
Trying to automate the Azure app registration process using PowerShell

I need some help with granting permissions to an app after assigning API permissions using PowerShell. Can anyone help me with this?

And is there any better way to automate the Azure app registration process other than PowerShell?

    This document might help: https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureaduserapproleassignment?view=azureadps-2.0. These SO threads may help: https://stackoverflow.com/questions/43841968/powershell-script-to-automate-aad-app-and-assigning-delegated-permissions https://stackoverflow.com/questions/47346121/powershell-do-grant-permissions-action-on-azure-ad-application-with-powershe. – Swikruti Bose Feb 01 '18 at 06:12
  • Thanks for the quick response. `$req1.ResourceAppId = "00000003-0000-0000-c000-000000000000"; $req2.ResourceAppId = "00000002-0000-0000-c000-000000000000"; Set-AzureADApplication -ObjectId $newapp.ObjectId -RequiredResourceAccess @($req1,$req2)` is exactly what I was looking for. I am able to assign API permissions with the above code using PowerShell, but once I assign API permissions to my app, I need to grant permissions to the app. So I am looking for some help on that, like a PowerShell script which can do the "grant permission" step for the app. – satya Feb 01 '18 at 17:18

2 Answers


Try this. Note that the consent endpoint it calls (main.iam.ad.ext.azure.com) is the Azure portal's internal API, not a documented one, and that the AzureRm module it relies on has since been retired in favour of Az:

Login-AzureRmAccount

function get-azureRMToken() {
    <#
    .Synopsis
     Gets an access token for the Azure portal's internal API for the signed-in user,
     by exchanging the refresh token that Login-AzureRmAccount cached. The GUID in the
     resource parameter is the Azure portal's own first-party application ID.
     The refresh token is a bearer credential: do not log it or write it to disk.
    #>
    try {
        $context = Get-AzureRmContext
        $tenantId = $context.Tenant.Id
        # Pick an unexpired cache entry for the current tenant and take its refresh token
        $refreshToken = @($context.TokenCache.ReadItems() | where {$_.tenantId -eq $tenantId -and $_.ExpiresOn -gt (Get-Date)})[0].RefreshToken
        $body = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
        $apiToken = Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'
        return $apiToken.access_token
    }
    catch {
        Write-Output "Exception.Message=$($_.Exception.Message); ScriptStackTrace=$($_.ScriptStackTrace); Exception.StackTrace=$($_.Exception.StackTrace); FullyQualifiedErrorId=$($_.FullyQualifiedErrorId); Exception.InnerException=$($_.Exception.InnerException)"
    }
}

function grant-app-required-permission() {
    <#
    .Synopsis
     Invokes the Azure portal's internal REST endpoint to grant consent for the app,
     the same call the portal's "Grant permissions" button makes. onBehalfOfAll=true
     consents on behalf of every user in the tenant, so the signed-in account needs
     an administrator role that is allowed to do that. Because the endpoint is
     undocumented it can change without notice.
    #>
    Param(
        [Parameter(Mandatory = $true)]$azureAppId   # the app ID the portal uses in its RegisteredApplications URL
    )
    try {
        $token = get-azureRMToken
        $header = @{
            'Authorization'          = 'Bearer ' + $token
            'X-Requested-With'       = 'XMLHttpRequest'
            'x-ms-client-request-id' = [guid]::NewGuid()
            'x-ms-correlation-id'    = [guid]::NewGuid()
        }
        $url = "https://main.iam.ad.ext.azure.com/api/RegisteredApplications/$azureAppId/Consent?onBehalfOfAll=true"
        Invoke-RestMethod -Uri $url -Headers $header -Method POST -ErrorAction Stop
    }
    catch {
        Write-Output "Exception.Message=$($_.Exception.Message); ScriptStackTrace=$($_.ScriptStackTrace); Exception.StackTrace=$($_.Exception.StackTrace); FullyQualifiedErrorId=$($_.FullyQualifiedErrorId); Exception.InnerException=$($_.Exception.InnerException)"
    }
}

It seems that we can now use the Azure CLI in PowerShell. I can grant permission with a single command:

az ad app permission grant --id $appId --api $apiAppId --scope $scope

This worked in the Azure Cloud Shell, where $appId, $apiAppId, and $scope are regular PowerShell variables.

The documentation for this command is here: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az_ad_app_permission_grant

Note that $scope should be the Value property from the Oauth2Permission you are using.

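The following is an added example, not code from the question or either answer, showing the supported way to do the "grant permission" step both answers are after: with the Microsoft Graph PowerShell SDK (the replacement for the AzureAD and AzureRm modules used above) instead of the portal's undocumented endpoint. It assumes the Microsoft.Graph modules are installed, that the signed-in account holds a role allowed to consent tenant-wide (Global Administrator or Privileged Role Administrator), and that the client app ID and permission names are placeholders you replace with your own. The Microsoft Graph resource app ID 00000003-0000-0000-c000-000000000000 is the same one the question's `$req1` uses. It goes one step further than the answers by covering application (Role) permissions as well as delegated (Scope) ones, since each is consented through a different object.

```powershell
# Added example: grant admin consent for an app registration with the
# Microsoft Graph PowerShell SDK. Placeholders: $appId and the permission
# names are assumptions for this example.
#Requires -Modules Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Application.ReadWrite.All',
                        'DelegatedPermissionGrant.ReadWrite.All',
                        'AppRoleAssignment.ReadWrite.All'

$appId      = '11111111-2222-3333-4444-555555555555'     # placeholder: your app's application (client) ID
$graphAppId = '00000003-0000-0000-c000-000000000000'     # Microsoft Graph resource, as in the question

# The resource's service principal carries the permission definitions we need the IDs of:
# oauth2PermissionScopes for delegated permissions, appRoles for application permissions.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

$delegatedScopes = @('User.Read', 'Mail.Read')   # delegated (Type = Scope), placeholders
$appRoleNames    = @('User.Read.All')            # application (Type = Role), placeholder

# 1. Declare the permissions on the registration (requiredResourceAccess), which is
#    the Graph equivalent of Set-AzureADApplication -RequiredResourceAccess.
$resourceAccess = @()
foreach ($name in $delegatedScopes) {
    $scope = $graphSp.Oauth2PermissionScopes | Where-Object Value -eq $name
    if (-not $scope) { throw "Delegated permission '$name' not found on Microsoft Graph" }
    $resourceAccess += @{ Id = $scope.Id; Type = 'Scope' }
}
foreach ($name in $appRoleNames) {
    $role = $graphSp.AppRoles | Where-Object Value -eq $name
    if (-not $role) { throw "Application permission '$name' not found on Microsoft Graph" }
    $resourceAccess += @{ Id = $role.Id; Type = 'Role' }
}
$app = Get-MgApplication -Filter "appId eq '$appId'"
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess @(
    @{ ResourceAppId = $graphAppId; ResourceAccess = $resourceAccess }
)

# 2. Consent is recorded against the app's service principal in this tenant,
#    not against the registration, so make sure one exists.
$clientSp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $clientSp) { $clientSp = New-MgServicePrincipal -AppId $appId }

# 3a. Delegated permissions: a tenant-wide oauth2PermissionGrant with
#     consentType AllPrincipals is what the portal's "Grant admin consent" creates.
#     Update an existing grant rather than creating a duplicate.
$existing = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientSp.Id)' and resourceId eq '$($graphSp.Id)'" |
    Where-Object ConsentType -eq 'AllPrincipals'
if ($existing) {
    Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $existing.Id -Scope ($delegatedScopes -join ' ')
} else {
    New-MgOauth2PermissionGrant -ClientId $clientSp.Id -ConsentType 'AllPrincipals' `
        -ResourceId $graphSp.Id -Scope ($delegatedScopes -join ' ')
}

# 3b. Application permissions: one appRoleAssignment per role, assigned to the
#     client service principal itself (principal and assignee are the same SP).
foreach ($name in $appRoleNames) {
    $role = $graphSp.AppRoles | Where-Object Value -eq $name
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id `
        -PrincipalId $clientSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id
}

# 4. Verify what the tenant has actually consented to; this is what tokens will carry,
#    regardless of what requiredResourceAccess on the registration says.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientSp.Id)'" | Select-Object ConsentType, Scope
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id | Select-Object AppRoleId, ResourceDisplayName
```

The separation in step 3 is the part that trips people up: `az ad app permission grant` (and `New-MgOauth2PermissionGrant`) only creates the delegated grant, so application permissions stay unconsented until an app role assignment exists. If you stay on the Azure CLI, `az ad app permission admin-consent --id $appId` consents tenant-wide to everything declared in requiredResourceAccess in one step. Keep the consenting account scoped to a break-glass or automation identity with just the roles listed above, because whatever it can consent to, a compromised script can consent to as well.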