azurepowershellazure-active-directory
How do I add the "offline_access" permission to a new app registration in Azure AD?
See my code for adding permissions to a new app registration:
# Define variables
$AppName = "Test Application 5"
$CertSubject = "CN=$AppName"
$StartDate = Get-Date
$EndDate = $StartDate.AddMonths(3) # Adjust certificate validity period as needed
# Create a new Azure AD application
$App = New-AzureADApplication -DisplayName $AppName -IdentifierUris "test9" -HomePage "https://yourapphomepage"
# Generate a new self-signed certificate
$Cert = New-SelfSignedCertificate -Subject $CertSubject -CertStoreLocation "Cert:\CurrentUser\My" -NotBefore $StartDate -NotAfter $EndDate
# Convert the certificate to a base64-encoded string
$CertBytes = [System.Convert]::ToBase64String($Cert.RawData)
$CertValue = [System.Text.Encoding]::UTF8.GetString([System.Text.Encoding]::ASCII.GetBytes($CertBytes))
# Create a new certificate credential for the application
New-AzureADApplicationKeyCredential -ObjectId $App.ObjectId -CustomKeyIdentifier "CertKey" -Type AsymmetricX509Cert -Usage Verify -Value $CertValue -StartDate $StartDate -EndDate $EndDate
# Create a new password credential for the application (secret)
$PasswordCredential = New-AzureADApplicationPasswordCredential -ObjectId $App.ObjectId -CustomKeyIdentifier "PasswordKey" -StartDate $StartDate -EndDate $EndDate
#-------------------------------------------------------------
# Add Permissions
$spForApp = New-AzureADServicePrincipal -AppId $App.AppId -PasswordCredentials @($PasswordCredential)
$appPermissionsRequired = @('offline_access','User.Read.All','Group.Read.All','GroupMember.ReadWrite.All','Directory.Read.All','AuditLog.Read.All')
$targetServicePrincipalName = 'Microsoft Graph'
$targetSp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$($targetServicePrincipalName)'"
$RoleAssignments = @()
Foreach ($AppPermission in $appPermissionsRequired) {
$RoleAssignment = $targetSp.AppRoles | Where-Object { $_.Value -eq $AppPermission}
$RoleAssignments += $RoleAssignment
}
$ResourceAccessObjects = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]'
foreach ($RoleAssignment in $RoleAssignments) {
$resourceAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess"
$resourceAccess.Id = $RoleAssignment.Id
$resourceAccess.Type = 'Role'
$ResourceAccessObjects.Add($resourceAccess)
}
$requiredResourceAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$requiredResourceAccess.ResourceAppId = $targetSp.AppId
$requiredResourceAccess.ResourceAccess = $ResourceAccessObjects
# set the required resource access
Set-AzureADApplication -ObjectId $App.ObjectId -RequiredResourceAccess $requiredResourceAccess
Start-Sleep -s 1
# grant the required resource access
foreach ($RoleAssignment in $RoleAssignments) {
Write-Output -InputObject ('Granting admin consent for App Role: {0}' -f $($RoleAssignment.Value))
New-AzureADServiceAppRoleAssignment -ObjectId $spForApp.ObjectId -Id $RoleAssignment.Id -PrincipalId $spForApp.ObjectId -ResourceId $targetSp.ObjectId
Start-Sleep -s 1
}
All the permissions were successfully added except for "offline_access".
When I look for the app roles in the command line using:
$targetSp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$targetSp.AppRoles
I get a large list of the App Roles in Microsoft Graph. I'm able to find all the app roles except "offline_access". It's like it doesn't exist. But I can add it manually in the azure portal.
Does anyone know how I can target "offline_access"? I tried using the permission ID with no success, but maybe someone knows how to use that. Thank you!
Solution
Note that:
Offline_accessis a delegated API permission not application API permission. Hence you have to list it using Oauth2Permissions not AppRoles.
To list the delegated API permissions, use the below command:
$targetSp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$targetSp.Oauth2Permissions
To get only the required delegated API permission, execute the below command:
$targetSp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$offlineAccessId = $targetSp.Oauth2Permissions | Where-Object { $_.Value -eq 'offline_access' }
You can add offline_access API permission by using the below code:
# Create a new Azure AD application
$myapp = New-AzureADApplication -DisplayName "RukApptest"
$myappId = $myapp.ObjectId
$MSGraph = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq "Microsoft Graph" }
# Retrieve the ID of the 'offline_access' permission from Microsoft Graph
$offlineAccessPermission = $MSGraph.Oauth2Permissions | Where-Object { $_.Value -eq 'offline_access' }
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = $MSGraph.AppId
$Per1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $offlineAccessPermission.Id,"Scope"
$Graph.ResourceAccess = $Per1
Set-AzureADApplication -ObjectId $myappId -RequiredResourceAccess $Graph
- Invalid operands found for operator -eq
- Adding custom headers to Azure Functions response
- Azure Queue Trigger is hit but not executing the logic inside of it
- az cli not showing redisenterprise keys
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- Azure Devops Server Pipelines: Any way to have a Stage result as "Succeeded" even if a constituent Job reported "SucceededWithIssues"?
- YAML strings including special characters % and & were not printed correctly for Windows environment
- Azure function returns error: No job functions found. Try making your job classes and methods public
- How to view Oldest Query results in Azure Monitor Metrics for an Azure PostgreSQL Flex Server instance
- Authenticate to Azure with certificate from Linux
- What are the minimum Azure permissions required to publish a Power BI report using "App Owns the Data"?
- Refresh an Azure search index
- Best way to clean up resources in StatefulService
- Azure Function App - No continuous deployment setting for "Flex Consumption" hosting plan?
- Query Azure SQL Database using Rest-API
- How to create a feature burndown chart in Azure DevOps?
- Why is this "call is ambiguous between the following methods or properties" when calling ValidateOnStart?
- How to write a Bicep API Connection formrecognizer with api key
- Where can I find docker container logs for Azure App Service
- will looping GetBlobsAsync() but doing nothing in the loop body read the contents of the blob
- Connect to OneDrive using Python (msal) and client secret
- How to debug ServiceBus-triggered Azure Function locally?
- Does Azure Cognitive Services support (detect and compare) Handwritten Signatures and Stamps from two images?
- Modify ARM-Template for quick deployment
- Does anyone have implemented auxiliary logs deployment in sentinel?
- Get request headers in azure functions NodeJs Http Trigger
- Filter specific items that are alone in an array of Collection String in Azure Search
- Trouble obtaining access token for managed identity with application role
- Azure Autoscaling Duration Time and Cool Down Time
- Partition Key for Cosmos DB