#!/usr/bin/env bash
# Create (or update) the PCA used for logging in to Entra ID.
# "PCA" is presumably "public client application" — the app is configured
# with --is-fallback-public-client below; confirm against the project docs.
#
# Usage: <script> -n <app-display-name>
# Requires an Azure CLI session whose identity can create/update app
# registrations and grant tenant-wide admin consent (a privileged directory
# role).
#
# NOTE(review): this file was recovered from a collapsed listing. Two here-doc
# spans (the requiredResourceAccess JSON and the final summary) were lost in
# extraction and are marked below. No `set -euo pipefail` is present, so each
# az call's status is only checked where the author did so explicitly.

#######################################
# Print command-line usage.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stdout
#######################################
function usage() {
  echo "Usage: $0 [options]"
  echo "Options:"
  echo " -n, --app-name Application display name (required)"
  echo " -h, --help Show this help message and exit"
}

#######################################
# Entry point: resolve or create the app registration named by -n, configure
# it as a single-tenant public client with the delegated permissions listed
# below, create its service principal and grant tenant-wide admin consent.
# Globals:   APP_ID (written; not declared local), USER_CONFIRMATION
# Arguments: -n|--app-name NAME (required), -h|--help
# Outputs:   progress and error messages on stdout; appId on success
# Returns:   exits 1 on any failed step; exits 0 on success or user cancel
#######################################
function main() {
  local APP_NAME=""

  while [[ $# -gt 0 ]]; do
    case "$1" in
      -h|--help)
        usage
        # NOTE(review): usage already printed the "Options:" block; the two
        # echoes below print the -h line a second time.
        echo "Options:"
        echo " -h, --help Show this help message and exit"
        exit 0
        ;;
      -n|--app-name)
        # NOTE(review): no check that $2 is present. "-n" as the last argument
        # leaves APP_NAME empty (caught below) but makes `shift 2` fail.
        APP_NAME="$2"
        shift 2
        ;;
      -*)
        echo "Unknown option: $1"
        echo "Use -h or --help for usage information."
        exit 1
        ;;
      *)
        # Leave the rest of the arguments for the script to process
        break
        ;;
    esac
  done

  if [[ -z "$APP_NAME" ]]; then
    echo "Error: Application name is required."
    usage
    exit 1
  fi

  # Find the app by name. Only the first match is taken ([0]); display names
  # are not guaranteed unique, so a second app with the same name is silently
  # ignored and the first one is the one that gets updated.
  # NOTE(review): APP_ID is not declared local, so it leaks into global scope.
  APP_ID=$(az ad app list --display-name "$APP_NAME" --query "[0].appId" -o tsv)

  if [[ -n "$APP_ID" ]]; then
    # Existing app: the update below rewrites its permissions and redirect
    # URIs, so ask first. USER_CONFIRMATION is only declared on this path and
    # is read at the end to choose the "Created"/"Updated" message.
    local USER_CONFIRMATION
    read -r -p "Application '$APP_NAME' already exists. Update it? [y/N]: " USER_CONFIRMATION
    if [[ ! "$USER_CONFIRMATION" =~ ^([yY][eE][sS]|[yY])$ ]]; then
      echo "Canceled."
      exit 0
    fi
  fi

  # Create the app when it does not already exist.
  if [[ -z "$APP_ID" ]]; then
    APP_ID=$(az ad app create --display-name "$APP_NAME" --query "appId" -o tsv)
    if [[ -z "$APP_ID" ]]; then
      echo "Error: Failed to create application '$APP_NAME'."
      exit 1
    fi
  fi

  # Resource app IDs of the first-party APIs the app will call (Microsoft
  # Graph, Azure Service Management, Azure DevOps) and the ID of the delegated
  # scope requested on each. These are admin-consented tenant-wide further
  # down, so review them before running.
  # NOTE(review): confirm which permission each *_SCOPE_ID denotes (e.g. via
  # `az ad sp show --id <resource app id>`) — this listing does not say.
  local M365_GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"
  local M365_GRAPH_SCOPE_ID="0e263e50-5827-48a4-b97c-d940288653c7"
  local AZURE_SERVICE_MGMT_APP_ID="797f4846-ba00-4fd7-ba43-dac1f8f63013"
  local AZURE_SERVICE_MGMT_SCOPE_ID="41094075-9dad-400e-a0bd-54e686782033"
  local AZURE_DEVOPS_APP_ID="499b84ac-1321-427f-aa17-267ca6975798"
  local AZURE_DEVOPS_SCOPE_ID="ee69721e-6c3a-468f-a9ec-302d16a4c599"

  # Build the requiredResourceAccess payload from the IDs above and write it to
  # a temp file that `az ad app update` reads via @file.
  # NOTE(review): the here-doc that produced this JSON, and the creation of
  # REQUIRED_RESOURCE_ACCESS_FILE (presumably via mktemp), were lost when this
  # listing was collapsed; the next line is a fragment and must be restored
  # from the original source.
  local REQUIRED_RESOURCE_ACCESS_JSON
  REQUIRED_RESOURCE_ACCESS_JSON=$(cat < "$REQUIRED_RESOURCE_ACCESS_FILE"

  # Configure app to match "Azure Node Playground Public".
  # Single-tenant sign-in (AzureADMyOrg), public client with no secret
  # (--is-fallback-public-client), loopback and MSAL custom-scheme redirect
  # URIs only, access and ID token issuance enabled.
  az ad app update \
    --id "$APP_ID" \
    --sign-in-audience AzureADMyOrg \
    --is-fallback-public-client true \
    --required-resource-accesses @"$REQUIRED_RESOURCE_ACCESS_FILE" \
    --public-client-redirect-uris "http://localhost" "msal${APP_ID}://auth" \
    --enable-access-token-issuance true \
    --enable-id-token-issuance true \
    1>/dev/null
  local UPDATE_EXIT_CODE=$?
  # The temp file is expected to hold only the IDs above (no secrets), but
  # there is no trap: if the script is interrupted during the az call the file
  # is left behind.
  rm -f "$REQUIRED_RESOURCE_ACCESS_FILE"
  if [[ $UPDATE_EXIT_CODE -ne 0 ]]; then
    echo "Error: Failed to configure application '$APP_NAME' ($APP_ID)."
    exit 1
  fi

  # Ensure service principal exists before granting tenant-wide admin consent.
  # Failure is deliberately ignored (|| true), presumably because creation
  # fails when the service principal already exists; a real error surfaces at
  # the admin-consent step below instead.
  az ad sp create --id "$APP_ID" 1>/dev/null 2>/dev/null || true

  # Grant admin consent for configured delegated permissions.
  # This is a tenant-wide change: every user in the directory can then sign in
  # to this app with the scopes above without a consent prompt. It requires a
  # privileged directory role and is worth recording in change management.
  az ad app permission admin-consent --id "$APP_ID" 1>/dev/null
  if [[ $? -ne 0 ]]; then
    echo "Error: Failed to grant admin consent for '$APP_NAME' ($APP_ID)."
    exit 1
  fi

  # Tenant of the current CLI context, presumably for the summary printed below.
  local TENANT_ID
  TENANT_ID=$(az account show --query tenantId -o tsv)
  if [[ -z "$TENANT_ID" ]]; then
    echo "Error: Failed to resolve tenantId from current Azure CLI context."
    exit 1
  fi

  # USER_CONFIRMATION is only set on the update path (see above); on the
  # create path it is unset and expands to empty.
  if [[ -z "$USER_CONFIRMATION" ]]; then
    echo "Created application '$APP_NAME'"
  else
    echo "Updated application '$APP_NAME'"
  fi
  echo "appId: $APP_ID"
  # NOTE(review): the summary here-doc that follows, the end of main and the
  # `main "$@"` call are cut off in this listing.
  cat <