-
Notifications
You must be signed in to change notification settings - Fork 0
/
AppRegistration.azcli
45 lines (29 loc) · 1.99 KB
/
AppRegistration.azcli
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
# login
az login
#View All API Permissions Microsoft Graph to see what is available
$Permissions = az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" | ConvertFrom-Json
#to see all permissions
$Permissions.appRoles | Select-Object -Property value,allowedMemberTypes,description
# Get select permission from list above and id to use in next command
$Permissions.appRoles | Select-Object -Property value,allowedMemberTypes,id,description | Where-Object {$_.value -eq "User.Read.All"}
# Create service principal
az ad app create --display-name "Alit-GraphAPI"
# Graph API App ID: from output
# Reset app secret to get new secret
az ad app credential reset --id 13d15b6f-94ad-4df4-a88d-72f355e5f92d
# Graph API App Secret: from output
# set secret to 3 years
#az ad app credential reset --id 13d15b6f-94ad-4df4-a88d-72f355e5f92d --years 3
# Add Microsoft Graph application permission user.read.all # Guide https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest
az ad app permission add --id 13d15b6f-94ad-4df4-a88d-72f355e5f92d --api 00000003-0000-0000-c000-000000000000 --api-permissions df021288-bdef-4463-88db-98f22de89214=Role
# Grant admin consent #this needs to be done by a global admin
az ad app permission admin-consent --id 13d15b6f-94ad-4df4-a88d-72f355e5f92d
# Get app id and secret if we forgot
az ad app list --query "[?displayName=='Alit-GraphAPI'].{id:appId,secret:passwordCredentials[0].value}"
#get app api permissions
az ad app permission list --id 13d15b6f-94ad-4df4-a88d-72f355e5f92d --output json
# References:
# https://www.nielskok.tech/azure-ad/view-all-api-permissions-microsoft-graph/
# https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal
# https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-authenticate-service-principal-cli
# https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps