
"Unary Operator Expected" error when deploying ps1 script using Azure Cloud Shell

I have a PowerShell script that creates an Azure App Registration and Service Principal and gives it permissions in a Management Group. A majority of it functions properly; the issue I'm having with the script is granting admin consent to the permissions granted to the application registration.

In the script below you'll notice I attempt this by calling the API via an az rest command, but this returns unary operator expected '--'. Has anyone had any luck using the az cli in Azure Cloud Shell and programmatically granting admin consent on app registrations?

#!/usr/local/bin/pwsh
# This powershell script creates an app registration and assigns it the owner role to a management group

# Command used to run script ./test-appregistration.ps1 -ManagementGroupName <Management Group Name> -AppRegistrationName <App Name> -ReplyURL <Redirect URL>

# Input Variable(s)
param(
  [Parameter(Mandatory = $true)]
  [string] $ManagementGroupName,
  [Parameter(Mandatory = $true)]
  [string] $AppRegistrationName,
  [Parameter(Mandatory = $true)]
  [string] $ReplyURL
)

### Permission endpoints in the $permissions array variable
# UserRead = "06da0dbc-49e2-44d2-8312-53f166ab848a=Scope"
# DirectoryReadAll = "e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope"
# UserReadAll = "62a82d76-70ea-41e2-9197-370581804d09=Role"
# GroupsReadWriteAll = "df021288-bdef-4463-88db-98f22de89214=Role"

# Variables
$MSGraphId = "00000003-0000-0000-c000-000000000000"
$permissions = @("06da0dbc-49e2-44d2-8312-53f166ab848a=Scope", "e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope", "62a82d76-70ea-41e2-9197-370581804d09=Role", "df021288-bdef-4463-88db-98f22de89214=Role")

# Confirming AZ CLI is installed on localhost
Write-Host "Verifying AZ CLI is installed..."
$azcli = az version --query '\"azure-cli\"'

if ($null -eq $azcli) {
  # Write the message before throwing; anything after a throw is never reached
  Write-Host "AZ CLI not installed; aborting script execution."
  throw "Azure CLI not installed. Please install the Azure CLI and try again"
}
else {
  Write-Host "Azure CLI version $azcli is installed on localhost; moving forward with script execution"
}
Start-Sleep -s 3

# Check if logged into Azure
$azContext = az account show --query '[environmentName,tenantId,user.name]' -o tsv 2>&1
if ($azContext -match "ERROR: Please run 'az login' to setup account.") {
  Write-Host "Logging into Azure"
  az login
}
else {
  Write-Host "You are already logged in, your current context is $azContext"
}

#Create Client Secret
$pwArr = "!?@#$%^&*0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz".tochararray() 
$Password = ($pwArr | Get-Random -Count 20) -Join ''

# App Registration Creation
$appId = az ad app create --display-name $AppRegistrationName --reply-urls $ReplyURL --password $Password --credential-description "CT Secret" --end-date '2299-12-12' --query "appId" -o tsv
Write-Host "App Registration $AppRegistrationName created with Client Id $appId"
Start-Sleep -s 10

# Create a Service Principal for the App Registration
$appSP = az ad sp create --id $appId --query "objectId" -o tsv
Write-Host "Service principal for App Registration $AppRegistrationName created with ID $appSP."

az role assignment create --role "User Access Administrator" --assignee-object-id $appSP
az ad app permission grant --id $appId --api $MSGraphId --debug

# Add API Permissions to App Registration
foreach ($permission in $permissions) {
  az ad app permission add --id $appId --api $MSGraphId --api-permissions $permission
}
Write-Host "Microsoft Graph Permissions with Id $MSGraphId added to App Registration"
Start-Sleep -s 10

# This is the call that fails in Cloud Shell with "unary operator expected '--'"
foreach ($permission in $permissions) {
  az rest --method POST --uri https://graph.microsoft.com/beta/servicePrincipals/$MSGraphId/appRoleAssignments --header Content-Type=application/json --body '{
          "principalId": $appSP,
          "resourceId": $MSGraphId,
          "appRoleId": $permissions
        }'
}

# Retrieve Object Id from Service Principal
$spId = az ad sp show --id $appId --query "objectId" -o tsv
Write-Host "$AppRegistrationName Service Principal Object Id is $spId"
Start-Sleep -s 5

# Gets Management Group and assigns the Service Principal the Owner role on Management Group
az role assignment create --role "Owner" --assignee-object-id $spId --scope "/providers/Microsoft.Management/managementGroups/$ManagementGroupName"
Write-Host "$AppRegistrationName assigned Owner permissions to Management Group $ManagementGroupName"
Start-Sleep -s 5

# Gets Required Output from Script
# NOTE: $domain is never assigned anywhere in this script, so this line prints an empty value
Write-Output `n "Domain name(s) for Azure AD Tenant is/are $domain"
Write-Output `n "App Registration Client Id = $appId" 
Write-Output `n "Client Secret of App Registration = $Password"

If you want to complete Azure AD admin consent with Azure CLI, you can use the command az ad app permission admin-consent. For more details, please refer here.

For example:

# Variables
$MSGraphId = "00000003-0000-0000-c000-000000000000"
$permissions = @("06da0dbc-49e2-44d2-8312-53f166ab848a=Scope", "e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope", "62a82d76-70ea-41e2-9197-370581804d09=Role", "df021288-bdef-4463-88db-98f22de89214=Role")

# Confirming AZ CLI is installed on localhost
Write-Host "Verifying AZ CLI is installed..."
$azcli = az version --query '\"azure-cli\"'

if ($null -eq $azcli) {
  # Write the message before throwing; anything after a throw is never reached
  Write-Host "AZ CLI not installed; aborting script execution."
  throw "Azure CLI not installed. Please install the Azure CLI and try again"
}
else {
  Write-Host "Azure CLI version $azcli is installed on localhost; moving forward with script execution"
}
Start-Sleep -s 3

# Check if logged into Azure
$azContext = az account show --query '[environmentName,tenantId,user.name]' -o tsv 2>&1
if ($azContext -match "ERROR: Please run 'az login' to setup account.") {
  Write-Host "Logging into Azure"
  az login
}
else {
  Write-Host "You are already logged in, your current context is $azContext"
}

#Create Client Secret
$pwArr = "!?@#$%^&*0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz".tochararray() 
$Password = ($pwArr | Get-Random -Count 20) -Join ''

$AppRegistrationName="testapp458"
$ReplyURL="http://localhost"
# App Registration Creation
$appId = az ad app create --display-name $AppRegistrationName --reply-urls $ReplyURL --password $Password --credential-description "CT Secret" --end-date '2299-12-12' --query "appId" -o tsv
Write-Host "App Registration $AppRegistrationName created with Client Id $appId"
Start-Sleep -s 10

# Create a Service Principal for the App Registration
$appSP = az ad sp create --id $appId --query "objectId" -o tsv
Write-Host "Service principal for App Registration $AppRegistrationName created with ID $appSP."

az role assignment create --role "User Access Administrator" --assignee-object-id $appSP
az ad app permission grant --id $appId --api $MSGraphId 

# Add API Permissions to App Registration
foreach ($permission in $permissions) {
  az ad app permission add --id $appId --api $MSGraphId --api-permissions $permission
}
Write-Host "Microsoft Graph Permissions with Id $MSGraphId added to App Registration"
Start-Sleep -s 10

az ad app permission admin-consent --id $appId
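Admin consent grants every permission the registration currently requests, so it is worth reading back what the tenant actually consented to and failing on anything outside an allow-list. The script below is an added example, not code from the question or the answer; it assumes Azure CLI 2.37 or later (Graph-backed `az ad`, which returns `id` rather than `objectId`), a signed-in account allowed to consent, and that the allow-list parameters are adjusted to the permissions your app really needs.

```powershell
# Added example (not from the original post): consent with the Azure CLI, then
# verify the delegated scopes and app roles that were actually granted.
# Assumes Azure CLI >= 2.37 and a signed-in account permitted to grant consent.
param(
  [Parameter(Mandatory = $true)] [string] $AppId,   # client (application) id of the registration
  # Delegated permissions are reported by name; application roles by appRoleId GUID.
  [string[]] $AllowedScopes = @("User.Read", "Directory.Read.All"),
  [string[]] $AllowedRoles  = @("62a82d76-70ea-41e2-9197-370581804d09")   # User.Read.All
)

function Invoke-AzJson([string[]] $AzArgs) {
  # Runs az with the given arguments, surfaces a non-zero exit code, and parses the JSON.
  $out = & az @AzArgs -o json
  if ($LASTEXITCODE -ne 0) { throw "az $($AzArgs -join ' ') failed" }
  return $out | ConvertFrom-Json
}

# One call consents to every delegated scope and app role the registration requests.
az ad app permission admin-consent --id $AppId
if ($LASTEXITCODE -ne 0) { throw "admin-consent failed; check the signed-in account's directory role" }

# Consent is recorded on the service principal, not the app object, so resolve it first.
$spObjectId = (Invoke-AzJson @("ad", "sp", "show", "--id", $AppId)).id
$graph = "https://graph.microsoft.com/v1.0/servicePrincipals/$spObjectId"

# Delegated consent: oauth2PermissionGrants carry space-separated scope names.
$grants = Invoke-AzJson @("rest", "--method", "GET", "--url", "$graph/oauth2PermissionGrants")
$consentedScopes = @($grants.value | ForEach-Object { $_.scope -split ' ' } | Where-Object { $_ })

# Application consent: appRoleAssignments carry the appRoleId GUIDs.
$roles = Invoke-AzJson @("rest", "--method", "GET", "--url", "$graph/appRoleAssignments")
$consentedRoles = @($roles.value | ForEach-Object { $_.appRoleId })

$unexpected = @($consentedScopes | Where-Object { $_ -notin $AllowedScopes }) +
              @($consentedRoles  | Where-Object { $_ -notin $AllowedRoles })

Write-Host "Delegated scopes consented: $($consentedScopes -join ', ')"
Write-Host "App roles consented:        $($consentedRoles -join ', ')"
if ($unexpected.Count -gt 0) {
  throw "Consent granted beyond the allow-list: $($unexpected -join ', ')"
}
Write-Host "Consent for app $AppId matches the allow-list"
```

Passing the JSON through ConvertFrom-Json rather than string-matching the CLI output also sidesteps the quoting problems that arise when PowerShell hands multi-line arguments to the az wrapper in Cloud Shell.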
