slawek/sk-az-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add delegated permissions step

Browse Source
This commit is contained in:
Sławek Koszewski
2026-02-07 12:53:57 +01:00
parent f66e5985f7
commit aff7d88cfd
2 changed files with 61 additions and 96 deletions
Download Patch File Download Diff File Expand all files Collapse all files

75
scripts/New-PublicClientApplication.ps1
View File

@@ -4,7 +4,6 @@
param( param(
[Alias("n")] [Alias("n")]
[string]$AppName, [string]$AppName,
[switch]$UsePowershellModules,
[Alias("h")] [Alias("h")]
[switch]$Help [switch]$Help
) )
@@ -16,7 +15,6 @@ function Show-Usage {
Write-Host "Usage: ./New-PublicClientApplication.ps1 -AppName <name>" Write-Host "Usage: ./New-PublicClientApplication.ps1 -AppName <name>"
Write-Host "Options:" Write-Host "Options:"
Write-Host " -AppName, -n <name> Application display name (required)" Write-Host " -AppName, -n <name> Application display name (required)"
Write-Host " -UsePowershellModules Use Az.Accounts/Az.Resources cmdlets instead of Azure CLI"
Write-Host " -Help, -h Show this help message and exit" Write-Host " -Help, -h Show this help message and exit"
} }
@@ -85,66 +83,10 @@ $azureServiceMgmtScopeId = "41094075-9dad-400e-a0bd-54e686782033"
$azureDevOpsAppId = "499b84ac-1321-427f-aa17-267ca6975798" $azureDevOpsAppId = "499b84ac-1321-427f-aa17-267ca6975798"
$azureDevOpsScopeId = "ee69721e-6c3a-468f-a9ec-302d16a4c599" $azureDevOpsScopeId = "ee69721e-6c3a-468f-a9ec-302d16a4c599"
if ($UsePowershellModules) { if (-not (Get-Command az -ErrorAction SilentlyContinue)) {
if (-not (Get-Command Get-AzADApplication -ErrorAction SilentlyContinue)) { throw "Azure CLI 'az' is required."
throw "Get-AzADApplication cmdlet not found. Install Az.Resources."
}
if (-not (Get-Command New-AzADApplication -ErrorAction SilentlyContinue)) {
throw "New-AzADApplication cmdlet not found. Install Az.Resources."
}
if (-not (Get-Command Update-AzADApplication -ErrorAction SilentlyContinue)) {
throw "Update-AzADApplication cmdlet not found. Install Az.Resources."
} }
$azContext = Get-AzContext
if ($null -eq $azContext) {
throw "No Azure context found. Run Connect-AzAccount first."
}
$existingApp = Get-AzADApplication -DisplayName $AppName -First 1
if ($null -ne $existingApp) {
Write-Error "Application '$AppName' already exists."
exit 1
}
$requiredResourceAccess = Get-RequiredResourceAccess `
-M365GraphAppId $m365GraphAppId `
-M365GraphScopeId $m365GraphScopeId `
-AzureDevOpsAppId $azureDevOpsAppId `
-AzureDevOpsScopeId $azureDevOpsScopeId `
-AzureServiceMgmtAppId $azureServiceMgmtAppId `
-AzureServiceMgmtScopeId $azureServiceMgmtScopeId
$webConfig = @{
implicitGrantSettings = @{
enableAccessTokenIssuance = $true
enableIdTokenIssuance = $true
}
}
# Create first to obtain appId needed for msal<appId>://auth redirect URI.
$newApp = New-AzADApplication `
-DisplayName $AppName `
-SignInAudience "AzureADMyOrg" `
-IsFallbackPublicClient `
-PublicClientRedirectUri @("http://localhost") `
-RequiredResourceAccess $requiredResourceAccess `
-Web $webConfig
if ($null -eq $newApp -or [string]::IsNullOrWhiteSpace($newApp.AppId)) {
throw "Failed to create application '$AppName' via Az.Resources."
}
$appId = $newApp.AppId
Update-AzADApplication `
-ApplicationId $appId `
-SignInAudience "AzureADMyOrg" `
-IsFallbackPublicClient `
-RequiredResourceAccess $requiredResourceAccess `
-PublicClientRedirectUri @("http://localhost", "msal${appId}://auth") `
-Web $webConfig | Out-Null
} else {
# Find the app by name # Find the app by name
$existingAppId = az ad app list --display-name $AppName --query "[0].appId" -o tsv $existingAppId = az ad app list --display-name $AppName --query "[0].appId" -o tsv
if ($LASTEXITCODE -ne 0) { if ($LASTEXITCODE -ne 0) {
@@ -188,6 +130,19 @@ if ($UsePowershellModules) {
if ($LASTEXITCODE -ne 0) { if ($LASTEXITCODE -ne 0) {
throw "Failed to configure application '$AppName'." throw "Failed to configure application '$AppName'."
} }
# Azure CLI is used to grant admin consent.
# Ensure service principal exists before granting tenant-wide admin consent.
az ad sp create --id $appId | Out-Null
if ($LASTEXITCODE -ne 0) {
throw "Failed to ensure service principal exists for '$AppName' ($appId)."
}
# Grant admin consent for configured delegated permissions.
az ad app permission admin-consent --id $appId | Out-Null
if ($LASTEXITCODE -ne 0) {
throw "Failed to grant admin consent for '$AppName' ($appId)."
} }
Write-Host "Created application '$AppName'" Write-Host "Created application '$AppName'"

10
scripts/create-pcs.sh
View File

@@ -114,6 +114,16 @@ EOF
web.implicitGrantSettings.enableIdTokenIssuance=true \ web.implicitGrantSettings.enableIdTokenIssuance=true \
1>/dev/null 1>/dev/null
# Ensure service principal exists before granting tenant-wide admin consent.
az ad sp create --id "$APP_ID" 1>/dev/null 2>/dev/null || true
# Grant admin consent for configured delegated permissions.
az ad app permission admin-consent --id "$APP_ID" 1>/dev/null
if [[ $? -ne 0 ]]; then
echo "Error: Failed to grant admin consent for '$APP_NAME' ($APP_ID)."
exit 1
fi
echo "Created application '$APP_NAME'" echo "Created application '$APP_NAME'"
echo "appId: $APP_ID" echo "appId: $APP_ID"
} }