
Azure AD App Registration for multi-tenant and personal accounts using PowerShell

Is there any way to create an Azure AD App Registration for multi-tenant and personal accounts using PowerShell? Nothing in this document helps me do that: https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadapplication?view=azureadps-2.0

Yes, as mentioned by Allen, the AD app type property is managed by the -SignInAudience parameter, but when you use New-AzureADApplication with -SignInAudience, it gives the error Property 'signInAudience' is read-only and cannot be set, as New-AzureADApplication essentially calls the old Azure AD Graph.

To solve the issue, you could call the Microsoft Graph Create application endpoint manually in PowerShell as mentioned by Allen, or you could use the new command New-AzureADMSApplication, which calls Microsoft Graph directly.

Make sure your AzureAD PowerShell module is not too old, then use the command below.

New-AzureADMSApplication -DisplayName "joytest678" -SignInAudience "AzureADandPersonalMicrosoftAccount"

(screenshot omitted)

Check in the portal: (screenshot omitted)
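As an added example (not part of this answer or of the AzureAD module's documentation), the cmdlet above wrapped in a function that first checks the module is new enough to have New-AzureADMSApplication, validates the audience value, sets the v2 token version at creation time (the same property the PATCH-based answer below sets afterwards), and reads the registration back from the directory to confirm the stored signInAudience. The function name is made up for this example; the Microsoft.Open.MSGraph.Model.ApiApplication type and its RequestedAccessTokenVersion property are taken from the AzureAD module's Set-AzureADMSApplication examples and are an assumption here. It expects Connect-AzureAD to have been run already.

```powershell
# Added example, not code from the original answer.
function New-MultiTenantPersonalApp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        # Values Microsoft Graph accepts for signInAudience
        [ValidateSet('AzureADMyOrg', 'AzureADMultipleOrgs',
                     'AzureADandPersonalMicrosoftAccount', 'PersonalMicrosoftAccount')]
        [string] $SignInAudience = 'AzureADandPersonalMicrosoftAccount'
    )

    # The *MS* cmdlets (backed by Microsoft Graph) are missing from old AzureAD releases;
    # fail early with a clear message instead of a bare 'command not found'.
    if (-not (Get-Command New-AzureADMSApplication -ErrorAction SilentlyContinue)) {
        throw "New-AzureADMSApplication not found; update the AzureAD module (Update-Module AzureAD) and reconnect."
    }

    # Apps that sign in personal accounts use v2 access tokens, so set the token
    # version together with the audience instead of patching the manifest later.
    # (ApiApplication type/property assumed from the module docs.)
    $api = New-Object Microsoft.Open.MSGraph.Model.ApiApplication
    $api.RequestedAccessTokenVersion = 2

    $app = New-AzureADMSApplication -DisplayName $DisplayName `
                                    -SignInAudience $SignInAudience `
                                    -Api $api

    # Verify what the directory actually stored rather than trusting the
    # object returned by the create call. MS cmdlets expose the object id as .Id.
    $stored = Get-AzureADMSApplication -ObjectId $app.Id
    if ($stored.SignInAudience -ne $SignInAudience) {
        throw "Expected signInAudience '$SignInAudience' but the directory has '$($stored.SignInAudience)'"
    }
    Write-Verbose "Created '$($stored.DisplayName)' appId=$($stored.AppId) audience=$($stored.SignInAudience)"
    return $stored
}

# Usage:
#   Connect-AzureAD
#   $app = New-MultiTenantPersonalApp -DisplayName 'joytest678' -Verbose
#   $app.SignInAudience   # AzureADandPersonalMicrosoftAccount
```

The read-back matters because the old cmdlet path fails loudly (the read-only error), while a silently ignored property would only show up later as a sign-in failure for personal accounts.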

The AAD app type property should be -SignInAudience. But it's read-only in AAD PowerShell.

So the workaround is to call Microsoft Graph to modify this property.

A sample for your reference (modify {client_id}, {client_secret} and {tenant_id} to yours, and give the Application.ReadWrite.All application permission to your app registration as per Update application permissions):

Connect-AzureAD

# Create the app with the old cmdlet (signInAudience cannot be set here)
$App = New-AzureADApplication -DisplayName "PSMultiApp02"

# Get an app-only token for Microsoft Graph with the client credentials flow.
# Invoke-RestMethod sends a hashtable body as application/x-www-form-urlencoded,
# which is what the token endpoint expects, so no multipart body is needed.
$tokenBody = @{
    grant_type    = "client_credentials"
    client_id     = "{client_id}"
    client_secret = "{client_secret}"
    scope         = "https://graph.microsoft.com/.default"
}

$AuthTokenResponse = Invoke-RestMethod -Uri 'https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token' -Method POST -Body $tokenBody

$authToken = $AuthTokenResponse.access_token

$headers = @{
    "Content-Type"  = "application/json"
    "Authorization" = "Bearer $authToken"
}

# Apps that sign in personal accounts use v2 access tokens, so set
# api.requestedAccessTokenVersion together with signInAudience.
$postData = @{
    signInAudience = "AzureADandPersonalMicrosoftAccount"
    api            = @{ requestedAccessTokenVersion = 2 }
} | ConvertTo-Json

# The Graph route takes the application's object id (ObjectId), not the AppId
$requestURI = "https://graph.microsoft.com/v1.0/applications/$($App.ObjectId)"

# PATCH returns 204 No Content on success, so $Result is empty
$Result = Invoke-RestMethod -Uri $requestURI -Method PATCH -Headers $headers -Body $postData

# Read the object back to confirm the change
(Invoke-RestMethod -Uri $requestURI -Method GET -Headers $headers).signInAudience
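The answer above creates the app with the old cmdlet and then PATCHes it; both answers also mention creating the application directly through Microsoft Graph. As an added example (not code from either answer), this creates the registration with a single POST to /v1.0/applications, so signInAudience is set from the start, and then reads the object back to check both the audience and the token version. The function names are made up for this example. It assumes the calling app registration holds the Application.ReadWrite.OwnedBy application permission with admin consent, which lets it create apps and manage the ones it owns; that is narrower than Application.ReadWrite.All, which can add credentials to every app in the tenant and is more than this task needs. Tenant id, client id and secret are read from environment variables rather than written into the script.

```powershell
# Added example, not code from the original answers.

function Get-GraphAppToken {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret
    )
    # Client credentials grant: a form-encoded POST to the v2.0 token endpoint.
    # A hashtable body is sent as application/x-www-form-urlencoded.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://graph.microsoft.com/.default'
    }
    $resp = Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    return $resp.access_token
}

function New-GraphApplication {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $DisplayName,
        [ValidateSet('AzureADMyOrg', 'AzureADMultipleOrgs',
                     'AzureADandPersonalMicrosoftAccount', 'PersonalMicrosoftAccount')]
        [string] $SignInAudience = 'AzureADandPersonalMicrosoftAccount'
    )
    $headers = @{ Authorization = "Bearer $Token"; 'Content-Type' = 'application/json' }

    # Audience and token version go in the same create request; v2 tokens are
    # what apps that sign in personal accounts use (the PATCH above sets the same pair).
    $payload = @{
        displayName    = $DisplayName
        signInAudience = $SignInAudience
        api            = @{ requestedAccessTokenVersion = 2 }
    } | ConvertTo-Json -Depth 3

    try {
        $created = Invoke-RestMethod -Method Post -Headers $headers -Body $payload `
            -Uri 'https://graph.microsoft.com/v1.0/applications'
    } catch {
        # Graph puts the real reason (e.g. an invalid or read-only property) in the
        # JSON error body; surface that instead of only the HTTP status line.
        throw "Graph create failed: $($_.ErrorDetails.Message)"
    }

    # Verify what was stored; 'id' is the object id used in /applications/{id}.
    $stored = Invoke-RestMethod -Method Get -Headers @{ Authorization = "Bearer $Token" } `
        -Uri "https://graph.microsoft.com/v1.0/applications/$($created.id)"
    if ($stored.signInAudience -ne $SignInAudience -or
        $stored.api.requestedAccessTokenVersion -ne 2) {
        throw "Unexpected state: audience=$($stored.signInAudience) tokenVersion=$($stored.api.requestedAccessTokenVersion)"
    }
    return $stored
}

# Usage (secret comes from the environment, never from the script text):
#   $token = Get-GraphAppToken -TenantId $env:AZ_TENANT_ID -ClientId $env:AZ_CLIENT_ID -ClientSecret $env:AZ_CLIENT_SECRET
#   $app = New-GraphApplication -Token $token -DisplayName 'PSMultiApp03'
#   "$($app.appId) $($app.signInAudience)"
```

If the create call is rejected, the thrown message contains Graph's error body, which is where the "read-only" and similar property errors are reported; checking the stored object afterwards is also how you would spot a tenant policy that changed the request.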

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
