How to configure a new Azure AD application through PowerShell?

I am creating a new Azure AD application through PowerShell. I have successfully created the application and assigned a client_secret with the following PowerShell command:

$app = New-AzureRmADApplication -DisplayName "PowerShell-Test-POC2" -HomePage "http://www.microsoft.com" -IdentifierUris "http://kcuraonedrive.onmicrosoft.com/PowerShell-Test-POC2" -AvailableToOtherTenants $true

My question is: how do I go about configuring this newly created application through PowerShell (i.e. required permissions and reply URLs)?

jdave asked Feb 10 '17 16:02

1 Answer

I would rather suggest using the new Azure AD v2 cmdlets: https://docs.microsoft.com/en-us/powershell/azuread/v2/azureactivedirectory.

They are more versatile than the ARM ones, and allow you to specify things like keys and reply URLs more easily.

For example, to add reply URLs:

Set-AzureADApplication -ObjectId 1048db5f-f5ff-419b-8103-1ce26f15db31 -ReplyUrls @("https://localhost:8080","https://localhost:8081")

To add a required permission, you have to find out a couple of things. You will need the appId of the service principal on which the permissions are defined. (I found the Microsoft Graph API principal from my tenant.) Then you need to find the appRole or oauth2Permission that you want to require. You will need its id.

Then to add a delegated permission:

$req = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$acc1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d","Scope"
$acc2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "798ee544-9d2d-430c-a058-570e29e34338","Role"
$req.ResourceAccess = $acc1,$acc2
$req.ResourceAppId = "00000003-0000-0000-c000-000000000000"
Set-AzureADApplication -ObjectId 1048db5f-f5ff-419b-8103-1ce26f15db31 -RequiredResourceAccess $req

The ResourceAppId is the appId of the service principal for the Microsoft Graph API. The ResourceAccess object in this case contains two requirements. The first one holds the id of the oauth2Permission I want to require, as well as specifying that it is a delegated permission. The second contains an app permission; the id is the object id of the appRole.

Scope = Delegated permission

Role = Application permission

To find the service principal you need, you can run:

Get-AzureADServicePrincipal
ObjectId                             AppId                                DisplayName
--------                             -----                                -----------
f004dde9-b40f-4259-91be-e257009a444a 00000003-0000-0000-c000-000000000000 Microsoft Graph

Then get the principal and list out delegated permissions:

$msGraph = Get-AzureADServicePrincipal -ObjectId f004dde9-b40f-4259-91be-e257009a444a
$msGraph.Oauth2Permissions | select Id,AdminConsentDisplayName,Value
Id                                   AdminConsentDisplayName                                           Value
--                                   -----------------------                                           -----
e1fe6dd8-ba31-4d61-89e7-88639da4683d Sign in and read user profile                                     User.Read

Or if you need an app permission:

$msGraph.AppRoles | select Id,DisplayName,Value
Id                                   DisplayName                                            Value
--                                   -----------                                            -----
798ee544-9d2d-430c-a058-570e29e34338 Read calendars in all mailboxes                        Calendars.Read

The Id is the important one.

For scripts, the nice thing is that the application id for MS services is always the same. The permission ids are also the same in all tenants. So for example:

  • Microsoft Graph API
    • AppId: 00000003-0000-0000-c000-000000000000
  • Azure AD Graph API
    • AppId: 00000002-0000-0000-c000-000000000000
juunas answered Oct 20 '22 04:10
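The lookup and assignment steps from the answer above, combined into one script as an added example (this is not code from the answer or from the AzureAD module documentation). It assumes the AzureAD v2 module is loaded and Connect-AzureAD has been run, the application object id is a placeholder you replace, and the permission names ("User.Read", optionally "Calendars.Read") are only illustrative; it resolves permission ids by their Value rather than hard-coding GUIDs, and reads the configuration back so the requested permissions can be reviewed against what the app actually needs.

```powershell
# Added example: assumes the AzureAD (v2) module is loaded and Connect-AzureAD
# has already been run with rights to modify the application.
$appObjectId = "<your-application-object-id>"            # placeholder, replace
$graphAppId  = "00000003-0000-0000-c000-000000000000"    # Microsoft Graph, same in every tenant

# Keep the request minimal: one delegated scope and, only if really needed, app roles.
$delegated = @("User.Read")   # Scope = delegated permission (illustrative)
$appRoles  = @()              # Role  = application permission, e.g. @("Calendars.Read")

# Find the Microsoft Graph service principal in this tenant by its well-known AppId.
$msGraph = Get-AzureADServicePrincipal -Filter "AppId eq '$graphAppId'"
if (-not $msGraph) { throw "Microsoft Graph service principal not found in this tenant" }

# Resolve each permission name to its id; fail loudly instead of requesting nothing.
$access = @()
foreach ($name in $delegated) {
    $perm = $msGraph.Oauth2Permissions | Where-Object { $_.Value -eq $name }
    if (-not $perm) { throw "Delegated permission '$name' not found on Microsoft Graph" }
    $access += New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $perm.Id, "Scope"
}
foreach ($name in $appRoles) {
    $role = $msGraph.AppRoles | Where-Object { $_.Value -eq $name }
    if (-not $role) { throw "Application permission '$name' not found on Microsoft Graph" }
    $access += New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $role.Id, "Role"
}

$req = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$req.ResourceAppId  = $graphAppId
$req.ResourceAccess = $access

# Reply URLs receive tokens/codes, so list only the exact HTTPS (or dev localhost) URLs you control.
$replyUrls = @("https://localhost:8080")

Set-AzureADApplication -ObjectId $appObjectId -RequiredResourceAccess $req -ReplyUrls $replyUrls

# Read back what was actually configured so it can be reviewed against the app's real needs.
$app = Get-AzureADApplication -ObjectId $appObjectId
$app.RequiredResourceAccess | ForEach-Object {
    $resourceId = $_.ResourceAppId
    $_.ResourceAccess | ForEach-Object { "{0} {1} {2}" -f $resourceId, $_.Type, $_.Id }
}
$app.ReplyUrls
```

Set-AzureADApplication replaces the whole RequiredResourceAccess list, so rerunning the script with a shorter permission list is also the way to drop permissions the app no longer needs.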