
I'm using New-AzureADApplication -DisplayName MyApp -PasswordCredentials $PasswordCreds (Password creds are defined elsewhere), which successfully creates the app registration (not enterprise app) alongside passkey without issue.

Where I'm failing is that I also have 5 Graph application-based permissions I want to add to this app, including User.Read.All.

I've tried to follow several answers on StackOverflow and read countless blogs, but I'm simply failing at this. Some guides/answers seem to be out of date, or when I run some examples I'm getting about 6-8 different GUIDs for User.Read.All, and other answers just include the permission that the question was asking about without explaining why/how.

I don't want an answer for User.Read.All; I really want to learn and understand how I can ultimately provide `-RequiredResourceAccess` the correct parameters when all I know is the permission name as above.

Wil

2 Answers


Here's the best example of doing this: https://github.com/mjisaak/azure-active-directory/blob/master/README.md#well-known-appids

Because the Graph app has a unique object ID in your tenant, you need to get that ID first.

Get-AzureADServicePrincipal | Where-Object AppId -Match '\w{8}-\w{4}-\w{4}-c000'

This just matches a few, to show you a bunch of system apps. You'll note that Microsoft Graph has a well-known app ID of 00000003-blabla, but you'll also see the Object ID. You take that object ID, and you then query it for either all the Oauth2Permissions (Delegated) or the AppRoles (Application Permissions).

Delegated permissions:

Get-AzureAdServicePrincipal -ObjectId ObjectIDyouFoundAbove | 
    Select-Object -expand Oauth2Permissions | 
    Select-Object Id, Value, AdminConsentDisplayName | 
    Sort-Object Id

Application permissions:

Get-AzureAdServicePrincipal -ObjectId AgainObjectIDYouFoundAbove |
  Select-Object -expand AppRoles | 
  Select-Object Id, Value, DisplayName | 
  Sort-Object Id

This will list the GUIDs for the permissions. Value is basically the read.user text, whereas DisplayName is the description. Id is your GUID.

alphaz18
  • The first command could potentially be replaced with `Get-AzureADServicePrincipal -SearchString "Microsoft Graph"`. Great information overall. – Alex AIT Jun 29 '20 at 16:58
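Putting the two lookups above together, here is an added example (editor's code, not part of the answer) that goes from a permission name plus its type to the GUID, builds the `RequiredResourceAccess` object and applies it with `Set-AzureADApplication`. It assumes the AzureAD module is loaded and `Connect-AzureAD` has been run; the helper `Resolve-GraphPermissionId`, the permission list `$wanted` and the placeholder `$appObjectId` are this example's own.

```powershell
# Added example (not code from the original answer): resolve Microsoft Graph
# permission names to the GUIDs that -RequiredResourceAccess expects, then
# apply them to an app registration. Assumes the AzureAD module is loaded,
# Connect-AzureAD has been run, and $appObjectId (placeholder below) is the
# ObjectId returned by New-AzureADApplication.

# Microsoft Graph's well-known application (client) ID. The ObjectId of its
# service principal differs per tenant, so look the SP up by AppId.
$graphAppId = '00000003-0000-0000-c000-000000000000'
$graph = Get-AzureADServicePrincipal -Filter "appId eq '$graphAppId'"
if (-not $graph) { throw 'Microsoft Graph service principal not found in this tenant' }

# Application permissions live in AppRoles (type "Role"); delegated permissions
# live in Oauth2Permissions (type "Scope"). The same Value, e.g. User.Read.All,
# appears in both lists and again on the legacy Azure AD Graph SP (00000002-...),
# which is why a name-only search turns up several GUIDs. Pin the resource
# AppId and the type before matching on the name.
function Resolve-GraphPermissionId {
    param(
        [Parameter(Mandatory)] $ServicePrincipal,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('Role', 'Scope')] [string] $Type
    )
    $list  = if ($Type -eq 'Role') { $ServicePrincipal.AppRoles } else { $ServicePrincipal.Oauth2Permissions }
    $match = @($list | Where-Object { $_.Value -eq $Name })
    if ($match.Count -ne 1) {
        throw "Expected exactly one $Type named '$Name' on $($ServicePrincipal.DisplayName), found $($match.Count)"
    }
    if (-not $match[0].IsEnabled) {
        throw "$Type '$Name' is disabled on $($ServicePrincipal.DisplayName)"
    }
    return $match[0].Id
}

# The permissions to declare: only the name and the type need to be known.
# (Illustrative set; replace with the five the app actually needs.)
$wanted = @(
    @{ Name = 'User.Read.All';      Type = 'Role'  },
    @{ Name = 'Group.Read.All';     Type = 'Role'  },
    @{ Name = 'Directory.Read.All'; Type = 'Role'  },
    @{ Name = 'User.Read';          Type = 'Scope' }   # delegated sign-in scope
)

$access = foreach ($p in $wanted) {
    $id = Resolve-GraphPermissionId -ServicePrincipal $graph -Name $p.Name -Type $p.Type
    Write-Host ('{0,-22} {1,-5} {2}' -f $p.Name, $p.Type, $id)
    New-Object -TypeName 'Microsoft.Open.AzureAD.Model.ResourceAccess' -ArgumentList $id, $p.Type
}

$req = New-Object -TypeName 'Microsoft.Open.AzureAD.Model.RequiredResourceAccess'
$req.ResourceAppId  = $graphAppId
$req.ResourceAccess = @($access)

# This replaces the app's entire requiredResourceAccess list. If the app already
# declares permissions for other resources, merge with
# (Get-AzureADApplication -ObjectId $appObjectId).RequiredResourceAccess first.
$appObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder, not a real app
Set-AzureADApplication -ObjectId $appObjectId -RequiredResourceAccess @($req)
```

Setting `RequiredResourceAccess` only declares what the registration will ask for. Application permissions (`Role`) still need admin consent, in the portal or with `New-AzureADServiceAppRoleAssignment` against the app's service principal, before a token issued to the app carries them, so treat the declared list as the thing to keep minimal and review.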

From looking through the web, you should be able to do the whole thing via PowerShell, but it felt fairly convoluted and it did not work for me immediately. It might not be worth it unless you need to resolve these GUIDs dynamically. This did NOT work for me, but if you want to investigate, look at $sp = Get-AzureADServicePrincipal -SearchString "Microsoft Graph" and $sp.Oauth2Permissions (https://gcits.com/knowledge-base/automate-creation-azure-ad-applications-access-microsoft-graph-customer-tenants/).

This is what does work for me: I usually just set up one app manually in the portal, and then have a look at the application manifest.

    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "5b567255-7703-4780-807c-7be8301ae99b",
                    "type": "Role"
                }
            ]
        },
        {
            "resourceAppId": "00000002-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
                    "type": "Scope"
                },
                {
                    "id": "6234d376-f627-4f0f-90e0-dff25c5211a3",
                    "type": "Scope"
                }
            ]
        }
    ],

(Screenshot: Azure Portal)

For actually setting the permissions, you probably already have the code. I will just include it for completeness' sake.

How to configure a new Azure AD application through Powershell?

# One RequiredResourceAccess per resource (here Microsoft Graph)
$req = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
# ResourceAccess takes the permission's Id and its type: "Scope" = delegated, "Role" = application
$acc1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d","Scope"
$acc2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "798ee544-9d2d-430c-a058-570e29e34338","Role"
$req.ResourceAccess = $acc1,$acc2
$req.ResourceAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph's well-known AppId
# Apply to the app registration by its ObjectId; this replaces the existing list
Set-AzureADApplication -ObjectId 1048db5f-f5ff-419b-8103-1ce26f15db31 -RequiredResourceAccess $req
Alex AIT
  • I had seen this blog post, but, I just didn't fully understand how they are searching and getting the IDs, for example, using one of the commands trying to find User.Read.All came up with many results. I didn't think about just looking at the manifest for an existing one, so, I really like this solution - thank you and +1... I'll leave open on the hopes someone else can answer better about searching from scratch/not touching the GUI at all as it may help someone else, and like you said, it should be possible! – Wil Jun 28 '20 at 21:09
  • great way to explain the how and the why! – JJS Oct 08 '21 at 14:57
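Going the other way is just as useful when you copy a manifest from an existing app: decode each `resourceAppId` and `id` back to the resource and permission names so you can see what you are about to request. The following is an added example (editor's code, not part of the answer); it uses the manifest fragment from the answer as its input, assumes the AzureAD module is loaded and `Connect-AzureAD` has been run, and leaves the final `Set-AzureADApplication` call commented out with a placeholder object ID.

```powershell
# Added example (not code from the original answer): decode a manifest's
# requiredResourceAccess back to resource and permission names, so you can
# review what an app actually asks for before cloning its GUIDs, and build the
# matching -RequiredResourceAccess objects from the same JSON. Assumes the
# AzureAD module is loaded and Connect-AzureAD has been run. The JSON is the
# fragment shown in the answer, wrapped in an object so ConvertFrom-Json accepts it.

$manifestJson = @'
{
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [ { "id": "5b567255-7703-4780-807c-7be8301ae99b", "type": "Role" } ]
    },
    {
      "resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [
        { "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6", "type": "Scope" },
        { "id": "6234d376-f627-4f0f-90e0-dff25c5211a3", "type": "Scope" }
      ]
    }
  ]
}
'@
$manifest = $manifestJson | ConvertFrom-Json

$legacyAadGraphAppId = '00000002-0000-0000-c000-000000000000'   # Azure AD Graph (deprecated)
$review   = [System.Collections.Generic.List[object]]::new()
$required = foreach ($res in $manifest.requiredResourceAccess) {
    # One service principal per resource, found by its well-known AppId.
    $sp     = Get-AzureADServicePrincipal -Filter "appId eq '$($res.resourceAppId)'"
    $spName = if ($sp) { $sp.DisplayName } else { '<service principal not in tenant>' }

    $access = foreach ($a in $res.resourceAccess) {
        # "Role" ids are found in AppRoles, "Scope" ids in Oauth2Permissions.
        $name = '<unknown id>'
        if ($sp) {
            $list = if ($a.type -eq 'Role') { $sp.AppRoles } else { $sp.Oauth2Permissions }
            $hit  = @($list | Where-Object { $_.Id -eq $a.id })
            if ($hit.Count -eq 1) { $name = $hit[0].Value }
        }
        $review.Add([pscustomobject]@{
            Resource      = $spName
            ResourceAppId = $res.resourceAppId
            Type          = $a.type
            Permission    = $name
            Id            = $a.id
        })
        New-Object -TypeName 'Microsoft.Open.AzureAD.Model.ResourceAccess' -ArgumentList $a.id, $a.type
    }

    $req = New-Object -TypeName 'Microsoft.Open.AzureAD.Model.RequiredResourceAccess'
    $req.ResourceAppId  = $res.resourceAppId
    $req.ResourceAccess = @($access)
    $req
}

$review | Format-Table -AutoSize

# Anything still pointing at Azure AD Graph should be re-requested against
# Microsoft Graph (the 00000003-... resource) rather than copied forward.
foreach ($row in $review | Where-Object ResourceAppId -eq $legacyAadGraphAppId) {
    Write-Warning "'$($row.Permission)' ($($row.Id)) targets the legacy Azure AD Graph resource"
}

# Apply only after reviewing the table; this replaces the target app's whole list.
# $appObjectId = '<ObjectId of the target app registration>'   # placeholder
# Set-AzureADApplication -ObjectId $appObjectId -RequiredResourceAccess $required
```

The review table is the point: a manifest copied from another app carries whatever that app accumulated, and an ID that resolves to `<unknown id>` or to a service principal that is not in the tenant is a sign the fragment does not belong in the new registration.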