I am trying to create the following using PowerShell:
Here is my current script which I have hand-written but am getting confused when it comes to setting the scope for the original Server Test app - I have tried this, but the parameters of -Id and -Type (which I would follow in Portal) don't seem to apply in the PS CLI, and also when I need to declare the api:// as the scope, this fails as the Add-AzADAppPermission element isn't working.
Import-Module Az.Accounts
Import-Module Az.Resources
Connect-AzAccount
# create the server application registration
$serverApp = New-AzADApplication -DisplayName "Connection (Server, Test)" -AvailableToOtherTenants $false
# expose an API with details
$scopeName = "API.Access"
$scopeId = (New-Guid).Guid
$apiPermission = Add-AzADAppPermission -ApplicationId $serverApp.ApplicationId -Id $scopeId -Type "Scope" -Permission $scopeName -Description "API Access scope"
$serverApp = Set-AzADApplication -ObjectId $serverApp.ObjectId -IdentifierUris "api://$($serverApp.ApplicationId)" -ApiPermissions $apiPermission
Write-Host "The Server Application registration of Connection (Server, Test) has been created successfully! Note the following details:"
Write-Host "Server-Test Client ID: $($serverApp.ApplicationId)"
Write-Host "Server-Test Tenant ID: $tenantId"
Write-Host "Server-Test Application ID URL: api://$($serverApp.ApplicationId)"
# Creating client application after a delay to mkae sure the svr app has fully deployed
Write-Host "Creating Client Application... gathering resources..."
Start-Sleep -Seconds 10
$clientApp = New-AzADApplication -DisplayName "Connection (Client, Test)" -AvailableToOtherTenants $false
$clientSecret = New-AzADAppCredential -ObjectId $clientApp.ObjectId -EndDate (Get-Date).AddMonths(24)
$secretValue = $clientSecret.SecretText
# setapplication as a client application to the server
New-AzADServicePrincipal -ApplicationId $clientApp.ApplicationId
New-AzADAppPermissionGrant -ObjectId $clientApp.ObjectId -ApiId $serverApp.ApplicationId -ExpiryTime (Get-Date).AddMonths(24) -Scope $scopeName
# add authentication platform for client app
$redirectUri = "https://oauth.powerbi.com/views/oauthredirect.html"
New-AzADAppRedirectUri -ObjectId $clientApp.ObjectId -RedirectUri $redirectUri
Set-AzADApplication -ObjectId $clientApp.ObjectId -ReplyUrls $redirectUri -OAuth2AllowImplicitFlow $true -OAuth2AllowIdTokenImplicitFlow $true
Write-Host "Success! The applications of Connection (Server, Test) and Connection (Client, Test) have been created. Please make a note of the following details:"
Write-Host "Server-Test Client ID: $($serverApp.ApplicationId)"
Write-Host "Server-Test Tenant ID: $tenantId"
Write-Host "Client-Test Client ID: $($clientApp.ApplicationId)"
Write-Host "Client-Test Client Secret: $secretValue"
"
Registering Server App:
#registering server application
$serverApp = New-AzADApplication -DisplayName "Connection (Server, Test)" -AvailableToOtherTenants $false
$AppId=$serverApp.AppId
Set-AzADApplication -ApplicationId $serverApp.AppId -IdentifierUris "api://$AppId"
$app = Get-AzAdApplication -ApplicationId "<AppId>"
Exposing an API for Server-App and Registering Client-App
#exposing an API
$permissionScop = New-Object Microsoft.Azure.Powershell.Cmdlets.Resources.MSGraph.Models.ApiV10.MicrosoftGraphPermissionScope
$permissionScop.Id = New-Guid
$permissionScop.AdminConsentDescription = "API.Access"
$permissionScop.AdminConsentDisplayName = "API.Access"
$permissionScop.IsEnabled = $true
$permissionScop.Type = "User"
$permissionScop.UserConsentDescription = "API.Access"
$permissionScop.UserConsentDisplayName = "API.Access"
$permissionScop.Value = "user_impersonation"
$api = $app.Api
#$api.Oauth2PermissionScope = $permissionScop
$api.Oauth2PermissionScope =$permissionScop
Update-AzADApplication -ApplicationId "<AppId>" -Api $api
Write-Host "The Server Application registration of Connection (Server, Test) has been created successfully! Note the following details:"
Write-Host "Server-Test Client ID: $($serverApp.AppId)"
$context = Get-AzContext
Write-Output "Tenant ID: $($context.Tenant.Id)"
Write-Host "Server-Test Tenant ID: $tenantId"
Write-Host "Server-Test Application ID URL: api://$($serverApp.AppId)"
# Creating client application after a delay to make sure the svr app has fully deployed
Write-Host "Creating Client Application... gathering resources..."
Start-Sleep -Seconds 10
#registering client-app
$displayName = "Connection (Client, Test)"
$redirectUri = "https://oauth.powerbi.com/views/oauthredirect.html"
$newApp = New-AzureADApplication -DisplayName $displayName
Set-AzureADApplication -ObjectId $newApp.ObjectId -ReplyUrls @($redirectUri)
Set-AzureADApplication -ObjectId $newApp.ObjectId -Oauth2AllowImplicitFlow $true
$clientSecret = New-AzADAppCredential -ObjectId $clientApp.ObjectId -EndDate (Get-Date).AddMonths(24)
$secretValue = $clientSecret.SecretText
New-AzADServicePrincipal -ApplicationId $newApp.AppId
Add-AzADAppPermission -ObjectId ObjectIDOfApp -ApiId Resource App ID -PermissionId Permission ID
By using powershell, we are not able to grant the admin consent, it can be done by on portal or Azure cli.
CLI Command
az ad app permission admin-consent --id 00000000-0000-0000-0000-000000000000
.
Write-Host "Success! The applications of Connection (Server, Test) and Connection (Client, Test) have been created. Please make a note of the following details:"
Write-Host "Server-Test Client ID: $($serverApp.AppId)"
Write-Host "Client-Test Client ID: $($newApp.AppId)"
Write-Host "Client-Test Client Secret: $secretValue"
Write-Output "Tenant ID: $($context.Tenant.Id)"