I’m trying to create a script that asks for tenant admin credentials once and then:
- create app
- set my account as owner
- create app secret
- add specific application-type (Role, not delegated) API permissions such as “User.Read.All” and “Device.Read.All”
- consent admin permissions automatically from the script
I managed to do most of these using AzureAD module cmdlets, but I’m struggling with the consent step.
I’d like to avoid connecting to several services, and ideally I don’t want to type in my credentials multiple times.
Can someone help with this please?
Thanks in advance.
C
some code:
#this is huge so I won't post all of it here
# Lookup table of Microsoft Graph permissions consumed by Get-GraphPermissions below.
# Each entry holds PermissionName (e.g. "AccessReview.Read.All"), PermissionType
# ("Role" = application permission, "Scope" = delegated permission) and PermissionId
# (the GUID that ends up in the app's RequiredResourceAccess). The same name occurs
# once per type, each with its own id.
# NOTE(review): only the first entries are shown; the author elided the rest. The ids
# should be checked against the Microsoft Graph service principal's appRoles /
# oauth2PermissionScopes before being relied on.
$allPermissions = @(
@{ PermissionName = "AccessReview.Read.All"; PermissionType = "Role"; PermissionId = "d07a8cc0-3d51-4b77-b3b0-32704d1f69fa" },
@{ PermissionName = "AccessReview.Read.All"; PermissionType = "Scope"; PermissionId = "ebfcd32b-babb-40f4-a14b-42706e83bd28" },
@{ PermissionName = "AccessReview.ReadWrite.All"; PermissionType = "Role"; PermissionId = "ef5f7d5c-338f-44b0-86c3-351f46c8bb5f" },
...
)
function Get-GraphPermissions
{
    <#
    .SYNOPSIS
        Looks up Microsoft Graph permission entries in the script-level $allPermissions table.
    .PARAMETER PermissionName
        Permission name to match (e.g. "User.Read.All"); compared with -eq, so case-insensitive.
    .PARAMETER PermissionId
        Permission GUID to match instead of the name.
    .PARAMETER Role
        Keep only entries whose PermissionType is "Role" (application permissions).
    .PARAMETER Scope
        Keep only entries whose PermissionType is "Scope" (delegated permissions).
        Ignored when -Role is supplied as well.
    .OUTPUTS
        The matching hashtable(s) from $allPermissions, or nothing when there is no match.
    #>
    param (
        [Parameter(Mandatory = $true, ParameterSetName = 'ByName')]
        [string]$PermissionName,
        [Parameter(Mandatory = $true, ParameterSetName = 'ById')]
        [string]$PermissionId,
        [Parameter(Mandatory = $false, ParameterSetName = 'ByName')]
        [Parameter(Mandatory = $false, ParameterSetName = 'ById')]
        [switch]$Role,
        [Parameter(Mandatory = $false, ParameterSetName = 'ByName')]
        [Parameter(Mandatory = $false, ParameterSetName = 'ById')]
        [switch]$Scope
    )

    # Pick the lookup key from whichever parameter set bound.
    $found = switch ($PSCmdlet.ParameterSetName)
    {
        'ByName' { $allPermissions | Where-Object { $_.PermissionName -eq $PermissionName } }
        'ById'   { $allPermissions | Where-Object { $_.PermissionId -eq $PermissionId } }
    }

    # -Role wins over -Scope when both switches are present.
    $wantedType = $null
    if ($Role)
    {
        $wantedType = "Role"
    }
    elseif ($Scope)
    {
        $wantedType = "Scope"
    }

    if ($null -eq $wantedType)
    {
        return $found
    }
    return $found | Where-Object { $_.PermissionType -eq $wantedType }
}
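# Connect to Azure AD once; the returned context carries the signed-in account, which is
# reused below so no second credential prompt is needed.
$user = Connect-AzureAD -ErrorAction Stop

# Create app registration
$appName = "My Test App"
$myApp = New-AzureADApplication -DisplayName $appName -ErrorAction Stop

# Create the service principal: the app-role assignment (consent) below is made on the
# service principal, not on the application object.
$newSP = New-AzureADServicePrincipal -AppId $myApp.AppId -ErrorAction Stop

# Set owner to the signed-in admin. Get-AzureADUser -ObjectId accepts a UPN, so no OData
# filter string has to be assembled from the account name.
$admin = Get-AzureADUser -ObjectId $user.Account.Id -ErrorAction Stop
Add-AzureADApplicationOwner -ObjectId $myApp.ObjectId -RefObjectId $admin.ObjectId

# Application (Role) permissions to request on Microsoft Graph.
$reqPermissions = @(
    "Device.Read.All",
    "User.Read.All"
)

# Resolve each name to its Graph app-role id exactly once; the ids feed both the
# RequiredResourceAccess entry and the consent step, so an unknown name fails here
# instead of producing an empty ResourceAccess entry later.
$allPermissionIds = foreach ($name in $reqPermissions)
{
    $id = (Get-GraphPermissions -PermissionName $name -Role).PermissionId
    if (-not $id)
    {
        throw "No application (Role) permission named '$name' found in `$allPermissions"
    }
    $id
}

# Add required permissions to the app registration.
$req = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$req.ResourceAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
$req.ResourceAccess += $allPermissionIds | ForEach-Object { New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList ($_, "Role") }
Set-AzureADApplication -ObjectId $myApp.ObjectId -RequiredResourceAccess $req -ErrorAction Stop

# Grant admin consent for the application permissions: for Role permissions this is an
# app-role assignment from our service principal to the Microsoft Graph service principal,
# one per role id, which is what the portal's "Grant admin consent" creates for them.
# The signed-in account needs a directory role allowed to grant tenant-wide consent.
$graphSP = Get-AzureADServicePrincipal -Filter "AppId eq '$($req.ResourceAppId)'" -ErrorAction Stop
foreach ($roleId in $allPermissionIds)
{
    # NOTE(review): a just-created service principal may take a moment to replicate;
    # if this reports the principal as not found, retry after a short delay.
    New-AzureADServiceAppRoleAssignment -ObjectId $newSP.ObjectId -PrincipalId $newSP.ObjectId -ResourceId $graphSP.ObjectId -Id $roleId -ErrorAction Stop
}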