Previously, I have written about creating an Azure AD App registration using the Microsoft Graph API and PowerShell. But since then, the beta endpoint for creating app registrations had stopped working as reported in this GitHub issue: https://github.com/microsoftgraph/microsoft-graph-docs/issues/1365
Fortunately, I have recently discovered a great way to create Azure AD App Registrations using the Azure CLI 2.0. This also includes adding any permissions the app requires on resources e.g. Microsoft Graph, Office 365 SharePoint Online etc. This has not been previously possible with the Azure AD PowerShell Cmdlets.
So in this post, let's go through what is needed to achieve this:
First, you need to have the Azure CLI 2.0 installed on your machine. Follow this link to get it if you haven't already:
Once you have the CLI, here is the code to create an Azure AD App Registration including the required permissions:
The JSON in the requiredResourceManifest.json file can be fetched from the manifest of an App registration already created in Azure AD. So the recommendation would be to manually create an App Registration in Azure AD and configure the required permissions. Once you have the right set of permissions, edit the manifest and grab the JSON from the requiredResourceAccess array.
Trusting the App:
Update (5th April 2019):
The Azure CLI now has a command to grant the app permissions on behalf of the admin as well
az ad app permission admin-consent --id [--subscription]
If you still want to use the portal to grant the permissions you can do so as an Admin by going to the app and clicking on the "Grant Permissions" button:
For more possibilities with the Azure CLI 2.0, checkout the reference: https://docs.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest
Your blog post is really helpful.
Could you explain more on what is expected for uniqueGUID and executingScriptDirectory please.
If I already created an new webapp service where can I get those parameters from?
Nice article mate. Very helpful.
Recently I noticed that there is a command for admin consent - https://docs.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-admin-consent
Example usage might be
$appId = $(az ad app list --display-name $azureADAppDisplayName --query .appId -o tsv);
az ad app permission admin-consent --id $appId;
Post a Comment