
I am creating a new Azure AD application through PowerShell. I have successfully created the application and assigned a client_secret with the following PowerShell command:

$app = New-AzureRmADApplication -DisplayName "PowerShell-Test-POC2" -HomePage "http://www.microsoft.com" -IdentifierUris "http://kcuraonedrive.onmicrosoft.com/PowerShell-Test-POC2" -AvailableToOtherTenants $true

My question is how do I go about configuring this newly created application through PowerShell (i.e. required permissions and reply URLs)?

jdave

1 Answer


I would rather suggest using the new Azure AD v2 cmdlets: https://learn.microsoft.com/en-us/powershell/azuread/v2/azureactivedirectory.

They are more versatile than the ARM ones, and allow you to specify things like keys, reply URLs more easily.

For example, to add reply URLs:

Set-AzureADApplication -ObjectId 1048db5f-f5ff-419b-8103-1ce26f15db31 -ReplyUrls @("https://localhost:8080","https://localhost:8081")

To add a required permission, you have to find out a couple of things. You will need the appId of the service principal on which the permissions are defined (I found the Microsoft Graph API principal from my tenant). Then you need to find the appRole or oauth2Permission that you want to require; you will need its id.

Then to add a delegated permission:

$req = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$acc1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d","Scope"
$acc2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "798ee544-9d2d-430c-a058-570e29e34338","Role"
$req.ResourceAccess = $acc1,$acc2
$req.ResourceAppId = "00000003-0000-0000-c000-000000000000"
Set-AzureADApplication -ObjectId 1048db5f-f5ff-419b-8103-1ce26f15db31 -RequiredResourceAccess $req

The ResourceAppId is the appId of the service principal for the Microsoft Graph API. The ResourceAccess object in this case contains two requirements. The first one holds the id of the oauth2Permission I want to require, as well as specifying that it is a delegated permission. The second contains an app permission; the id is the object id of the appRole.

Scope = Delegated permission

Role = Application permission

To find the service principal you need, you can run:

Get-AzureADServicePrincipal
ObjectId                             AppId                                DisplayName
--------                             -----                                -----------
f004dde9-b40f-4259-91be-e257009a444a 00000003-0000-0000-c000-000000000000 Microsoft Graph

Then get the principal and list out delegated permissions:

$msGraph = Get-AzureADServicePrincipal -ObjectId f004dde9-b40f-4259-91be-e257009a444a
$msGraph.Oauth2Permissions | select Id,AdminConsentDisplayName,Value
Id                                   AdminConsentDisplayName                                           Value
--                                   -----------------------                                           -----
e1fe6dd8-ba31-4d61-89e7-88639da4683d Sign in and read user profile                                     User.Read

Or if you need an app permission:

$msGraph.AppRoles | select Id,DisplayName,Value
Id                                   DisplayName                                            Value
--                                   -----------                                            -----
798ee544-9d2d-430c-a058-570e29e34338 Read calendars in all mailboxes                        Calendars.Read

The Id is the important one.

For scripts the nice thing is that the application id for MS services is always the same. The permission ids are also the same in all tenants. So for example:

  • Microsoft Graph API
    • AppId: 00000003-0000-0000-c000-000000000000
  • Azure AD Graph API
    • AppId: 00000002-0000-0000-c000-000000000000
juunas
  • thank you for replying. Could you please provide additional information on the line where you said: *"Then you need to find the appRole or oauth2Permissions that you want to require"*? – jdave Feb 10 '17 at 19:11
  • See my edit. I added some example commands I used to get the Microsoft Graph API permissions. – juunas Feb 10 '17 at 19:19
  • @juunas - ah thank you! What if I am setting up a brand new app and there is no service principal on which the permissions are defined? If I wanted to create new permissions for the app - is there a different flow? – jdave Feb 10 '17 at 19:23
  • If you are developing an app that will expose permissions for other apps, you will have to fill those in in the *oauth2Permissions* for the app, and then create the service principal from the app. – juunas Feb 10 '17 at 19:26
  • I am creating a service/daemon application that will *not* require permissions to other apps. – jdave Feb 10 '17 at 19:31
  • What does this daemon application need to do? Usually that kind of apps do require some permissions. Otherwise they can only get an access token that doesn't allow them to do anything :) – juunas Feb 10 '17 at 19:34
  • I have proofed out the ability to generate an `auth_token` from a `client_id` and `client_secret`, then I provide that `auth_token` to `Microsoft Graph SDK` to access OneDrive for Business data for all users that belong to a tenant - that is the daemon service. The PowerShell command will allow a new tenant to run the script to generate a new Azure AD application, (which I have working) however I do not know how to automate the process of adding permissions to the *new* Azure AD application. – jdave Feb 10 '17 at 19:49
  • I edited my question. The appIds (client id) and permission ids for APIs like the Microsoft Graph are always same in every tenant. You can hardcode them, or find the principal through a search. Either way will work. – juunas Feb 10 '17 at 20:10
  • How do you set individual permissions for the AppId for Microsoft Graph API? I am having trouble trying to add them – jdave Feb 10 '17 at 22:13
  • This post finally clarifies how to create API permissions, or `"requiredResourceAccess"` visible in AD app's manifest. Granting them is another story. – Jari Turkia Jan 23 '19 at 08:34
  • @juunas - Can the same thing be done with PS AzAD module instead of AzureAD? Get-AzADApplication return object doesn't seem to have Approles property. – s-a-n Jun 27 '20 at 20:18
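The comment thread above asks how to automate the permission step for a new tenant. The script below is an added example, not code from the answer or its comments: it resolves Microsoft Graph permissions by their Value (so no per-tenant GUID copying), builds the RequiredResourceAccess object the answer describes, creates the application with its reply URLs and permissions in one call, and then reads the declared permissions back with their names for review. It uses the same AzureAD v2 module the answer recommends and assumes `Connect-AzureAD` has already been run; the display name, reply URL and the two permission names are illustrative choices, not values from the page. Declaring a permission only records the requirement in the manifest; consent is a separate step, as one of the comments notes.

```powershell
# Added example, not from the original answer. Assumes Connect-AzureAD has been run.
# Microsoft Graph's appId is the same in every tenant (stated in the answer above).
$graphAppId = "00000003-0000-0000-c000-000000000000"

# Permissions expressed by name. 'Scope' = delegated, 'Role' = application permission.
# These two entries are illustrative; declare only what the daemon actually needs.
$wanted = @(
    @{ Value = "User.Read";      Type = "Scope" },
    @{ Value = "Calendars.Read"; Type = "Role"  }
)

function Get-GraphRequiredResourceAccess {
    param(
        [Parameter(Mandatory)] [string]      $ResourceAppId,
        [Parameter(Mandatory)] [hashtable[]] $Permissions
    )
    # Look the principal up by appId, not objectId: the objectId differs per tenant.
    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $sp) { throw "No service principal found for appId $ResourceAppId" }

    $req = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $req.ResourceAppId  = $ResourceAppId
    $req.ResourceAccess = New-Object -TypeName "System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]"

    foreach ($p in $Permissions) {
        switch ($p.Type) {
            "Scope" { $match = $sp.Oauth2Permissions | Where-Object { $_.Value -eq $p.Value } }
            "Role"  { $match = $sp.AppRoles          | Where-Object { $_.Value -eq $p.Value } }
            default { throw "Unknown permission type '$($p.Type)' for $($p.Value)" }
        }
        # Fail loudly instead of silently declaring nothing for a mistyped name.
        if (-not $match) { throw "Permission '$($p.Value)' ($($p.Type)) is not exposed by $($sp.DisplayName)" }
        $access = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $match.Id, $p.Type
        $req.ResourceAccess.Add($access)
    }
    return $req
}

# Create the application with reply URLs and required permissions in one call
# (display name and reply URL are illustrative).
$required = Get-GraphRequiredResourceAccess -ResourceAppId $graphAppId -Permissions $wanted
$app = New-AzureADApplication -DisplayName "PowerShell-Test-POC2" `
    -ReplyUrls @("https://localhost:8080") `
    -RequiredResourceAccess @($required)

# Read the declared permissions back and map the stored ids to names, so the
# manifest can be reviewed without decoding GUIDs by hand.
function Show-DeclaredPermissions {
    param([Parameter(Mandatory)] [string] $ObjectId)
    $a = Get-AzureADApplication -ObjectId $ObjectId
    foreach ($rra in $a.RequiredResourceAccess) {
        $sp = Get-AzureADServicePrincipal -Filter "appId eq '$($rra.ResourceAppId)'"
        foreach ($ra in $rra.ResourceAccess) {
            $name = if ($ra.Type -eq "Scope") {
                        ($sp.Oauth2Permissions | Where-Object { $_.Id -eq $ra.Id }).Value
                    } else {
                        ($sp.AppRoles | Where-Object { $_.Id -eq $ra.Id }).Value
                    }
            [pscustomobject]@{ Resource = $sp.DisplayName; Type = $ra.Type; Id = $ra.Id; Value = $name }
        }
    }
}

Show-DeclaredPermissions -ObjectId $app.ObjectId | Format-Table -AutoSize
```

Resolving permissions by Value rather than pasting ids keeps the script readable when it is reviewed, and the read-back at the end is the check worth keeping: it shows exactly which delegated and application permissions the new application will ask a tenant administrator to consent to.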