@Splaxi
Forked from FH-Inway/New-AzureAppRedirectURLs.ps1
Last active March 26, 2026 07:16
Create full D365FO CHE Entra integration #D365FO

The PowerShell scripts in this gist, combined with the Microsoft.Graph and d365fo.tools PowerShell modules, serve as a scripted guide through the multi-step process described at https://learn.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/dev-tools/secure-developer-vm#external-integrations

New-FullEntraIntegration.ps1 is your starting point after downloading all the scripts and installing the modules.

Install-Module Microsoft.Graph -RequiredVersion 2.17.0
# d365fo.tools provides the New-D365EntraIntegration cmdlet used by New-FullEntraIntegration.ps1.
Install-Module d365fo.tools
Import-Module Microsoft.Graph.Authentication -RequiredVersion 2.17.0
Import-Module Microsoft.Graph.Applications -RequiredVersion 2.17.0
New-AzureAppRedirectURLs.ps1
# Add additional redirect URLs to an Azure Application.
# Based on https://blog.icewolf.ch/archive/2022/12/02/create-azure-ad-app-registration-with-microsoft-graph-powershell
# original gist: https://gist.github.com/FH-Inway/d55993312d1bb1aa2d63adfeed9946f3
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true, HelpMessage = "The object ID of the Azure Application.")]
    [String]
    $AppObjectId,
    [Parameter(Mandatory = $true, HelpMessage = "The redirect URLs to add to the Azure Application.")]
    [String[]]
    $RedirectURLs
)
# Install the PowerShell module "Microsoft.Graph" if it is not already installed.
# Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser -Force
# Install-Module -Name Microsoft.Graph.Applications -Scope CurrentUser -Force
# You need to have the Azure Active Directory Role "Application Administrator" or "Application Developer".
Connect-MgGraph -Scopes "Application.Read.All","Application.ReadWrite.All","User.Read.All"
$Application = Get-MgApplication -ApplicationId $AppObjectId
# Update-MgApplication replaces the whole redirect URI list, so keep the existing entries and append the new ones.
# Select-Object -Unique removes duplicates, which Graph would otherwise reject.
$RedirectURLs = @($Application.Web.RedirectUris) + $RedirectURLs | Select-Object -Unique
Update-MgApplication -ApplicationId $AppObjectId -Web @{ RedirectUris = $RedirectURLs } -Verbose
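Every redirect URL on the registration is a place the identity platform will deliver authorization codes and tokens to, so it is worth validating the list before the script above appends it. The following check is an added example and not part of the original gist: it rejects non-HTTPS entries, wildcards, fragments, and hosts outside an allowed list. The allowed-host default and the sample URLs are constructed for the example; adjust them to your tenant.

```powershell
# Added example (not part of the original gist): validate redirect URLs before they are
# appended to an app registration. The allowed-host list is a constructed default.
function Test-RedirectUrl {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)]
        [String[]] $RedirectURLs,
        # Entries starting with "." match any subdomain; other entries must match the host exactly.
        [String[]] $AllowedHosts = @(".axcloud.dynamics.com", "login.microsoftonline.com")
    )
    foreach ($url in $RedirectURLs) {
        $reasons = @()
        $uri = $null
        if (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref] $uri)) {
            $reasons += "not an absolute URI"
        }
        else {
            if ($uri.Scheme -ne "https") { $reasons += "scheme is '$($uri.Scheme)', expected https" }
            if ($url.Contains("*")) { $reasons += "contains a wildcard" }
            if ($uri.Fragment) { $reasons += "contains a fragment" }
            $hostAllowed = $false
            foreach ($allowed in $AllowedHosts) {
                if ($allowed.StartsWith(".")) {
                    if ($uri.Host.EndsWith($allowed, [StringComparison]::OrdinalIgnoreCase)) { $hostAllowed = $true }
                }
                elseif ($uri.Host -eq $allowed) {
                    $hostAllowed = $true
                }
            }
            if (-not $hostAllowed) { $reasons += "host '$($uri.Host)' is not in the allowed list" }
        }
        [PSCustomObject]@{
            Url    = $url
            Valid  = ($reasons.Count -eq 0)
            Reason = ($reasons -join "; ")
        }
    }
}

# Constructed sample input: the two environment URLs from the gist plus two entries that must be rejected.
$candidates = @(
    "https://my-che-env0123456devaos.axcloud.dynamics.com",
    "https://my-che-env0123456devaos.axcloud.dynamics.com/oauth",
    "http://my-che-env0123456devaos.axcloud.dynamics.com/oauth",
    "https://other-tenant.example.com/oauth"
)
$checked = Test-RedirectUrl -RedirectURLs $candidates
$checked | Format-Table -AutoSize
if ($checked.Valid -contains $false) {
    throw "Refusing to add redirect URLs: $(($checked | Where-Object { -not $_.Valid }).Url -join ', ')"
}
# Only when every entry passes would you call:
# .\New-AzureAppRedirectURLs.ps1 -AppObjectId $AppObjectId -RedirectURLs $checked.Url
```

In the sample run the third entry fails on the scheme and the fourth on the host, so the script throws before anything reaches Graph.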
New-AzureAppRegistration.ps1
<#
To execute the steps of the Entra integration setup, the ID of an Azure application is required.
This script creates an Azure application registration with the required API permissions.
The application must have the following API permissions:
- Dynamics ERP - This permission is required to access finance and operations environments.
- Microsoft Graph (User.Read.All and Group.Read.All permissions of the Application type).
- Dynamics Lifecycle Services (permission of type Delegated)
#>
# Based on https://blog.icewolf.ch/archive/2022/12/02/create-azure-ad-app-registration-with-microsoft-graph-powershell
# original gist: https://gist.github.com/FH-Inway/d55993312d1bb1aa2d63adfeed9946f3
[CmdletBinding()]
param (
    # Not mandatory, otherwise PowerShell would prompt and the default value would never be used.
    [Parameter(Mandatory = $false, HelpMessage = "The name of the Azure Application.")]
    [String]
    $ApplicationName = "D365FO-CHE-Entra-Integration",
    [Parameter(Mandatory = $true, HelpMessage = "The redirect URLs to add to the Azure Application.")]
    [String[]]
    $RedirectURLs
)
# Install the PowerShell module "Microsoft.Graph" if it is not already installed.
# Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser -Force
# Install-Module -Name Microsoft.Graph.Applications -Scope CurrentUser -Force
# You need to have the Azure Active Directory Role "Application Administrator" or "Application Developer".
Connect-MgGraph -Scopes "Application.Read.All","Application.ReadWrite.All","User.Read.All"
$Description = "https://learn.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/dev-tools/secure-developer-vm#external-integrations"
# API permissions
$DelegatedType = "Scope"
$ApplicationType = "Role"
## Dynamics ERP
$AXFullAccess = @{
    Id   = "6397893c-2260-496b-a41d-2f1f15b16ff3"
    Type = $DelegatedType
}
$ConnectorFullAccess = @{
    Id   = "add75854-3691-457b-84bc-76bc249f1b6f"
    Type = $ApplicationType
}
$CustomServiceFullAccess = @{
    Id   = "ad8b4a5c-eecd-431a-a46f-33c060012ae1"
    Type = $DelegatedType
}
$OdataFullAccess = @{
    Id   = "a849e696-ce45-464a-81de-e5c5b45519c1"
    Type = $DelegatedType
}
$DynamicsERP = @{
    ResourceAppId  = "00000015-0000-0000-c000-000000000000"
    ResourceAccess = @($AXFullAccess, $ConnectorFullAccess, $CustomServiceFullAccess, $OdataFullAccess)
}
## Microsoft Graph
$UserReadAll = @{
    Id   = "5b567255-7703-4780-807c-7be8301ae99b"
    Type = $ApplicationType
}
$GroupReadAll = @{
    Id   = "df021288-bdef-4463-88db-98f22de89214"
    Type = $ApplicationType
}
$MicrosoftGraph = @{
    ResourceAppId  = "00000003-0000-0000-c000-000000000000"
    ResourceAccess = @($UserReadAll, $GroupReadAll)
}
## Dynamics Lifecycle Services
$UserImpersonation = @{
    Id   = "a8737248-d2c2-4a7c-9759-3dfaad5c2f19"
    Type = $DelegatedType
}
$DynamicsLifecycle = @{
    ResourceAppId  = "913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0"
    ResourceAccess = @($UserImpersonation)
}
$RequiredResourceAccessList = @($DynamicsERP, $MicrosoftGraph, $DynamicsLifecycle)
$params = @{
    DisplayName            = $ApplicationName
    Description            = $Description
    RequiredResourceAccess = $RequiredResourceAccessList
    Web                    = @{
        RedirectUris = $RedirectURLs
    }
}
$app = New-MgApplication @params -Verbose
# Give the directory a moment to replicate the new application before the consent page is opened.
Start-Sleep -Seconds 5
# Admin consent must be granted by an administrator of the tenant; this only opens the consent page.
$AdminConsentURL = "https://login.microsoftonline.com/$($app.PublisherDomain)/adminconsent?client_id=$($app.AppId)"
Start-Process $AdminConsentURL
Write-Output "Azure application $ApplicationName was created."
Write-Output "If no browser window was opened, open the following URL to grant admin consent:"
Write-Output $AdminConsentURL
Write-Output "Use the following AppId to configure the integration:"
Write-Output $app.AppId
Write-Output "Use the application object id to upload the certificate."
Write-Output $app.Id
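The permissions above are expressed as GUIDs, which is what Graph wants but not what an administrator reviewing the consent request wants to see. The following lookup is an added example and not part of the original gist: it reads the registration back and resolves each GUID against the resource's service principal, so the granted set can be checked against the list in the script's header comment. It assumes an existing Connect-MgGraph session; the Application.Read.All scope the script already requests is enough for the lookup.

```powershell
# Added example, not part of the original gist: resolve the permission GUIDs on an app registration
# into readable names using each resource's service principal in this tenant.
function Resolve-RequiredResourceAccess {
    [CmdletBinding()]
    param (
        # Accepts either the $RequiredResourceAccessList hashtables from the script
        # or the RequiredResourceAccess property returned by Get-MgApplication; both have the same shape.
        [Parameter(Mandatory = $true)]
        [Object[]] $RequiredResourceAccess
    )
    foreach ($resource in $RequiredResourceAccess) {
        # The resource is identified by its appId; its service principal carries the catalogue of
        # app roles (application permissions) and OAuth2 scopes (delegated permissions).
        $sp = Get-MgServicePrincipal -Filter "appId eq '$($resource.ResourceAppId)'"
        $resourceName = "<no service principal for appId $($resource.ResourceAppId)>"
        if ($sp) { $resourceName = $sp.DisplayName }
        foreach ($access in $resource.ResourceAccess) {
            if ($access.Type -eq "Role") {
                $kind = "Application"
                $definition = $sp.AppRoles | Where-Object { $_.Id -eq $access.Id }
            }
            else {
                $kind = "Delegated"
                $definition = $sp.Oauth2PermissionScopes | Where-Object { $_.Id -eq $access.Id }
            }
            $permission = "<unknown id $($access.Id)>"
            $description = ""
            if ($definition) {
                $permission = $definition.Value
                $description = $definition.DisplayName
            }
            [PSCustomObject]@{
                Resource    = $resourceName
                Kind        = $kind
                Permission  = $permission
                Description = $description
                Id          = $access.Id
            }
        }
    }
}

# Read back what is actually on the registration rather than trusting the local list.
$AppObjectId = Read-Host -Prompt "Enter the object ID of the Azure Application"
$registered = Get-MgApplication -ApplicationId $AppObjectId
Resolve-RequiredResourceAccess -RequiredResourceAccess $registered.RequiredResourceAccess | Format-Table -AutoSize
```

An entry that resolves to an unknown ID or a missing service principal is the thing to investigate: either the GUID is wrong or the resource is not provisioned in this tenant, and consent for it will not do what the comment says.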
New-FullEntraIntegration.ps1
# Creates an Entra integration with all steps scripted.
# 1. Creates an Azure AD application registration.
# 2. Runs the New-D365EntraIntegration cmdlet (d365fo.tools), which creates the certificate.
# 3. Uploads the certificate to the Azure AD application registration.
# 4. (Optionally or later) Adds additional redirect URLs to the Azure AD application registration.
# original gist: https://gist.github.com/FH-Inway/d55993312d1bb1aa2d63adfeed9946f3
$RedirectURLs = @(
    "https://login.microsoftonline.com/common/oauth2/nativeclient",
    # Add the following two URLs for each environment where Entra integration is to be added.
    "https://my-che-env0123456devaos.axcloud.dynamics.com",
    "https://my-che-env0123456devaos.axcloud.dynamics.com/oauth"
)
.\New-AzureAppRegistration.ps1 -ApplicationName "D365FO-CHE-Entra-Integration" -RedirectURLs $RedirectURLs
# The registration script prints both IDs; the AppId (client ID) goes into the integration,
# the object ID is what the Graph cmdlets need to update the registration.
$ApplicationId = Read-Host -Prompt "Enter the Application ID of the Azure Application"
$securePassword = Read-Host -AsSecureString -Prompt "Enter a password for the Entra integration certificate"
New-D365EntraIntegration -ClientId $ApplicationId -CertificatePassword $securePassword
# Path where New-D365EntraIntegration placed the public certificate (.cer) to be uploaded.
$CertificatePath = "$env:USERPROFILE\Desktop\CHEAuth.cer"
$AppObjectId = Read-Host -Prompt "Enter the object ID of the Azure Application"
.\Upload-Certificate.ps1 -AppObjectId $AppObjectId -CertificatePath $CertificatePath
$AdditionalRedirectURLs = @(
    "https://my-2nd-che-env0223456devaos.axcloud.dynamics.com",
    "https://my-2nd-che-env0223456devaos.axcloud.dynamics.com/oauth"
)
.\New-AzureAppRedirectURLs.ps1 -AppObjectId $AppObjectId -RedirectURLs $AdditionalRedirectURLs
Upload-Certificate.ps1
# Uploads the certificate to the Azure Application
# Based on https://blog.icewolf.ch/archive/2022/12/02/create-azure-ad-app-registration-with-microsoft-graph-powershell
# original gist: https://gist.github.com/FH-Inway/d55993312d1bb1aa2d63adfeed9946f3
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true, HelpMessage = "The object ID of the Azure Application.")]
    [String]
    $AppObjectId,
    [Parameter(Mandatory = $true, HelpMessage = "The path to the certificate file (public part, .cer).")]
    [String]
    $CertificatePath
)
# Install the PowerShell module "Microsoft.Graph" if it is not already installed.
# Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser -Force
# Install-Module -Name Microsoft.Graph.Applications -Scope CurrentUser -Force
# You need to have the Azure Active Directory Role "Application Administrator" or "Application Developer".
Connect-MgGraph -Scopes "Application.Read.All","Application.ReadWrite.All","User.Read.All"
# The .cer file holds only the public certificate; the private key stays where New-D365EntraIntegration created it.
$Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificatePath)
$KeyCredentials = @{
    Type  = "AsymmetricX509Cert"
    Usage = "Verify"
    Key   = $Certificate.RawData
}
# Note: -KeyCredentials replaces the application's whole keyCredentials collection, so any certificate
# uploaded earlier is removed. To keep existing entries, read them with Get-MgApplication first and append.
Update-MgApplication -ApplicationId $AppObjectId -KeyCredentials $KeyCredentials -Verbose
Write-Output "Uploaded certificate with thumbprint $($Certificate.Thumbprint) (valid until $($Certificate.NotAfter))."
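Once the upload has run, the registration should carry exactly the certificate that was created on the developer VM and nothing else unexpected, because every key credential on the application is a separate way to obtain tokens for it. The following check is an added example and not part of the original gist: it compares the thumbprint of the local .cer file with the key credentials Graph returns and flags credentials close to expiry. It assumes an existing Connect-MgGraph session (Application.Read.All suffices) and that Graph returns the certificate's SHA-1 thumbprint as the key credential's CustomKeyIdentifier byte array, which is its behaviour for AsymmetricX509Cert credentials.

```powershell
# Added example, not part of the original gist: verify the uploaded certificate and report expiry.
function Test-AppCertificate {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true)] [String] $AppObjectId,
        [Parameter(Mandatory = $true)] [String] $CertificatePath,
        # Flag credentials that expire within this many days so rotation can be planned.
        [Int] $WarnDays = 30
    )
    $local = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificatePath)
    $app = Get-MgApplication -ApplicationId $AppObjectId -Property @("id", "displayName", "keyCredentials")
    $now = Get-Date
    # foreach over $null iterates zero times, so an application without key credentials is handled.
    $credentials = foreach ($kc in $app.KeyCredentials) {
        # CustomKeyIdentifier is a byte array; render it the way X509Certificate2.Thumbprint does.
        $thumb = ([BitConverter]::ToString($kc.CustomKeyIdentifier)) -replace "-", ""
        $daysLeft = $null
        if ($kc.EndDateTime) { $daysLeft = [int] ($kc.EndDateTime - $now).TotalDays }
        [PSCustomObject]@{
            Thumbprint   = $thumb
            MatchesLocal = ($thumb -eq $local.Thumbprint)
            Usage        = $kc.Usage
            EndDateTime  = $kc.EndDateTime
            DaysLeft     = $daysLeft
        }
    }
    $match = $credentials | Where-Object { $_.MatchesLocal }
    if (-not $match) {
        Write-Warning "Certificate $($local.Thumbprint) is not registered on '$($app.DisplayName)'."
    }
    foreach ($c in $credentials) {
        if ($null -ne $c.DaysLeft -and $c.DaysLeft -le $WarnDays) {
            Write-Warning "Key credential $($c.Thumbprint) expires in $($c.DaysLeft) days ($($c.EndDateTime))."
        }
    }
    [PSCustomObject]@{
        Application     = $app.DisplayName
        LocalThumbprint = $local.Thumbprint
        Uploaded        = [bool] $match
        CredentialCount = @($credentials).Count
        Credentials     = $credentials
    }
}

$AppObjectId = Read-Host -Prompt "Enter the object ID of the Azure Application"
$result = Test-AppCertificate -AppObjectId $AppObjectId -CertificatePath "$env:USERPROFILE\Desktop\CHEAuth.cer"
$result | Format-List Application, LocalThumbprint, Uploaded, CredentialCount
$result.Credentials | Format-Table -AutoSize
```

A CredentialCount above one after a fresh setup means an earlier certificate is still attached; decide deliberately whether it should stay, rather than discovering it later as an unexplained way into the application.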