0
votes

Is there any way to achieve creating an Azure AD App Registration for multi-tenant and personal accounts using PowerShell? Nothing in this document helps me do that: https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadapplication?view=azureadps-2.0

2 Answers

2
votes

Yes, as mentioned by Allen, the AD App type property is managed by the -SignInAudience parameter, but when you use New-AzureADApplication with -SignInAudience, it will give the error "Property 'signInAudience' is read-only and cannot be set", as New-AzureADApplication essentially calls the old Azure AD Graph.

To solve the issue, you could call the Microsoft Graph - Create application manually in PowerShell as mentioned by Allen; you could also use the new command New-AzureADMSApplication, which calls the Microsoft Graph directly.

Make sure your AzureAD PowerShell module is not too old, then use the command below.

New-AzureADMSApplication -DisplayName "joytest678" -SignInAudience "AzureADandPersonalMicrosoftAccount"


Check in the portal:


1
votes

The AAD app type property should be -SignInAudience. But it's read-only in AAD PowerShell.

So the workaround is to call Microsoft Graph to modify this property.

A sample for your reference (modify {client_id}, {client_secret} and {tenant_id} to yours, and grant the Application.ReadWrite.All application permission to your app registration as per "Update application" permissions):

# Sign in with the AzureAD module and create the app (its signInAudience defaults to single tenant).
Connect-AzureAD

$App = New-AzureADApplication -DisplayName "PSMultiApp02"

# Build a multipart/form-data client-credentials request for an app-only Microsoft Graph token.
$boundary = [System.Guid]::NewGuid().ToString();
$LF = "`r`n";

$bodyLines = (
    "--$boundary",
    "Content-Disposition: form-data; name=`"grant_type`"$LF",
    "client_credentials$LF",
    "--$boundary",
    "Content-Disposition: form-data; name=`"client_id`"$LF",
    "{client_id}$LF",
    "--$boundary",
    "Content-Disposition: form-data; name=`"scope`"$LF",
    "https://graph.microsoft.com/.default$LF",
    "--$boundary",
    "Content-Disposition: form-data; name=`"client_secret`"$LF",
    "{client_secret}$LF",
    "--$boundary--$LF"
) -join $LF

$AuthTokenRequestHeaders = @{
    "Cache-Control" = "no-cache"
}

# Request the token from the v2.0 endpoint of your tenant.
$AuthTokenResponse = Invoke-RestMethod 'https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token' -Method 'POST' -ContentType "multipart/form-data; boundary=`"$boundary`"" -Body $bodyLines -Headers $AuthTokenRequestHeaders

$authToken = $AuthTokenResponse.access_token

$headers = @{ }
$headers.Add("Content-Type", "application/json")
$headers.Add("Authorization", "Bearer $($authToken)")

# Personal Microsoft accounts require v2 access tokens, so set requestedAccessTokenVersion along with signInAudience.
$postData = "{
    `"signInAudience`":`"AzureADandPersonalMicrosoftAccount`",
    `"api`":{`"requestedAccessTokenVersion`": 2}
}";

# PATCH the application object (Graph uses the object id, not the app/client id).
$requestURI = "https://graph.microsoft.com/v1.0/applications/$($App.ObjectId)"

$Result = Invoke-RestMethod -Uri $requestURI -Method PATCH -Headers $headers -Body $postData
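As an added example (not part of either answer), the same Graph PATCH wrapped in functions that use the standard form-urlencoded token request and then read the application back to confirm signInAudience actually changed; the function names, the {tenant_id}/{client_id}/{client_secret} placeholders and the $App variable from the answer above are assumptions.

```powershell
# Added example, not the answer's own code. Placeholders in braces must be replaced.
function Get-GraphAppToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret)
    # A hashtable body is sent as application/x-www-form-urlencoded, which the token endpoint expects.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $resp = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body
    return $resp.access_token
}

function Set-AppSignInAudience {
    param(
        [string]$Token,
        [string]$AppObjectId,
        [ValidateSet('AzureADMyOrg', 'AzureADMultipleOrgs', 'AzureADandPersonalMicrosoftAccount', 'PersonalMicrosoftAccount')]
        [string]$Audience
    )
    $headers = @{ Authorization = "Bearer $Token" }
    $uri = "https://graph.microsoft.com/v1.0/applications/$AppObjectId"

    $patch = @{ signInAudience = $Audience }
    # Audiences that admit personal Microsoft accounts require v2 access tokens.
    if ($Audience -like '*PersonalMicrosoftAccount*') {
        $patch.api = @{ requestedAccessTokenVersion = 2 }
    }
    Invoke-RestMethod -Method Patch -Uri $uri -Headers $headers -ContentType 'application/json' `
        -Body ($patch | ConvertTo-Json -Depth 3) | Out-Null

    # A 204 from PATCH is not proof the property changed; read it back and compare.
    $selectUri = $uri + '?$select=id,displayName,signInAudience,api'
    $app = Invoke-RestMethod -Method Get -Uri $selectUri -Headers $headers
    if ($app.signInAudience -ne $Audience) {
        throw "signInAudience is '$($app.signInAudience)', expected '$Audience'"
    }
    return $app
}

# Usage with the $App created by New-AzureADApplication in the answer above:
# $token = Get-GraphAppToken -TenantId '{tenant_id}' -ClientId '{client_id}' -ClientSecret '{client_secret}'
# Set-AppSignInAudience -Token $token -AppObjectId $App.ObjectId -Audience 'AzureADandPersonalMicrosoftAccount'
```

The verification GET is the part worth keeping even if you script the change differently: it catches the silent case where the PATCH is accepted but the audience stays AzureADMyOrg.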