I am trying to create an Azure AD application using the New-MgApplication PowerShell cmdlet. While creating the application, I am trying to set OAuth2 permission scopes. The cmdlet runs just fine and the application is created properly. However, when I check the application settings in the Azure Portal, the settings are not being set.
Here's my code:
[Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Models.ApiV10.MicrosoftGraphWebApplication]$azureAdApiAppWebSettings = @{RedirectUris="http://localhost:4040"}
[Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Models.ApiV10.IMicrosoftGraphPermissionScope[]]$oauth2PermissionScopes = @(
    @{
        AdminConsentDescription="Access the application as admin.";
        AdminConsentDisplayName="Access as admin";
        Id=[guid]::NewGuid().ToString();
        IsEnabled=$true;
        Origin="Application";
        Type="User";
        UserConsentDescription="Access the application as user.";
        UserConsentDisplayName="Access as user";
        Value="access_as_user"
    }
)
[Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Models.ApiV10.IMicrosoftGraphApiApplication]$azureAdApiAppApiSettings = @{
    Oauth2PermissionScopes=$oauth2PermissionScopes;
}
$azureAdApiApp = New-MgApplication -DisplayName "MyApplicationName" -SignInAudience "AzureADMyOrg" -Web $azureAdApiAppWebSettings -Api $azureAdApiAppApiSettings
I am wondering if anyone can tell me what I am doing wrong? Or is it just that we cannot set the permission scopes at the time of application creation and can only do it once the application is created, using Update-MgApplication.
Here's how I solved this. Based on the Portal's interface, it is my understanding that before we can set these permission scopes we would need to set the App URI.
Assuming we are going to set the App URI as the default one (api://<app-id>), it is not possible to set the permission scopes when an application is created.
It has to be done after the application is created because we get the application id only after application creation.
Here's the code I came up with:
[Microsoft.Graph.PowerShell.Models.MicrosoftGraphWebApplication]$azureAdApiAppWebSettings = @{RedirectUris="http://localhost:4040"}
$azureAdApiApp = New-MgApplication -DisplayName "MyApplicationName" -SignInAudience "AzureADMyOrg" -Web $azureAdApiAppWebSettings
# Update-MgApplication takes the object id (Id), not the client id (AppId);
# the default App URI is built from the client id.
$azureAdApiAppId = $azureAdApiApp.Id
$applicationId = $azureAdApiApp.AppId
# Update identifier URIs first
$identifierUris = "api://$applicationId"
# Update-MgApplication returns nothing by default, so do not overwrite $azureAdApiApp with its result
Update-MgApplication -ApplicationId $azureAdApiAppId -IdentifierUris $identifierUris
# Wait for some time for identifier URIs to update
Start-Sleep -Seconds 10
# Now update the permission scopes
[Microsoft.Graph.PowerShell.Models.IMicrosoftGraphPermissionScope[]]$oauth2PermissionScopes = @(
    @{
        AdminConsentDescription="Access the application as admin.";
        AdminConsentDisplayName="Access as admin";
        Id=[guid]::NewGuid().ToString();
        IsEnabled=$true;
        Origin="Application";
        Type="User";
        UserConsentDescription="Access the application as user.";
        UserConsentDisplayName="Access as user";
        Value="access_as_user"
    }
)
[Microsoft.Graph.PowerShell.Models.IMicrosoftGraphApiApplication]$azureAdApiAppApiSettings = @{
    Oauth2PermissionScopes=$oauth2PermissionScopes;
}
Update-MgApplication -ApplicationId $azureAdApiAppId -Api $azureAdApiAppApiSettings
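The same create-then-update sequence with two additions, as an added example that is not part of the original answer: it polls Get-MgApplication until the identifier URI is visible instead of sleeping a fixed 10 seconds, and it reads the application back afterwards to confirm the scope actually persisted (the symptom in the question). It assumes an existing Connect-MgGraph session with Application.ReadWrite.All; the display name, redirect URI and Wait-MgApplicationIdentifierUri helper are my own placeholders.

```powershell
# Added example (not from the original post). Assumes Connect-MgGraph already ran with
# Application.ReadWrite.All; display name and redirect URI are placeholders.
function Wait-MgApplicationIdentifierUri {
    param(
        [Parameter(Mandatory)][string]$ObjectId,
        [Parameter(Mandatory)][string]$ExpectedUri,
        [int]$TimeoutSeconds = 60
    )
    # Poll until Graph returns the URI instead of sleeping a fixed interval.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        $app = Get-MgApplication -ApplicationId $ObjectId
        if ($app.IdentifierUris -contains $ExpectedUri) { return $true }
        Start-Sleep -Seconds 2
    }
    return $false
}

$app = New-MgApplication -DisplayName "MyApplicationName" -SignInAudience "AzureADMyOrg" `
    -Web @{ RedirectUris = @("http://localhost:4040") }

# Id is the object id that Update/Get-MgApplication take; AppId (client id) goes into the App URI.
$objectId = $app.Id
$identifierUri = "api://$($app.AppId)"
Update-MgApplication -ApplicationId $objectId -IdentifierUris @($identifierUri)

if (-not (Wait-MgApplicationIdentifierUri -ObjectId $objectId -ExpectedUri $identifierUri)) {
    throw "Identifier URI $identifierUri not visible within the timeout; scopes not added."
}

$scopeId = [guid]::NewGuid().ToString()
$apiSettings = @{
    Oauth2PermissionScopes = @(
        @{
            Id                      = $scopeId
            Value                   = "access_as_user"
            Type                    = "User"   # "Admin" would require admin consent instead
            IsEnabled               = $true
            AdminConsentDisplayName = "Access as user"
            AdminConsentDescription = "Allows the app to call the API on the signed-in user's behalf."
            UserConsentDisplayName  = "Access as user"
            UserConsentDescription  = "Allows the app to call the API on your behalf."
        }
    )
}
Update-MgApplication -ApplicationId $objectId -Api $apiSettings

# Read the application back and confirm the scope persisted (the symptom in the question).
$saved = (Get-MgApplication -ApplicationId $objectId).Api.Oauth2PermissionScopes | Where-Object { $_.Id -eq $scopeId }
if (-not $saved) { throw "Scope $scopeId was not persisted on application $objectId." }
```

If the scope is missing on read-back, the identifier URI step is the first thing to check, since the Portal requires it before scopes can be defined.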