Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Tip

When running the script, be sure to authenticate to Azure as a user with adequate permissions to execute it in Azure AD (owner at the tenant level).

Code Block
languagepowershell
###############
## GRAPH API ##
###############
Param(
    $tenantId = "",
    $appServiceObjectID = "", 
    $PermissionsToAdd = @("Organization.Read.All", "User.Read.All", "Group.Read.All", "GroupMember.ReadWrite.All", "Reports.Read.All")
)

# Install AzureAD module if not installed
if (-Not(Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module AzureAD -Force
}

# Check if connected to the target Azure AD Tenant
try { 
    $tenantDetail = Get-AzureADTenantDetail 
} 
catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] 
{ 
    Write-Host "You're not connected."; 
    Connect-AzureAD -TenantId $tenantId;
    $tenantDetail = Get-AzureADTenantDetail 
}

if ($tenantDetail.ObjectId -ne $tenantId) {
    Write-Host "You're not connected to the tenant: " $tenantId; 
    Connect-AzureAD -TenantId $tenantId;
}


# Managed Identity for the SCIM App Service | Found in App Service -> Identity 
$ManagedIdentitiesServicePrincipal = Get-AzureADServicePrincipal -Filter "ObjectId eq `'$appServiceObjectID`'"
if ($ManagedIdentitiesServicePrincipal -eq $null) {
    throw "Managed Identity for the app service is not found. `nApp Service Object ID: $appServiceObjectID "
}

# Resource Name : Microsoft Graph | Resource URI : https://graph.microsoft.com | Application ID : 00000003-0000-0000-c000-000000000000
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"

# Permissions
foreach ($PermissionToAdd in $PermissionsToAdd) {
    $AppRole = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionToAdd.Trim() -and $_.AllowedMemberTypes -contains "Application"}
    if ($AppRole -eq $null) {
        Write-Error "Invalid Permission `nPermission name: $PermissionToAdd"
    }
    else {
        # Assigns a Graph API service principal to an application role
        try {
            New-AzureAdServiceAppRoleAssignment -ObjectId $ManagedIdentitiesServicePrincipal.ObjectId -PrincipalId $ManagedIdentitiesServicePrincipal.ObjectId -ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole.Id -ErrorAction Stop
        }
        catch {
            if ($_.Exception.ErrorContent.Message.Value -eq "Permission being assigned already exists on the object") {
                Write-Host "`""$AppRole.DisplayName"`"" " Permission is already assigned on the app service"
            }
            else {
                Write-Error $_
            }
        }
    }
}

...