nathanmcnulty · August 7, 2024 07:34
diff --git a/gistfile1.txt b/gistfile1.txt
 # list of permissions
 [array]$permissions = "Directory.Read.All","Policy.Read.All","Reports.Read.All","DirectoryRecommendations.Read.All","PrivilegedAccess.Read.AzureAD","IdentityRiskEvent.Read.All","RoleEligibilitySchedule.Read.Directory","RoleManagement.Read.All","Policy.Read.ConditionalAccess","UserAuthenticationMethod.Read.All"

 # create application
 $app = New-MgApplication -DisplayName "Maester DevOps"

 # create service principal
 $graphSpId = (Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'").Id
 $sp = New-MgServicePrincipal -AppId $app.appId

 # grant permissions
 $permissions | ForEach-Object { 
    $permission = $_
    $appRoleId = ((Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'" -Property AppRoles).appRoles | Where-Object { $_.Value -eq "$permission" }).Id
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id -AppRoleId $appRoleId -ResourceId $graphSpId
 }
	# list of permissions
	[array]$permissions = "Directory.Read.All","Policy.Read.All","Reports.Read.All","DirectoryRecommendations.Read.All","PrivilegedAccess.Read.AzureAD","IdentityRiskEvent.Read.All","RoleEligibilitySchedule.Read.Directory","RoleManagement.Read.All","Policy.Read.ConditionalAccess","UserAuthenticationMethod.Read.All"

	# create application
	$app = New-MgApplication -DisplayName "Maester DevOps"

	# create service principal
	$graphSpId = (Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'").Id
	$sp = New-MgServicePrincipal -AppId $app.appId

	# grant permissions
	$permissions \| ForEach-Object {
	$permission = $_
	$appRoleId = ((Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'" -Property AppRoles).appRoles \| Where-Object { $_.Value -eq "$permission" }).Id
	New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id -AppRoleId $appRoleId -ResourceId $graphSpId
	}