
I'm trying to rewrite a PowerShell script that creates an Azure AD application and assigns permissions to it. The script is using the AzureAD module; I would like to use the new Az module, so I can run it on Linux/macOS.

Creating a new application is easy (New-AzADApplication), but I have a problem with permissions.

The old script is using this code to assign permissions:

#=============Graph Permissions========================
# Required resource access: which API (ResourceAppId) the app needs and which permissions (ResourceAccess) on it
$req = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
# Permission GUID plus type: "Role" = application permission (here User.Read.All), "Scope" = delegated permission
$acc1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "df021288-bdef-4463-88db-98f22de89214","Role"

$req.ResourceAccess = $acc1
$req.ResourceAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph

# Writes the required permissions onto the app registration; this only marks them as required, consent is granted separately
Set-AzureADApplication -ObjectId $AppObjectId -RequiredResourceAccess $req

But this will not work on Linux/macOS. Is there any way to do this? If not from PowerShell, then maybe using some other method? The main goal is to run it from Linux.

paulpb
  • The script you share does not actually grant permissions, it just marks permissions as required. Do you also need to grant the permissions in the tenant? – Philippe Signoret Mar 27 '19 at 22:47
  • @PhilippeSignoret Indeed I need, but this is already solved using admin consent through a URL request - https://learn.microsoft.com/bs-latn-ba/azure/active-directory/manage-apps/configure-user-consent – paulpb Mar 28 '19 at 09:51

1 Answer


The Azure CLI is easy to get started with and is Microsoft's cross-platform command-line experience for managing Azure resources on macOS, Linux, or Windows, run from the command line.

Your case

In your case you could try the following CLI command for application permissions:

az ad app permission add --api --api-permissions --id [--subscription]

For example

See the command below, which adds the Graph API permission "Sign in and read user profile":

az ad app permission add --id eeba0b46-78e5-4a1a-a1aa-cafe6c123456 --api 00000002-0000-0000-c000-000000000000 --api-permissions 311a71cc-e848-46a1-bdf8-97ff7156d8e6=Scope

Required Parameters

The following parameters are required for this permission:

--api

The target API to access.

--api-permissions

Space-separated list of <resource-access-id>=<type>.

--id

Identifier uri, application id, or object id.

For more details on the CLI command you could also refer here.

Note:

To execute the above command you need to install the CLI locally, run it in the browser with Azure Cloud Shell, or run it in a Docker container. For installation reference you could see here.

PowerShell Command

You could find detailed steps here.

I hope this is helpful for what you expected to do. Let's try it out. Thank you!

Md Farid Uddin Kiron
  • @paulpb According to your case you can try it out. Let me know if you have any more queries regarding your problem. – Md Farid Uddin Kiron Mar 28 '19 at 01:48
  • Hi, your answer was very helpful. Docker with Azure Cloud Shell looks like the best solution. I'm going to try it right now! – paulpb Mar 28 '19 at 09:03
  • I did, but due to my low reputation, my votes are not displayed. – paulpb Mar 28 '19 at 09:47
  • This answer is copy-pasted from the API reference. But what's still missing is where to find the guid (311a71cc...) mapping to "Sign in and read user profile"? – Nikolai Koudelia May 03 '19 at 11:17
  • @NikolaiKoudelia Right you are. We always try to refer the user to our official documentation, as I also specified the API reference here. What usually happens is that sometimes it's tough to find the exact resource when needed; if the document has the exact fix, it's better to refer to it, and I did the same. Thanks for your comment. – Md Farid Uddin Kiron May 03 '19 at 14:49
  • @MdFaridUddinKiron When I try to use your example `az ad app permission add --id [my ID here] --api 00000002-0000-0000-c000-000000000000 --api-permissions 311a71cc-e848-46a1-bdf8-97ff7156d8e6=Scope`, it returns `Updates to converged applications are not allowed in this version.` Any idea what's going on here? I still can't figure out how to add permissions via the command line. – Eric Hansen Jul 03 '19 at 17:41
  • @EricHansen What role do you belong to, or does your tenant have permission to execute this? – Md Farid Uddin Kiron Jul 04 '19 at 02:13
  • For the error “Updates to converged applications are not allowed in this version”, I did a test in my environment but cannot reproduce the error. It seems related to the application type. Could you please share more information about how you created the app? Did you add it from App registrations? Is this a custom-developed application? – Md Farid Uddin Kiron Jul 04 '19 at 07:37
  • @MdFaridUddinKiron It's in my personal account. I'm the supreme overlord. I created the app registration in the portal. The app registration is as simple as possible. I simply gave it a name and created it. – Eric Hansen Jul 05 '19 at 15:58
  • So this is not possible with Az PowerShell, as OP requested? – James Love May 04 '20 at 11:36
  • Hello I have updated the answer. Please have look and let me know. Thanks. – Md Farid Uddin Kiron May 04 '20 at 16:05
  • @NikolaiKoudelia I know it is late for you, but others like me might find my answer useful. I was also looking for how to find the GUID mappings. They can be obtained with the command `az ad sp show --id `. For example, for Azure Active Directory Graph: `az ad sp show --id 00000002-0000-0000-c000-000000000000`. Source: https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az_ad_app_permission_add – xalien Aug 24 '21 at 11:47
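An added example, not code from the question or the answer: a pwsh script that resolves permission names to the GUIDs both the question's RequiredResourceAccess object and the answer's `az ad app permission add` command need (the open point in Nikolai Koudelia's and xalien's comments), using the appRoles and oauth2PermissionScopes lists that `az ad sp show --id <resourceAppId>` returns for the target API. The Microsoft Graph manifest below is a trimmed, constructed sample, the app object id is a placeholder, and the `Add-AzADAppPermission` cmdlet named in the closing comment is the Az module's equivalent in its Microsoft Graph based releases; note that the answer's example targets Azure AD Graph (00000002-...) while the question's script targets Microsoft Graph (00000003-...).

```powershell
# Added example, not from the question or the answer. Resolves permission names to the GUIDs
# that RequiredResourceAccess and `az ad app permission add` expect, from the appRoles (Role)
# and oauth2PermissionScopes (Scope) lists of the target API. Needs only pwsh, no Azure session.

# Constructed sample: a trimmed manifest of the Microsoft Graph service principal as returned
# by `az ad sp show --id 00000003-0000-0000-c000-000000000000`; only the fields used are kept.
$GraphSp = @'
{ "appId": "00000003-0000-0000-c000-000000000000",
  "appRoles": [ { "id": "df021288-bdef-4463-88db-98f22de89214", "value": "User.Read.All" } ],
  "oauth2PermissionScopes": [ { "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "value": "User.Read" } ] }
'@ | ConvertFrom-Json

function Resolve-AppPermissionId {
    # 'Role' = application permission (appRoles, admin consent required);
    # 'Scope' = delegated permission (oauth2PermissionScopes).
    param(
        [Parameter(Mandatory)] $ServicePrincipal,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('Role', 'Scope')] [string] $Type
    )
    $list  = if ($Type -eq 'Role') { $ServicePrincipal.appRoles } else { $ServicePrincipal.oauth2PermissionScopes }
    $match = @($list | Where-Object { $_.value -eq $Name })
    if ($match.Count -ne 1) { throw "Permission '$Name' ($Type) not found on API $($ServicePrincipal.appId)" }
    return [string] $match[0].id
}

function New-RequiredResourceAccess {
    # Same shape as the old script's $req (resourceAppId + resourceAccess[] of {id, type}),
    # which is also the requiredResourceAccess element of the app manifest.
    param(
        [Parameter(Mandatory)] $ServicePrincipal,
        [Parameter(Mandatory)] [hashtable] $Permissions   # permission name -> 'Role' or 'Scope'
    )
    $access = foreach ($name in $Permissions.Keys) {
        @{ id = Resolve-AppPermissionId $ServicePrincipal $name $Permissions[$name]; type = $Permissions[$name] }
    }
    return @{ resourceAppId = $ServicePrincipal.appId; resourceAccess = @($access) }
}

# Usage: one application and one delegated permission, rendered as the manifest fragment and
# as the az CLI command from the answer. The GUIDs come from the manifest, not from memory.
$req = New-RequiredResourceAccess -ServicePrincipal $GraphSp -Permissions @{ 'User.Read.All' = 'Role'; 'User.Read' = 'Scope' }
$req | ConvertTo-Json -Depth 3

$AppObjectId = '<your-app-object-id>'   # placeholder: the app registration's object id
$pairs = ($req.resourceAccess | ForEach-Object { "$($_.id)=$($_.type)" }) -join ' '
"az ad app permission add --id $AppObjectId --api $($req.resourceAppId) --api-permissions $pairs"
# Az module equivalent (Microsoft Graph based Az.Resources releases), one call per permission:
# $req.resourceAccess | ForEach-Object {
#     Add-AzADAppPermission -ObjectId $AppObjectId -ApiId $req.resourceAppId -PermissionId $_.id -Type $_.type }
```

Both paths, like the original Set-AzureADApplication call, only mark the permissions as required; application permissions (Role) still need tenant admin consent, as Philippe Signoret's comment points out.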