user-consent-using-powershell.md (appspace)
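# Purpose:
# Manually create the appspace service principal and grant appropriate oauth2 permissions without giving the appspace
# functional app any Admin privileges like application administrator. All the commands below are run by a global admin or at least
# someone with the proper azure and Graph API permissions.
# Perfect for environments where granting anyone admin privileges even temporarily is not tolerated.
#
# Modules required
# install-module azure-ad
# install-module microsoft.graph.authentication
#
# What this run actually grants (worth re-reading before executing):
# - The grant created below is a *user-scoped* delegated grant (consentType = "Principal") for ONE account. It is not
#   tenant-wide admin consent; the app gains nothing for any other user.
# - The scope string in $grantHash is the complete set of delegated permissions the app will hold for that account.
#   Keep it to what appspace needs; every extra scope is extra reach if the functional account is ever compromised.
# - The Connect-MgGraph scopes are what the admin running this consents to for the Graph PowerShell client, not what
#   appspace receives.

# Fail on the first cmdlet error instead of silently carrying a $null ObjectId into the grant body further down.
$ErrorActionPreference = 'Stop'

# Connect to azure-ad
Connect-AzureAD

# connect to MSGraph
# Scope Application.ReadWrite.All gives admin privileges to write to the (Enterprise) application resource
# directory.readwrite.all gives it access to create oauth2 permissions for the app.
# Least-privilege note: creating an oauth2PermissionGrant needs DelegatedPermissionGrant.ReadWrite.All, which is a
# narrower scope than Directory.ReadWrite.All. Prefer it if the tenant's consent policy allows.
Connect-MgGraph -scopes Application.ReadWrite.All,Directory.ReadWrite.All

# Get ObjectId of appspace function account
# Make sure the functional account has a O365 Teams License !!!!
# in this case I am looking for the name of the appspace account. But it could be an email address or unique name of the system account
# Assign this to the $principal var
$principal = get-azureaduser -searchstring 'appspace2'
# -searchstring is a prefix match and can return several users. Stop unless exactly one came back, otherwise
# $principal.ObjectId is an array (or empty) and the grant ends up on the wrong account or fails half-way.
if (-not $principal -or @($principal).Count -ne 1) {
    throw "Expected exactly one user for the appspace functional account, got $(@($principal).Count). Narrow the search string."
}

# Get the MS Graph Enterprise application object Id
# The where-object on the well-known Microsoft Graph appId is what makes this safe: a display-name match alone could
# pick up a similarly named third-party app.
$resource = Get-AzureADServicePrincipal -searchstring "Microsoft Graph"| where-object {$_.appId -eq "00000003-0000-0000-c000-000000000000"}
if (-not $resource) {
    throw "Microsoft Graph service principal (appId 00000003-0000-0000-c000-000000000000) not found in this tenant."
}

# Create the Service Principal for AppSpace. App id is known. its a multi-tenant enterprise application
# its not published in the enterprise app gallery though.
# Re-use the service principal if an earlier run already created it; New-AzureAdServicePrincipal fails on a duplicate.
$appspaceAppId = 'a9a866c4-e5cf-47f2-932c-db14cb89008f'
$appspaceSP = Get-AzureADServicePrincipal -Filter "appId eq '$appspaceAppId'"
if (-not $appspaceSP) {
    $appspaceSP = New-AzureAdServicePrincipal -appid $appspaceAppId
}

# Confirm that the Oauth2 Scopes are not configured
# [ should return blank ]
$appspaceSP.Oauth2PermissionScopes

# Create oauth2 permission grant. Allow the appspace app required scope
# consent-type is Principal, not principal. case sensitive..MS why!! it should be case insensitive.
$grantHash = @{ clientId = $appspaceSP.id; principalId = $principal.ObjectId; resourceId = $resource.objectId; scope = "offline_access openid profile User.ReadBasic.All Team.ReadBasic.All"; consentType = "Principal" }

# there is no powershell command i found to do this. so I use the generic invoke-mggraphrequest to do it.
# it assigns user consent scope privileges to the appspace function account.
# Skip the POST if a grant for this client/principal/resource triple already exists: Graph rejects the duplicate, and
# an existing grant with a different scope should be reviewed by a human rather than blindly overwritten.
$existingGrant = Get-AzureADServicePrincipalOAuth2PermissionGrant -objectId $appspaceSP.id |
    where-object { $_.PrincipalId -eq $principal.ObjectId -and $_.ResourceId -eq $resource.objectId }
if ($existingGrant) {
    Write-Warning "A grant for this account already exists with scope '$($existingGrant.Scope)'. Not creating another one; review it."
} else {
    invoke-mggraphrequest -method post -uri https://graph.microsoft.com/v1.0/oauth2PermissionGrants -body ($grantHash | convertto-json)
}

## confirm the correct scope is assigned to the appspace enterprise app
## Check that Scope matches $grantHash.scope exactly and ConsentType is Principal (not AllPrincipals) before finishing.
Get-AzureADServicePrincipalOAuth2PermissionGrant -objectId $appspaceSP.id | fl
#ClientId : 1754ee53-74ca-45ee-b2f4-c8f698a02daf
#ConsentType : Principal
#ExpiryTime : 12/31/9999 11:59:59 PM
#ObjectId : U-5UF8p07kWy9Mj2mKAtr1_-yOew6aVEmYeTJYp2lw9K-qBF_-nVQ5nUQmNea75-
#PrincipalId : 45a0fa4a-e9ff-43d5-99d4-42635e6bbe7e
#ResourceId : e7c8fe5f-e9b0-44a5-9987-93258a76970f
#Scope : offline_access openid profile User.ReadBasic.All Team.ReadBasic.All
#StartTime : 1/1/0001 12:00:00 AM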