
I'd like to add a scope to an Azure AD App / Service Principal (UI = Expose an API) with PowerShell.

# Sign in with enough rights to create app registrations and service principals
Connect-MgGraph -Scopes "Application.ReadWrite.All"
$name        = "my-api-app"
$description = "Demo API app"

$app = New-MgApplication -DisplayName $name -SignInAudience "AzureADMyOrg"
Update-MgApplication -ApplicationId $app.Id -IdentifierUris @("api://$($app.AppId)")

$oauth_permission_scopes = @{
    AdminConsentDescription = "admin desc"
    AdminConsentDisplayName = "admin name"
    Type  = "Admin"
    Value = "Read.all"
    Id    = [guid]::NewGuid()
}
$sp = New-MgServicePrincipal -AppId $app.AppId -Notes $description -Tags @("HideApp","WindowsAzureActiveDirectoryIntegratedApp")  # HideApp maps to the "Visible to users" toggle
# This is the call that fails: oauth2PermissionScopes is read-only on the service principal
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -Oauth2PermissionScopes $oauth_permission_scopes

But I get the message:

Update-MgServicePrincipal_UpdateExpanded1: Property 'oauth2PermissionScopes' is read-only and cannot be set.

Can this only be added in the UI?!

Bridystone
  • I don't have one to test with at the moment, but based on the `Update-MgServicePrincipal` help page, you may need to go up one level and update the `-Api` object like the accepted answer here: https://stackoverflow.com/a/74778773/7411885 – Cpt.Whale Jan 13 '23 at 21:01
  • Hi Cpt.Whale, this perfectly answered my question. I’ve read the help page, but I didn’t understand the part “For more information see the oauth2PermissionScopes property on the application entity's api property.“. Now I get it! Thanks – Bridystone Jan 14 '23 at 06:32

1 Answer

I tried to reproduce the same in my environment and got the results below:

I ran the same code as you to add scopes and got the same error as below:


When I checked the same in the Portal, the application is created but the scope is not added, as below:


To add a scope to an Azure AD Application with PowerShell (Expose an API), you need to modify your script as suggested by Cpt.Whale, like this:

$api = @{
    Oauth2PermissionScopes = @(
        @{
            AdminConsentDescription = "admin desc"
            AdminConsentDisplayName = "admin name"
            Type  = "Admin"
            Value = "Read.all"
            Id    = [guid]::NewGuid()
        }
    )
}

# Scopes live on the application's api property, not on the service principal
Update-MgApplication -ApplicationId $app.Id -Api $api

Response: (screenshot of the successful Update-MgApplication call)

When I checked the same in the Portal, the scope was added successfully in the Expose an API tab of the Azure AD application, as below:


Sridevi
  • Hi Sridevi, thanks for your confirmation. I was too stuck on the wrong object, since it was not marked as read-only in the documentation. – Bridystone Jan 14 '23 at 06:36
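The answer above passes only the new scope in -Api, which is fine for a freshly created app registration. Because a PATCH on api.oauth2PermissionScopes replaces the whole collection, running the same call against an app that already exposes scopes would silently drop them. The following is an added example, not code from either post: a helper that reads the scopes currently exposed, appends the new one, writes the full list back and then reads it back to verify. The function name Add-AppOAuth2Scope and all sample values are assumptions; it needs the Microsoft.Graph.Applications module and a Connect-MgGraph session with Application.ReadWrite.All (or ownership of the app).

```powershell
# Added example, not from the original question or answer.
# Assumes the Microsoft.Graph.Applications module and an existing
# Connect-MgGraph session with Application.ReadWrite.All.
# The function name and all sample values are assumptions for illustration.

function Add-AppOAuth2Scope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ApplicationId,     # object id (not appId) of the app registration
        [Parameter(Mandatory)] [string] $Value,             # scope value, e.g. "Files.Read"
        [Parameter(Mandatory)] [string] $AdminDisplayName,
        [Parameter(Mandatory)] [string] $AdminDescription,
        [ValidateSet("Admin", "User")] [string] $Type = "Admin"
    )

    # PATCH on api.oauth2PermissionScopes replaces the whole collection,
    # so read the current scopes first and send them back together with the new one.
    $app = Get-MgApplication -ApplicationId $ApplicationId -Property "id,api"
    $existing = @($app.Api.Oauth2PermissionScopes | Where-Object { $_ })

    if ($existing.Value -contains $Value) {
        throw "Scope '$Value' already exists on application $ApplicationId"
    }

    # Re-emit the existing scopes as hashtables (same shape the answer uses)
    # so that nothing already exposed is lost.
    $kept = @($existing | ForEach-Object {
        @{
            Id                      = $_.Id
            Value                   = $_.Value
            Type                    = $_.Type
            IsEnabled               = $_.IsEnabled
            AdminConsentDisplayName = $_.AdminConsentDisplayName
            AdminConsentDescription = $_.AdminConsentDescription
            UserConsentDisplayName  = $_.UserConsentDisplayName
            UserConsentDescription  = $_.UserConsentDescription
        }
    })

    $new = @{
        Id                      = [guid]::NewGuid().ToString()
        Value                   = $Value
        Type                    = $Type      # "Admin": admin consent required; "User": users may self-consent
        IsEnabled               = $true
        AdminConsentDisplayName = $AdminDisplayName
        AdminConsentDescription = $AdminDescription
    }

    Update-MgApplication -ApplicationId $ApplicationId -Api @{ Oauth2PermissionScopes = ($kept + @($new)) }

    # Verify by reading the application back rather than trusting the PATCH call
    (Get-MgApplication -ApplicationId $ApplicationId -Property "api").Api.Oauth2PermissionScopes |
        Select-Object Value, Type, IsEnabled, Id
}

# Example call (placeholder values); $app is the object returned by New-MgApplication
# Add-AppOAuth2Scope -ApplicationId $app.Id -Value "Files.Read" `
#     -AdminDisplayName "Read files" -AdminDescription "Allows the app to read files as the signed-in user"
```

Two practical notes. Type = "Admin" means only an administrator can consent to the scope, which is the right default for anything beyond a user's own data. And when you later retire a scope, Graph will not let you remove an enabled one in a single call: set IsEnabled to $false in one update, then remove it from the collection in a second.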