I am trying to add the required API permissions to my application using this script. The Azure AD module is not working in the version of powershell i am using (powershell 7 (x86)), so instead I am using the graph.microsoft.com API. The problem is that when I run it, it comes with errors saying "Cannot find type System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]: verify that the assembly | containing this type is loaded." and same with the RequiredResourceAccess.
so the problem is here. how do it get it to find the type og use the ResourceAccess.
$ResourceAccessObjects = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
foreach ($RoleAssignment in $RoleAssignments) {
$resourceAccess = New-Object "microsoft.open.azuread.model.resourceAccess"
$resourceAccess.Id = $RoleAssignment.Id
$resourceAccess.Type = 'Role'
$ResourceAccessObjects.Add($resourceAccess)
}
$requiredResourceAccess = New-Object "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$requiredResourceAccess.ResourceAppId = $targetSp.AppId
$requiredResourceAccess.ResourceAccess = $ResourceAccessObjects
The whole script
Connect-AzAccount
$AADToken = (Get-AzAccessToken -ResourceUrl "Https://graph.microsoft.com").Token
Function GrantAllThePermissionsWeWant
{
param
(
[string] $targetServicePrincipalName,
$appPermissionsRequired,
$appId,
$spForApp
)
}
$restSplat = @{
Method = "GET"
uri = "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=displayName eq '$targetServicePrincipalName'"
headers = @{"Authorization" = "Bearer $AADToken"; "Content-Type" = "application/json" }
}
$targetSp = Invoke-RestMethod @restSplat | ConvertTo-Json
$RoleAssignments = @()
Foreach ($AppPermission in $appPermissionsRequired) {
$RoleAssignment = $targetSp.AppRoles | Where-Object { $_.Value -eq $AppPermission}
$RoleAssignments += $RoleAssignment
}
$ResourceAccessObjects = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
foreach ($RoleAssignment in $RoleAssignments) {
$resourceAccess = New-Object "microsoft.open.azuread.model.resourceAccess"
$resourceAccess.Id = $RoleAssignment.Id
$resourceAccess.Type = 'Role'
$ResourceAccessObjects.Add($resourceAccess)
}
$requiredResourceAccess = New-Object "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$requiredResourceAccess.ResourceAppId = $targetSp.AppId
$requiredResourceAccess.ResourceAccess = $ResourceAccessObjects
# set the required resource access
Set-AzureADApplication -ObjectId $appId.ObjectId -RequiredResourceAccess $requiredResourceAccess
Start-Sleep -s 1
# grant the required resource access
foreach ($RoleAssignment in $RoleAssignments) {
Write-Output -InputObject ('Granting admin consent for App Role: {0}' -f $($RoleAssignment.Value))
New-AzureADServiceAppRoleAssignment -ObjectId $spForApp.ObjectId -Id $RoleAssignment.Id -PrincipalId $spForApp.ObjectId -ResourceId $targetSp.ObjectId
Start-Sleep -s 1
}
$appId = '(appid)'
$appPermissionsRequired = @('Directory.Read.All')
$targetServicePrincipalName = '(spname)'
GrantAllThePermissionsWeWant -targetServicePrincipalName $targetServicePrincipalName -appPermissionsRequired $appPermissionsRequired -appId $appId -spForApp $targetSp
I havent got to the part where "Set-AzureADApplication" is an call to the graph.microsoft.com API instead so please ignore that part.
My solution was this:
foreach ($RoleAssignment in $RoleAssignments) {
$restSplat = @{
Method = "PATCH"
uri = "https://graph.microsoft.com/v1.0/applications/$($appId)"
headers = @{"Authorization" = "Bearer $AADToken"; "Content-Type" = "application/json" }
body = @{
requiredResourceAccess = @(
@{
resourceAppId = $targetSp.appId
resourceAccess = @(
@{
id = $RoleAssignment.Id
type = "Role"
}
)
}
)
} | ConvertTo-Json -Depth 4
}
$rest = (Invoke-RestMethod @restSplat).Value
Now I just need to grant the required resource access with Graph.microsoft.com too.