azure azure-powershell azure-ad-msal azure-identity azure-app-registration

How to add Mail.Send permission when creating application with secret?

I'm trying to automate the process of creating an Azure AD application using Azure PowerShell. Specifically, I want to create an application, add a client secret, grant the Mail.Send permission, and generate a token, all within a single PowerShell script. However, I’m encountering a few challenges.

I was able to create the application successfully and add a client secret. However, I'm unsure how to add the Mail.Send Application permission to the application. I found the permission ID but don't know the correct command to implement it.

Once the permission is added, do I need to grant admin consent explicitly, or is that handled automatically? I want to ensure everything is set up correctly before generating the token.

Here’s the code I’m working with:

Connect-AzAccount

$appName = "MyTestingApp"
$app = New-AzADApplication -DisplayName $appName -IdentifierUris "https://myapp.com"

$secret = New-AzADAppCredential -ApplicationId $app.ApplicationId -EndDate (Get-Date).AddYears(1)

$permissionId = "a0e0c2c0-6b4c-4c98-bcd8-15e7995d8f2b"  # Mail.Send permission ID

$tenantId = "xxxxxxx"
$clientId = $app.ApplicationId
$clientSecret = $secret.SecretText
$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"

$body = @{
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = "https://graph.microsoft.com/.default"
    grant_type    = "client_credentials"
}

$response = Invoke-RestMethod -Method Post -Uri $tokenUrl -ContentType "application/x-www-form-urlencoded" -Body $body
$token = $response.access_token

Solution

You can make use of below sample PowerShell script to add Mail.Send permission when creating application with secret and generate token:

Connect-AzAccount

$appName = "MyTestingApp"
$app = New-AzADApplication -DisplayName $appName

$secret = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddYears(1)

Start-Sleep -Seconds 30

$graphApiId = '00000003-0000-0000-c000-000000000000'
$mailSendId = 'b633e1c5-b582-4048-a93e-9f11b44c7e96'

$graphSp = Get-AzADServicePrincipal -Filter "appId eq '$graphApiId'"

Add-AzADAppPermission -ObjectId $app.Id -ApiId $graphApiId -PermissionId $mailSendId -Type Role

$sp = New-AzADServicePrincipal -ApplicationId $app.AppId

New-AzADServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $mailSendId

Start-Sleep -Seconds 30

$tenantId = (Get-AzContext).Tenant.Id
$clientId = $app.AppId
$clientSecret = $secret.SecretText

$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"

$body = @{
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = "https://graph.microsoft.com/.default"
    grant_type    = "client_credentials"
}

$response = Invoke-RestMethod -Method Post -Uri $tokenUrl -ContentType "application/x-www-form-urlencoded" -Body $body
$token = $response.access_token

$token

Response:

To confirm that, I checked the same in Portal where new application with secret and permission added successfully with admin consent as below:

When I decoded the generated token in jwt.ms website, it has Mail.Send permission in roles claim like this: