How to give grant permissions for an app in Azure AD using PowerShell
Trying to automate the Azure app registration process using PowerShell.
Need some help with giving grant permission for an app after assigning API permissions using PowerShell. Can anyone help me with this?
And is there any better way to automate the Azure app registration process other than PowerShell?
Try this:

    Login-AzureRmAccount

    function get-azureRMToken() {
        <#
        .Synopsis
        This function gets the access token for the use
        #>
        try {
            $context = Get-AzureRmContext
            $tenantId = $context.Tenant.Id
            # Take the first unexpired cached token entry for this tenant and use its refresh token
            $refreshToken = @($context.TokenCache.ReadItems() | where {$_.tenantId -eq $tenantId -and $_.ExpiresOn -gt (Get-Date)})[0].RefreshToken
            # Exchange the refresh token for an access token for the resource ID below
            $body = "grant_type=refresh_token&refresh_token=$($refreshToken)&resource=74658136-14ec-4630-ad9b-26e160ff0fc6"
            $apiToken = Invoke-RestMethod "https://login.windows.net/$tenantId/oauth2/token" -Method POST -Body $body -ContentType 'application/x-www-form-urlencoded'
            return $apiToken.access_token
        }
        catch {
            Write-Output "Exception.Message=$($_.Exception.Message); ScriptStackTrace=$($_.ScriptStackTrace); Exception.StackTrace=$($_.Exception.StackTrace); FullyQualifiedErrorId=$($_.FullyQualifiedErrorId); Exception.InnerException=$($_.Exception.InnerException)"
        }
    }

    function grant-aap-required-permission() {
        <#
        .Synopsis
        This function invoke azure rest to grant permission.
        #>
        Param(
            [Parameter(Mandatory = $true)]$azureAppId
        )
        try {
            $token = get-azureRMToken
            $header = @{
                'Authorization'          = 'Bearer ' + $token
                'X-Requested-With'       = 'XMLHttpRequest'
                'x-ms-client-request-id' = [guid]::NewGuid()
                'x-ms-correlation-id'    = [guid]::NewGuid()
            }
            # onBehalfOfAll=true requests consent on behalf of all users
            $url = "https://main.iam.ad.ext.azure.com/api/RegisteredApplications/$azureAppId/Consent?onBehalfOfAll=true"
            Invoke-RestMethod -Uri $url -Headers $header -Method POST -ErrorAction Stop
        }
        catch {
            Write-Output "Exception.Message=$($_.Exception.Message); ScriptStackTrace=$($_.ScriptStackTrace); Exception.StackTrace=$($_.Exception.StackTrace); FullyQualifiedErrorId=$($_.FullyQualifiedErrorId); Exception.InnerException=$($_.Exception.InnerException)"
        }
    }

It seems that we can now use the Azure CLI in PowerShell. I can grant permission with a single command.

    az ad app permission grant --id $appId --api $apiAppId --scope $scope

This worked on the Azure Cloud Shell where $appId, $apiAppId, and $scope are regular PowerShell variables.
The documentation for this command is here: https://docs.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az_ad_app_permission_grant
Note that $scope should be the Value property from the Oauth2Permission you are using.
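
An added example, not part of either answer: a wrapper around the `az ad app permission grant` command above that first checks every requested scope against the scope values published on the API's service principal, then reads the resulting grants back for review. The function name is hypothetical; it assumes the Azure CLI is already logged in, and that the scopes appear under `oauth2PermissionScopes` or `oauth2Permissions` depending on the CLI version.

```powershell
# Added example. $AppId, $ApiAppId and $Scope correspond to the $appId, $apiAppId
# and $scope variables in the answer above; the function name is hypothetical.
function Grant-AppPermissionChecked {
    param(
        [Parameter(Mandatory = $true)][string]$AppId,     # client application (appId)
        [Parameter(Mandatory = $true)][string]$ApiAppId,  # API being called (appId)
        [Parameter(Mandatory = $true)][string]$Scope      # space-separated scope values
    )

    # Read the API's service principal to see which delegated scopes it publishes.
    $sp = az ad sp show --id $ApiAppId --output json | ConvertFrom-Json
    if ($LASTEXITCODE -ne 0 -or -not $sp) {
        throw "Service principal for API $ApiAppId not found."
    }

    # Assumption: the property is 'oauth2PermissionScopes' on newer CLI versions
    # and 'oauth2Permissions' on older ones; whichever is absent contributes nothing.
    $published = @($sp.oauth2PermissionScopes) + @($sp.oauth2Permissions) |
        Where-Object { $_ } |
        ForEach-Object { $_.value }

    # Refuse to grant anything the API does not define (typos, wrong API).
    $requested = @($Scope -split '\s+' | Where-Object { $_ })
    $unknown   = @($requested | Where-Object { $published -notcontains $_ })
    if ($unknown.Count -gt 0) {
        throw "Scope(s) not published by ${ApiAppId}: $($unknown -join ', ')"
    }

    # Grant exactly the validated scopes, passed as one space-separated argument.
    az ad app permission grant --id $AppId --api $ApiAppId --scope ($requested -join ' ')
    if ($LASTEXITCODE -ne 0) {
        throw "az ad app permission grant failed for $AppId."
    }

    # Return the grants now recorded for the app so they can be reviewed or logged.
    az ad app permission list-grants --id $AppId --output json | ConvertFrom-Json
}

# Usage with the variables from the answer:
# Grant-AppPermissionChecked -AppId $appId -ApiAppId $apiAppId -Scope $scope
```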