I am in the process of converting Set-AzureADApplication to Update-MgApplication in my Azure PowerShell code. I am using these commands to add permissions to my application in Azure. See my code below.
# Function to Add Application
function Add-Application {
    param(
        [string]$appName
    )
    $ReplyURL = Read-Host "Enter your redirect URI"
    #$App = New-AzureADApplication -DisplayName $appName -ReplyUrls $ReplyURL
    $App = New-MgApplication -DisplayName $AppName -DefaultRedirectUri $ReplyURL
    #New-AzureADServicePrincipal -AppId $App.AppId
    New-MgServicePrincipal -AppId $App.AppId
}
# -------------------------------------------------------------
# Function to Add Permissions
function Add-Permission {
    param(
        [string]$appName
    )
    $Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $Graph.ResourceAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph API
    $Azure = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $Azure.ResourceAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013" # Azure Service Management API
    $UserReadAll = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "a154be20-db9c-4678-8ab7-66f6cc099a59","Scope"
    $GroupReadAll = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "5f8c59db-677d-491f-a6b8-5f174b11ec1d","Scope"
    $GroupMemberReadAll = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "bc024368-1153-4739-b217-4326f2e966d0","Scope"
    $GroupMemberReadWriteAll = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "f81125ac-d3b7-4573-a3b2-7099cc39df9e","Scope"
    $DirectoryReadAll = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "06da0dbc-49e2-44d2-8312-53f166ab848a","Scope"
    $AuditLogReadAll = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e4c9e354-4dc5-45b8-9e7c-e1393b0b1a20","Scope"
    $offlineaccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7427e0e9-2fba-42fe-b0c0-848c9e6a8182","Scope"
    $Graph.ResourceAccess = $UserReadAll, $GroupReadAll, $GroupMemberReadAll, $GroupMemberReadWriteAll, $DirectoryReadAll, $AuditLogReadAll, $offlineaccess
    $userimpersonation = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "41094075-9dad-400e-a0bd-54e686782033","Scope"
    $Azure.ResourceAccess = $userimpersonation
    #$App = Get-AzureADApplication -Filter "DisplayName eq '$($appName)'"
    $App = Get-MgApplication -Filter "DisplayName eq '$($appName)'"
    #Set-AzureADApplication -ObjectId $App.ObjectId -RequiredResourceAccess $Graph, $Azure
    Update-MgApplication -ObjectId $App.Id -RequiredResourceAccess $Graph, $Azure
}
When I run this code, I get this new error:
So I understand that it has to do with this section of the code:
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph API
But how would I solve this error? I guess a broader question is: how do I add permissions to an application using the Update-MgApplication command?
You can make use of the modified script below to add Delegated permissions using the Update-MgApplication command:
# Function to Add Application
function Add-Application {
    param(
        [string]$appName
    )
    $ReplyURL = Read-Host "Enter your redirect URI"
    # Redirect URIs for a web app are set through the -Web hashtable in Microsoft Graph PowerShell
    $App = New-MgApplication -DisplayName $AppName -Web @{ RedirectUris = @($ReplyURL) }
    New-MgServicePrincipal -AppId $App.AppId
}
# -------------------------------------------------------------
# Function to Add Permissions
function Add-Permission {
    param(
        [string]$appName
    )
    # Delegated (Scope) permissions to request on Microsoft Graph, by their published names
    $delegatedPermissions = @(
        "AuditLog.Read.All",
        "Directory.Read.All",
        "User.Read.All",
        "offline_access",
        "Group.Read.All",
        "GroupMember.Read.All",
        "GroupMember.ReadWrite.All"
    )
    # Resolve the names to permission ids from the Microsoft Graph service principal's
    # published OAuth2 scopes instead of hard-coding GUIDs
    $filteredPermissions = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'" -Property Oauth2PermissionScopes |
        Select-Object -ExpandProperty Oauth2PermissionScopes |
        Where-Object { $delegatedPermissions -contains $_.Value }
    # Azure Service Management API: user_impersonation delegated permission
    $azureServicePermission = @{
        resourceAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
        resourceAccess = @(
            @{
                id = "41094075-9dad-400e-a0bd-54e686782033"
                type = "Scope"
            }
        )
    }
    $app = Get-MgApplication -Filter "DisplayName eq '$appName'"
    # requiredResourceAccess is plain hashtables, not Microsoft.Open.AzureAD.Model objects
    $params = @{
        requiredResourceAccess = @(
            $azureServicePermission,
            @{
                resourceAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph API
                resourceAccess = $filteredPermissions | ForEach-Object {
                    @{
                        id = $_.Id
                        type = "Scope"
                    }
                }
            }
        )
    }
    # Update-MgApplication takes -ApplicationId (the object id), not -ObjectId
    Update-MgApplication -ApplicationId $app.Id -BodyParameter $params
}
To call these functions, I ran the PowerShell commands below and got a response like this:
Add-Application -appName "SriDemoApp"
Add-Permission -appName "SriDemoApp"
Response:
When I checked the same in the Portal, the new app registration was created with API permissions of the Delegated type added successfully, as below:
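As an added example (not part of the question or the answer above), a read-back check to run after Update-MgApplication: it resolves every id in the app's requiredResourceAccess back to its permission name and flags write permissions and anything that needs admin consent, so the requested set can be reviewed for least privilege before consent is granted. It assumes an existing Connect-MgGraph session; the function name and the "SriDemoApp" display name are taken from the answer's own example.

```powershell
# Added example: report what an app registration actually requests, resolved to names.
# Assumes Connect-MgGraph has already been run with rights to read applications and
# service principals. Get-RequestedPermissionReport is a hypothetical helper name.
function Get-RequestedPermissionReport {
    param([string]$appName)

    $app = Get-MgApplication -Filter "DisplayName eq '$appName'"
    foreach ($resource in $app.RequiredResourceAccess) {
        # Resolve the resource API (Microsoft Graph, Azure Service Management, ...) by its appId
        $sp = Get-MgServicePrincipal -Filter "appId eq '$($resource.ResourceAppId)'" `
            -Property DisplayName, Oauth2PermissionScopes, AppRoles
        foreach ($access in $resource.ResourceAccess) {
            if ($access.Type -eq 'Scope') {
                # Delegated permission: look the id up in the published OAuth2 scopes;
                # scopes of Type 'Admin' cannot be consented by an ordinary user
                $match = $sp.Oauth2PermissionScopes | Where-Object { $_.Id -eq $access.Id }
                $needsAdmin = ($match.Type -eq 'Admin')
            } else {
                # Application permission (Role): always requires admin consent
                $match = $sp.AppRoles | Where-Object { $_.Id -eq $access.Id }
                $needsAdmin = $true
            }
            # An id the resource no longer publishes is worth noticing too
            $name = if ($match) { $match.Value } else { "<unknown id $($access.Id)>" }
            [pscustomobject]@{
                Resource     = $sp.DisplayName
                Permission   = $name
                Type         = $access.Type
                AdminConsent = $needsAdmin
                Write        = ($name -like '*Write*')
            }
        }
    }
}

# Review the grant requested by the answer's script before consenting to it
Get-RequestedPermissionReport -appName "SriDemoApp" | Format-Table -AutoSize
```

For the permission set in the answer, the report marks GroupMember.ReadWrite.All as a write permission and the *.Read.All scopes as admin-consent scopes, which is the list to justify before consenting.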