How to configure a new Azure AD application through Powershell?

Question:

I am creating a new Azure AD application through Powershell. I have successfully created the application and assigned a client_secret with the following PowerShell command:

$app = New-AzureRmADApplication -DisplayName "PowerShell-Test-POC2" -HomePage "http://www.microsoft.com" -IdentifierUris "http://kcuraonedrive.onmicrosoft.com/PowerShell-Test-POC2" -AvailableToOtherTenants $true

My question is how do I go about configuring this newly created application through Powershell, (i.e. Required permissions and Reply URLs)?

Answer:

I would suggest using the new Azure AD v2 cmdlets instead: https://learn.microsoft.com/en-us/powershell/azuread/v2/azureactivedirectory.

They are more versatile than the ARM ones, and allow you to specify things like keys and reply URLs more easily.

For example, to add reply URLs:

To add a required permission, you have to find out a couple of things. The service principal on which the permissions are defined: you will need its appId. (I found the Microsoft Graph API principal from my tenant.) Then you need to find the appRole or oauth2Permission that you want to require. You will need its id.

Then to add a delegated permission:

The ResourceAppId is the appId of the service principal for the Microsoft Graph API. The ResourceAccess object in this case contains two requirements. First one holds the id of the oauth2Permission I want to require, as well as specifying that it is a delegated permission. The second contains an app permission, the id is the object id of the appRole.

Scope = Delegated permission

Role = Application permission

To find the service principal you need, you can run:

Then get the principal and list out delegated permissions:

Or if you need an app permission:

The Id is the important one.

For scripts the nice thing is that the application id for MS services is always the same. The permission ids are also the same in all tenants. So for example:

  • Microsoft Graph API
    • AppId: 00000003-0000-0000-c000-000000000000
  • Azure AD Graph API
    • AppId: 00000002-0000-0000-c000-000000000000
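The steps the answer describes (create the app with its reply URLs, resolve the Microsoft Graph service principal, look up the delegated and application permission ids, build a RequiredResourceAccess, add a key) as one added PowerShell script. This is not code from the original answer. It assumes an authenticated Connect-AzureAD session with rights to create applications and the AzureAD v2 module installed (that module and AzureRm have since been deprecated in favour of Microsoft Graph PowerShell and Az, but these are the cmdlets the answer refers to). The display name, reply URL, identifier URI, the chosen permissions (User.Read as a delegated Scope, Directory.Read.All as an application Role) and the Get-PermissionId helper are illustrative assumptions; the helper resolves ids by permission name from the service principal rather than hard-coding GUIDs.

```powershell
# Added example, not from the original answer. Assumes: Connect-AzureAD already run,
# AzureAD v2 module installed, and that the names/URLs below are placeholders.

$graphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph; same in every tenant

# 1. Create the app with its reply URLs. Tokens and auth codes are sent to these URLs,
#    so list exact https entries only; a loose or http reply URL invites token theft.
$app = New-AzureADApplication -DisplayName "PowerShell-Test-POC2" `
    -IdentifierUris "https://kcuraonedrive.onmicrosoft.com/PowerShell-Test-POC2" `
    -ReplyUrls @("https://localhost:44300/signin-oidc")

# 2. Resolve the resource service principal by appId and look permission ids up by name.
#    (Hypothetical helper; a mistyped GUID would otherwise only fail at consent time.)
$graphSp = Get-AzureADServicePrincipal -Filter "appId eq '$graphAppId'"

function Get-PermissionId {
    param(
        [Parameter(Mandatory)] $ServicePrincipal,
        [Parameter(Mandatory)] [string] $Value,
        [Parameter(Mandatory)] [ValidateSet("Scope", "Role")] [string] $Type
    )
    # Scope = delegated permission (Oauth2Permissions); Role = application permission (AppRoles)
    $match = if ($Type -eq "Scope") {
        $ServicePrincipal.Oauth2Permissions | Where-Object { $_.Value -eq $Value }
    } else {
        $ServicePrincipal.AppRoles | Where-Object { $_.Value -eq $Value }
    }
    if (-not $match) {
        throw "Permission '$Value' ($Type) not found on $($ServicePrincipal.DisplayName)"
    }
    return $match.Id
}

# 3. Build the RequiredResourceAccess entry: one delegated scope and one application role.
#    Application permissions run without a signed-in user and need admin consent, so pick
#    the narrowest role that does the job.
$delegated = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" `
    -ArgumentList (Get-PermissionId $graphSp "User.Read" "Scope"), "Scope"
$appPerm = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" `
    -ArgumentList (Get-PermissionId $graphSp "Directory.Read.All" "Role"), "Role"

$required = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$required.ResourceAppId  = $graphAppId
$required.ResourceAccess = $delegated, $appPerm

Set-AzureADApplication -ObjectId $app.ObjectId -RequiredResourceAccess $required

# 4. Add a client secret. The Value is returned only once: hand it to a vault, never
#    commit it with the script.
$secret = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
    -EndDate (Get-Date).AddMonths(6)
$secret.Value | Out-Null   # e.g. Set-AzKeyVaultSecret, or whatever store you use

# 5. Read back what was written: reply URLs and the (Id, Type) pairs of each required permission.
$check = Get-AzureADApplication -ObjectId $app.ObjectId
$check.ReplyUrls
$check.RequiredResourceAccess | ForEach-Object { $_.ResourceAccess | Select-Object Id, Type }
```

Setting RequiredResourceAccess only records what the app asks for; nothing is granted until a user or admin consents, and for a Role entry that consent has to come from an admin. Checking the read-back Id/Type pairs against what you intended is the quickest way to catch a Scope/Role mix-up before consent is requested.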

Source:

How to configure a new Azure AD application through Powershell? by licensed under CC BY-SA
