How to grant admin consent to an Azure AAD app in Powershell?

2
votes

I'm trying to authenticate an Azure Web App using Azure Active directory. I have taken the following steps, so far:

1- Through Azure portal, I have created an app registration in AAD, and assigned it to the web app following the instructions from here.

2- I assigned some users to my app using New-AzureADGroupAppRoleAssignment cmdlet, and then set user assignment as a requirement, using set-AzureADServicePrincipal -AppRoleAssignmentRequired $true

This works as expected: the users who are not assigned to the app, see an "access denied" page, and the ones who are, see a prompt page for "Admin consent".

The problem is there is no links in the admin consent prompt for them to request it. I tried to follow the instructions from here, but I don't have access to the AAD through the portal. I can only do this through Powershell.

If you know of the Powershell cmdlet for setting this link (or to change the admin consent to user consent), I would be grateful if you could post it here.

3
azurepowershellauthenticationactive-directory

3 Answers

3
votes

There is no command to grant admin consent in PowerShell currently, in your case, if you can access Azure AD with powershell, I think you can also access it via Azure CLI.

So my workaround is to use az ad app permission admin-consent in Azure CLI, it is an equivalent of the admin consent button in the portal.

Make sure you have installed the Azure CLI, use az login to login the user account or service principal which is the admin in your AAD tenant, then run the command below.

az ad app permission admin-consent --id <application-id>
2
votes

You have two choices. Admin consent can be granted if you have global admin permission via the portal or the AZ cli. The easiest way is via the portal. Just go to AAD, app registrations, then find your app. Go to the permissions blade. You should see a consent button. I don’t remember the AZ cli command off the top of my head, but it’s probably easier to just do it in the portal.

2
votes

After trying to get this to work with a Service Principal, which it turns out isn't possible as this can only be executed by a User account az ad app permission admin-consent --id <application-id> will be depricated in a future release as discussed on this Issue thread:

https://github.com/Azure/azure-cli/issues/12137

The advised way to grant admin consent to API's is now:

az ad app permission grant --id 46eb4122-bd2b-4f54-af7b-6d79b46ee31a 
                           --api 00000003-0000-0000-c000-000000000000
                           --scope "Directory.Read.All Directory.ReadWrite.All"

Microsoft Docs: az ad app permission grant