1
votes

I have code in the Az module of PowerShell that creates an app ID and an app secret and assigns API permissions. How do I grant admin consent to all the API permissions that I assigned to the AzApp?

...
$context = Get-AzContext
# Token for the (legacy) Azure AD Graph API, which the PATCH below targets
$ResourceAppIdURI = "https://graph.windows.net/"
$token = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, $ResourceAppIdURI).AccessToken

$headers = @{ }
$headers.Add("Content-Type", "application/json")
$headers.Add("Accept", "application/json")
$headers.Add("Authorization", "Bearer $($token)")

# Object id of the application registration created earlier (elided above)
$objectID = $myApp.ObjectId
$url = "https://graph.windows.net/$tenant/applications/{0}?api-version=1.6" -f $objectID
Write-Host "URL: " $url

# requiredResourceAccess declares the Microsoft Graph (00000003-...) permissions the app requests:
# "Scope" = delegated permission, "Role" = application permission.
# Declaring them on the application does not grant admin consent.
$postData = "{`"requiredResourceAccess`":[
    {`"resourceAppId`":`"00000003-0000-0000-c000-000000000000`",
    `"resourceAccess`":[
        {`"id`":`"e1fe6dd8-ba31-4d61-89e7-88639da4683d`",`"type`":`"Scope`"},
        {`"id`":`"7ab1d382-f21e-4acd-a863-ba3e13f7da61`",`"type`":`"Role`"},
        {`"id`":`"5b567255-7703-4780-807c-7be8301ae99b`",`"type`":`"Role`"},
        {`"id`":`"e2a3a72e-5f79-4c64-b1b1-878b674786c9`",`"type`":`"Role`"},
        {`"id`":`"df021288-bdef-4463-88db-98f22de89214`",`"type`":`"Role`"}
        ]
    }]
}"
Invoke-RestMethod -Uri $url -Method "PATCH" -Headers $headers -Body $postData

Write-Host "App created..."
Write-Host "AppID: " $myApp.ApplicationId
Write-Host "App Secret: " $secret
Write-Host "TenantID: " $tenant.Id
2
I suggest that you have a look at this guide: samcogan.com/… (Daniel Björk)
Hi Alva, did you have a chance to look into my answer? Is it helpful? (Allen Wu)
@AllenWu just 1 correction is that the resourceId is not a fixed value. It's different for me. (Alva)
Ah…I'm sorry for the mistake. You are right. It's different for each tenant. Thank you for your correction. I have updated my answer. If my answer is helpful for you, you can accept it as answer. Thank you. (Allen Wu)
@AllenWu is there any way to fetch the resourceId through the PowerShell script itself rather than searching for it in the Azure portal? (Alva)

2 Answers

2
votes

There is no API exposed by Microsoft to grant admin consent for an Azure AD application / service principal. You can vote for this post on User Voice.

There is a workaround:

Call the Microsoft Graph APIs "Create a delegated permission grant" and "Grant an appRoleAssignment to a service principal" from PowerShell.

A sample for your reference:

$context = Get-AzContext
$ResourceAppIdURI = "https://graph.windows.net/"
$ResourceGraphURI = "https://graph.microsoft.com/"
# Token for Azure AD Graph (not used by the two calls below) and token for Microsoft Graph
$token = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, $ResourceAppIdURI).AccessToken
$graphToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, $ResourceGraphURI).AccessToken

# Object id of your app's service principal (the client) and of the Microsoft Graph service principal (the resource)
$clientID = "d154cc56-f1a2-4906-9f26-bfb4756f9c20"
$resourceID = "08a1faff-51c1-4cbb-81c4-1bc11286da76"
# Delegated permissions to consent to, space-separated
$scopes = "Sites.Read.All User.Read User.Read.All User.ReadBasic.All"

# 1. Delegated permissions: an AllPrincipals grant (principalId = null) is the tenant-wide admin consent
$body = @{
    clientId    = $clientID
    consentType = "AllPrincipals"
    principalId = $null
    resourceId  = $resourceID
    scope       = $scopes
    startTime   = "2019-10-19T10:37:00Z"
    expiryTime  = "2020-10-19T10:37:00Z"
}

$apiUrl = "https://graph.microsoft.com/beta/oauth2PermissionGrants"
Invoke-RestMethod -Uri $apiUrl -Headers @{Authorization = "Bearer $($graphToken)" }  -Method POST -Body $($body | ConvertTo-Json) -ContentType "application/json"

# 2. Application permission: assign the app role to the service principal (same object id as $clientID)
$principalId = "d154cc56-f1a2-4906-9f26-bfb4756f9c20"

$body1 = @{
    principalId = $principalId
    resourceId  = $resourceID
    appRoleId   = "df021288-bdef-4463-88db-98f22de89214"
}

$apiUrl1 = "https://graph.microsoft.com/beta/servicePrincipals/$($principalId)/appRoleAssignedTo"
Invoke-RestMethod -Uri $apiUrl1 -Headers @{Authorization = "Bearer $($graphToken)" }  -Method POST -Body $($body1 | ConvertTo-Json) -ContentType "application/json"

For the first call https://graph.microsoft.com/beta/oauth2PermissionGrants:

clientID is the object id of the service principal (not the Azure AD application); you can find it using Get-AzADServicePrincipal. You can also find it in the Azure Portal under Azure Active Directory - Enterprise Applications by searching for the name of your Azure AD application.

resourceID is the object id of the Microsoft Graph service principal. You can find it under Enterprise applications (search for "00000003-0000-0000-c000-000000000000").

scopes are the delegated permissions for which you want to grant admin consent.

For the second call https://graph.microsoft.com/beta/servicePrincipals/$($principalId)/appRoleAssignedTo:

principalId is the same as clientID mentioned above.

appRoleId is the application permission id.
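The comments ask how to fetch the resourceId from the script itself instead of the portal. As an added example (not code from either answer), the following resolves the Microsoft Graph service principal's object id and its permission ids by name, then grants delegated and application permissions only where no grant exists yet. It assumes an Az.Accounts 2.x session where Get-AzAccessToken returns a plain-text .Token, and $clientSpId is a placeholder for your own service principal's object id.

```powershell
# Added example, not from either answer: look up the Microsoft Graph service principal's
# object id and permission ids by name instead of hard-coding them, then grant consent
# only where no grant exists yet. Assumes an Az session (Connect-AzAccount) with
# Az.Accounts 2.x, where Get-AzAccessToken returns a plain-text .Token.
$graph   = "https://graph.microsoft.com/v1.0"
$headers = @{ Authorization = "Bearer $((Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com').Token)" }

# Object id of YOUR app's service principal (Enterprise application), the clientID of the answer above.
$clientSpId = "<CLIENT-SERVICE-PRINCIPAL-OBJECT-ID>"   # placeholder, set for your tenant

# Microsoft Graph's appId is the same in every tenant; its service principal object id (resourceId) is not.
$graphSp = (Invoke-RestMethod -Headers $headers -Uri "$graph/servicePrincipals?`$filter=appId eq '00000003-0000-0000-c000-000000000000'").value[0]

# Permissions to consent to, by name (constructed sample input).
$delegated = @("User.Read", "User.ReadBasic.All")   # delegated scopes
$appRoles  = @("User.Read.All")                     # application permissions

# Fail on unknown names rather than silently granting less than intended.
foreach ($name in $delegated) {
    if (-not ($graphSp.oauth2PermissionScopes | Where-Object { $_.value -eq $name })) { throw "Unknown delegated scope: $name" }
}
$roleIds = foreach ($name in $appRoles) {
    $role = $graphSp.appRoles | Where-Object { $_.value -eq $name -and $_.allowedMemberTypes -contains "Application" }
    if (-not $role) { throw "Unknown application permission: $name" }
    $role.id
}

# 1. Delegated permissions: a tenant holds at most one AllPrincipals grant per client/resource pair,
#    so PATCH the existing grant's scope instead of POSTing a duplicate.
$grantUri = "$graph/oauth2PermissionGrants"
$existing = @((Invoke-RestMethod -Headers $headers -Uri "$grantUri?`$filter=clientId eq '$clientSpId' and resourceId eq '$($graphSp.id)'").value |
              Where-Object { $_.consentType -eq "AllPrincipals" })
if ($existing) {
    $merged = ((($existing[0].scope -split ' ') + $delegated) | Where-Object { $_ } | Sort-Object -Unique) -join ' '
    Invoke-RestMethod -Headers $headers -Method PATCH -ContentType "application/json" -Uri "$grantUri/$($existing[0].id)" -Body (@{ scope = $merged } | ConvertTo-Json)
} else {
    $grant = @{ clientId = $clientSpId; consentType = "AllPrincipals"; resourceId = $graphSp.id; scope = ($delegated -join ' ') }
    Invoke-RestMethod -Headers $headers -Method POST -ContentType "application/json" -Uri $grantUri -Body ($grant | ConvertTo-Json)
}

# 2. Application permissions: one appRoleAssignment per role; skip roles already assigned for this resource.
$assigned = (Invoke-RestMethod -Headers $headers -Uri "$graph/servicePrincipals/$clientSpId/appRoleAssignments").value
foreach ($roleId in $roleIds) {
    if ($assigned | Where-Object { $_.appRoleId -eq $roleId -and $_.resourceId -eq $graphSp.id }) { continue }
    $assignment = @{ principalId = $clientSpId; resourceId = $graphSp.id; appRoleId = $roleId }
    Invoke-RestMethod -Headers $headers -Method POST -ContentType "application/json" -Uri "$graph/servicePrincipals/$clientSpId/appRoleAssignedTo" -Body ($assignment | ConvertTo-Json)
}
```

Both calls require the caller to hold a directory role that can grant tenant-wide consent; the script fails on the first 403 rather than partially applying the permission set.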

0
votes

Actually, the Azure AD PowerShell module provides an equivalent cmdlet for Application Permissions: New-AzureADServiceAppRoleAssignment.

Even if it's poorly documented, the command adds the requested application permissions (and grants admin consent if you have the right to do so) to your AAD Application (through the service principal).

# If it's not the case, declare your AAD Application as a service principal (Enterprise Application)
$aadappsp = New-AzureADServicePrincipal -AppId "AAD_APPLICATION_ID"

# Id of the application permission (role)
$roleId = "2a8d57a5-4090-4a41-bf1c-3c621d2ccad3" # TermStore.Read.All

# Object Id of the concerned Service Principal (could be Graph or SharePoint for example)
# (Not the Application Id like "00000003-0000-0ff1-ce00-000000000000" for SharePoint)
$aadSpObjectId = "c30e8a24-ff90-464e-aed3-7c39a7bdc280"

# Register the application permission
New-AzureADServiceAppRoleAssignment -ObjectId $aadappsp.ObjectId -Id $roleId -PrincipalId $aadappsp.ObjectId -ResourceId $aadSpObjectId

It's using a dedicated endpoint, so don't be surprised if you see this display once the command has executed correctly:

[Screenshot: AAD Permissions]

(permissions added through PowerShell appear as "Other permissions granted for...")

To avoid that, you have to first add them through the interface or with New-AzureADApplication (to register the permissions as "configured") and New-AzureADServicePrincipal (to grant admin consent properly for your organization).

Sadly, there's no cmdlet for granting admin consent on Delegated Permissions, so the answer provided by @Allen Wu still works in this case (just update the URIs to use v1.0 version instead of beta).