132 lines
3.5 KiB
Bash
Executable File
132 lines
3.5 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
# Create the PCA for loggin in to Entra ID
|
|
function usage() {
|
|
echo "Usage: $0 [options]"
|
|
echo "Options:"
|
|
echo " -n, --app-name <name> Application display name (required)"
|
|
echo " -h, --help Show this help message and exit"
|
|
}
|
|
|
|
function main() {
|
|
local APP_NAME=""
|
|
while [[ $# -gt 0 ]]; do
|
|
case "$1" in
|
|
-h|--help)
|
|
usage
|
|
echo "Options:"
|
|
echo " -h, --help Show this help message and exit"
|
|
exit 0
|
|
;;
|
|
-n|--app-name)
|
|
APP_NAME="$2"
|
|
shift 2
|
|
;;
|
|
-*)
|
|
echo "Unknown option: $1"
|
|
echo "Use -h or --help for usage information."
|
|
exit 1
|
|
;;
|
|
*) # Leave the rest of the arguments for the script to process
|
|
break
|
|
;;
|
|
esac
|
|
done
|
|
|
|
if [[ -z "$APP_NAME" ]]; then
|
|
echo "Error: Application name is required."
|
|
usage
|
|
exit 1
|
|
fi
|
|
|
|
# Find the app by name
|
|
APP_ID=$(az ad app list --display-name "$APP_NAME" --query "[0].appId" -o tsv)
|
|
if [[ -n "$APP_ID" ]]; then
|
|
echo "Error: Application '$APP_NAME' already exists."
|
|
exit 1
|
|
fi
|
|
|
|
# Create the app
|
|
APP_ID=$(az ad app create --display-name "$APP_NAME" --query "appId" -o tsv)
|
|
if [[ -z "$APP_ID" ]]; then
|
|
echo "Error: Failed to create application '$APP_NAME'."
|
|
exit 1
|
|
fi
|
|
|
|
local M365_GRAPH_APP_ID="00000003-0000-0000-c000-000000000000"
|
|
local M365_GRAPH_SCOPE_ID="0e263e50-5827-48a4-b97c-d940288653c7"
|
|
local AZURE_SERVICE_MGMT_APP_ID="797f4846-ba00-4fd7-ba43-dac1f8f63013"
|
|
local AZURE_SERVICE_MGMT_SCOPE_ID="41094075-9dad-400e-a0bd-54e686782033"
|
|
local AZURE_DEVOPS_APP_ID="499b84ac-1321-427f-aa17-267ca6975798"
|
|
local AZURE_DEVOPS_SCOPE_ID="ee69721e-6c3a-468f-a9ec-302d16a4c599"
|
|
|
|
local REQUIRED_RESOURCE_ACCESS_JSON
|
|
REQUIRED_RESOURCE_ACCESS_JSON=$(cat <<EOF
|
|
[
|
|
{
|
|
"resourceAppId": "${M365_GRAPH_APP_ID}",
|
|
"resourceAccess": [
|
|
{
|
|
"id": "${M365_GRAPH_SCOPE_ID}",
|
|
"type": "Scope"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"resourceAppId": "${AZURE_DEVOPS_APP_ID}",
|
|
"resourceAccess": [
|
|
{
|
|
"id": "${AZURE_DEVOPS_SCOPE_ID}",
|
|
"type": "Scope"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"resourceAppId": "${AZURE_SERVICE_MGMT_APP_ID}",
|
|
"resourceAccess": [
|
|
{
|
|
"id": "${AZURE_SERVICE_MGMT_SCOPE_ID}",
|
|
"type": "Scope"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
EOF
|
|
)
|
|
|
|
local PUBLIC_CLIENT_REDIRECT_URIS_JSON
|
|
PUBLIC_CLIENT_REDIRECT_URIS_JSON=$(cat <<EOF
|
|
[
|
|
"http://localhost",
|
|
"msal${APP_ID}://auth"
|
|
]
|
|
EOF
|
|
)
|
|
|
|
# Configure app to match "Azure Node Playground Public".
|
|
az ad app update \
|
|
--id "$APP_ID" \
|
|
--set signInAudience=AzureADMyOrg \
|
|
isFallbackPublicClient=true \
|
|
requiredResourceAccess="$REQUIRED_RESOURCE_ACCESS_JSON" \
|
|
publicClient.redirectUris="$PUBLIC_CLIENT_REDIRECT_URIS_JSON" \
|
|
web.implicitGrantSettings.enableAccessTokenIssuance=true \
|
|
web.implicitGrantSettings.enableIdTokenIssuance=true \
|
|
1>/dev/null
|
|
|
|
# Ensure service principal exists before granting tenant-wide admin consent.
|
|
az ad sp create --id "$APP_ID" 1>/dev/null 2>/dev/null || true
|
|
|
|
# Grant admin consent for configured delegated permissions.
|
|
az ad app permission admin-consent --id "$APP_ID" 1>/dev/null
|
|
if [[ $? -ne 0 ]]; then
|
|
echo "Error: Failed to grant admin consent for '$APP_NAME' ($APP_ID)."
|
|
exit 1
|
|
fi
|
|
|
|
echo "Created application '$APP_NAME'"
|
|
echo "appId: $APP_ID"
|
|
}
|
|
|
|
main "$@"
|