-1ce26f15db31 -RequiredResourceAccess $req
The ResourceAppId is the appId of the service principal for the Microsoft Graph API. The ResourceAccess object in this case contains two requirements. First one holds the id of the oauth2Permission I want to require, as well as specifying that it is a delegated permission. The second contains an app permission, the id is the object id of the appRole.
Scope = Delegated permission
Role = Application permission
To find the service principal you need, you can run:
Get-AzureADServicePrincipal
ObjectId AppId DisplayName
-------- ----- -----------
f004dde9-b40f-4259-91be-e257009a444a 00000003-0000-0000-c000-000000000000 Microsoft Graph
Then get the principal and list out delegated permissions:
$msGraph = Get-AzureADServicePrincipal -ObjectId f004dde9-b40f-4259-91be-e257009a444a
$msGraph.Oauth2Permissions | select Id,AdminConsentDisplayName,Value
Id AdminConsentDisplayName Value
-- ----------------------- -----
e1fe6dd8-ba31-4d61-89e7-88639da4683d Sign in and read user profile User.Read
Or if you need an app permission:
$msGraph.AppRoles | select Id,DisplayName,Value
Id DisplayName Value
-- ----------- -----
798ee544-9d2d-430c-a058-570e29e34338 Read calendars in all mailboxes Calendars.Read
The Id is the important one.
For scripts the nice thing is that the application id for MS services is always the same. The permission ids are also the same in all tenants. So for example:
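As an added example (not from the answer above), the following script resolves Microsoft Graph permission names such as User.Read and Calendars.Read to their ids from the tenant's service principal and builds the RequiredResourceAccess object, so no GUIDs need to be pasted by hand. It assumes the AzureAD v2 module is loaded and Connect-AzureAD has been run; $appObjectId is a placeholder, and Get-GraphRequiredResourceAccess is a name chosen here.

```powershell
# Added example: build RequiredResourceAccess for Microsoft Graph by permission name.
# Assumes the AzureAD v2 module and an existing Connect-AzureAD session.
function Get-GraphRequiredResourceAccess {
    param(
        [string[]]$DelegatedPermissions = @(),    # e.g. "User.Read"      -> Type "Scope"
        [string[]]$ApplicationPermissions = @()   # e.g. "Calendars.Read" -> Type "Role"
    )
    # The Microsoft Graph appId is the same in every tenant (see the answer above).
    $graphAppId = "00000003-0000-0000-c000-000000000000"
    $graphSp = Get-AzureADServicePrincipal -Filter "appId eq '$graphAppId'"
    if (-not $graphSp) { throw "Microsoft Graph service principal not found in this tenant" }

    $access = @()
    foreach ($name in $DelegatedPermissions) {
        # Delegated permissions live in Oauth2Permissions; match on the Value (e.g. User.Read).
        $perm = $graphSp.Oauth2Permissions | Where-Object { $_.Value -eq $name }
        if (-not $perm) { throw "Unknown delegated permission: $name" }
        $access += New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $perm.Id, "Scope"
    }
    foreach ($name in $ApplicationPermissions) {
        # Application permissions live in AppRoles; these need admin consent before tokens carry them.
        $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $name }
        if (-not $role) { throw "Unknown application permission: $name" }
        $access += New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $role.Id, "Role"
    }

    $req = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $req.ResourceAppId = $graphAppId
    $req.ResourceAccess = $access
    return $req
}

# Usage: request only the permissions the app actually needs.
$appObjectId = "<application object id>"   # placeholder: the ObjectId of your application
$req = Get-GraphRequiredResourceAccess -DelegatedPermissions @("User.Read") -ApplicationPermissions @("Calendars.Read")

# Note: -RequiredResourceAccess replaces the whole list on the application, it does not append.
Set-AzureADApplication -ObjectId $appObjectId -RequiredResourceAccess $req

# Read back what was written so the change can be reviewed.
(Get-AzureADApplication -ObjectId $appObjectId).RequiredResourceAccess |
    ForEach-Object { $_.ResourceAccess | Select-Object Id, Type }
```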