将 Azure AD Microsoft Graph API 权限添加到 B2C 应用程序

Question

I am using the following Az Cli command to create an Azure AD B2C application:

az ad app create --display-name 'mytestapplication'

What I'd then also like to do in the process is grant some permissions, as per the Azure AD Microsoft Graph API permissions list. Below are two such examples of the permissions I'd like to grant. I'm however struggling to find any Az Cli examples or references that can enable me achieve this. Any suggestions?

User.ReadWrite.All
Application.ReadWrite.All

Answer 1

In order to grant a specific permission for an app registration , you need to pass those permissions in manifest.json file with a particular scope.

You can use the below cmdlet to create a app registration & to assign the specific azure-ad-microsoft-graph-api-permissions for that app registration.

az login -tenant  [myb2ctenant.onmicrosoft.com](http://myb2ctenant.onmicrosoft.com/)  --allow-no-subscriptions (this cmd helped me to login to B2C without subscription)

az ad app create --display-name 'mytestapplication' --required-resource-accesses @manifest.json

manifest.json file:

{
"requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",
            "resourceAccess": [
                {
                    "id": "204e0828-b5ca-4ad8-b9f3-f32a958e7cc4"(# for Application.ReadWrite.All),
                    "type": "Scope"
                },
                {
                    "id": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9(# for User.ReadWrite.All)",
                    "type": "Role"
                }
            ]
        }
    ]
}

Here is the output screenshot for reference:

For more information about app registration creation & Assigning permissions for a native app registration cmdlets you can refer this documentation.