How do I add required permissions to an Azure Active Directory (AAD) application using the Azure PowerShell SDK?
Question
In my scenario, I'm attempting to automate creation of one of my AAD applications in order for it to make calls to another another WebAPI service (different AAD app) using the instructions laid out for Daemon processes here:
https://azure.microsoft.com/en-us/resources/samples/active-directory-dotnet-daemon/
I've been able to automate creation of the AAD application and the required access key via PowerShell.
Here's how I create the application with the key added:
# Generate all the keys (secrets) for the AAD application.
$passwordCredentials = @()
foreach ($key in $activeDirectoryApplication.Keys.Key)
{
$keyKeyVaultName = $key.KeyVaultName
$keyName = $key.KeyVaultKeyName
$expiration = $key.Expiration
LogInfo "Generating key with key name '$keyName' into key vault '$keyKeyVaultName' with key expiry of '$expiration'."
$passwordCredential = GenerateActiveDirectoryApplicationKeyPasswordCredential $key
$passwordCredentials += $passwordCredential
PublishActiveDirectoryApplicationKeyToKeyVault $key $passwordCredential
}
$existingApplication = New-AzureRmADApplication -DisplayName $applicationName -HomePage $applicationHomePage -IdentifierUris @($applicationIdentifier) -PasswordCredentials $passwordCredentials
What I can't figure out is how to automate step 8 in the above link where it grants permissions to access the WebAPI application:
- Configure Permissions for your application - in the Settings menu, choose the 'Required permissions' section, click on Add, then Select an API, and type 'TodoListService' in the textbox. Then, click on Select Permissions and select 'Access TodoListService'.
Does anyone know if this is possible with the Azure PowerShell SDK or do I need to do it some other way (maybe the AAD Graph API)?
Thanks!
1 answers
solution1
0 ACCPTED 2017-06-17 05:19:03
To assign permissions you would need to use New-AzureRmRoleAssignment . That will allow you to assign permissions to an object (user\\group\\application) at a certain scope. if you need built-in role you are good to go. if you need to create a role use New-AzureRmRoleDefinition .
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Classic storage reader"
$role.Actions.Clear()
$role.Actions.Add("Microsoft.ClassicStorage/storageAccounts/read")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/xxxx")
New-AzureRmRoleDefinition -Role $role
Reading:
https://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-manage-access-powershell
https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/new-azurermroleassignment?view=azurermps-4.1.0
https://docs.microsoft.com/en-us/powershell/module/azurerm.resources/new-azurermroledefinition?view=azurermps-4.1.0
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.