Powershell – Do “Grant Permissions” action on Azure AD Application with Powershell

Question 1

I’m creating an Azure AD application using AzureAD module to call Microsoft Graph API. I can successfully generate the access token. But, when I try to call the API I have an error “message”: “Invalid scope claims/roles.”.

When I click on “Grant Permissions” button in my created application in Azure Portal and retry the call to API, the call is working.

I don’t find anywhere how to do this “Grant Permissions” actions with Powershell. Is there a way to do that ?

Thanks

Damien

Question 2

There is an easy way to do this (as admin), it requires you have the AzureAD and AzureRM modules installed for Powershell and is not supported by Microsoft.

Original post / reference to my blog is here: http://www.lieben.nu/liebensraum/2018/04/how-to-grant-oauth2-permissions-to-an-azure-ad-application-using-powershell-unattended-silently/

The specific code sample that should help you accomplish this:

Function Grant-OAuth2PermissionsToApp{
Param(
    [Parameter(Mandatory=$true)]$Username, #global administrator username
    [Parameter(Mandatory=$true)]$Password, #global administrator password
    [Parameter(Mandatory=$true)]$azureAppId #application ID of the azure application you wish to admin-consent to
)

$secpasswd = ConvertTo-SecureString $Password -AsPlainText -Force
$mycreds = New-Object System.Management.Automation.PSCredential ($Username, $secpasswd)
$res = login-azurermaccount -Credential $mycreds
$context = Get-AzureRmContext
$tenantId = $context.Tenant.Id
$refreshToken = @($context.TokenCache.ReadItems() | where {$_.tenantId -eq $tenantId -and $_.ExpiresOn -gt (Get-Date)})[0].RefreshToken
$body = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
$apiToken = Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'
$header = @{
'Authorization' = 'Bearer ' + $apiToken.access_token
'X-Requested-With'= 'XMLHttpRequest'
'x-ms-client-request-id'= [guid]::NewGuid()
'x-ms-correlation-id' = [guid]::NewGuid()}
$url = "https://main.iam.ad.ext.azure.com/api/RegisteredApplications/$azureAppId/Consent?onBehalfOfAll=true"
Invoke-RestMethod -Uri $url -Headers $header -Method POST -ErrorAction Stop
}

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

Function Grant-OAuth2PermissionsToApp{

Param(

[Parameter(Mandatory=$true)]$Username, #global administrator username

[Parameter(Mandatory=$true)]$Password, #global administrator password

[Parameter(Mandatory=$true)]$azureAppId #application ID of the azure application you wish to admin-consent to

)

$secpasswd = ConvertTo-SecureString $Password -AsPlainText -Force

$mycreds = New-Object System.Management.Automation.PSCredential ($Username, $secpasswd)

$res = login-azurermaccount -Credential $mycreds

$context = Get-AzureRmContext

$tenantId = $context.Tenant.Id

$refreshToken = @($context.TokenCache.ReadItems() | where {$_.tenantId -eq $tenantId -and $_.ExpiresOn -gt (Get-Date)})[0].RefreshToken

$body = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"

$apiToken = Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'

$header = @{

'Authorization' = 'Bearer ' + $apiToken.access_token

'X-Requested-With'= 'XMLHttpRequest'

'x-ms-client-request-id'= [guid]::NewGuid()

'x-ms-correlation-id' = [guid]::NewGuid()}

$url = "https://main.iam.ad.ext.azure.com/api/RegisteredApplications/$azureAppId/Consent?onBehalfOfAll=true"

Invoke-RestMethod -Uri $url -Headers $header -Method POST -ErrorAction Stop

}

Powershell – Do “Grant Permissions” action on Azure AD Application with Powershell

Question:

Answer:

Source:

Powershell – Do “Grant Permissions” action on Azure AD Application with Powershell by stackoverflow.com licensed under CC BY-SA | With most appropriate answer!

Leave a Reply Cancel reply