{"id":2824,"date":"2018-04-10T10:47:59","date_gmt":"2018-04-10T09:47:59","guid":{"rendered":"https:\/\/www.lieben.nu\/liebensraum\/?p=2824"},"modified":"2018-04-10T10:47:59","modified_gmt":"2018-04-10T09:47:59","slug":"how-to-grant-oauth2-permissions-to-an-azure-ad-application-using-powershell-unattended-silently","status":"publish","type":"post","link":"https:\/\/lieben.nu\/liebensraum\/2018\/04\/how-to-grant-oauth2-permissions-to-an-azure-ad-application-using-powershell-unattended-silently\/","title":{"rendered":"How to grant OAuth2 permissions to an Azure AD Application using PowerShell unattended \/ silently"},"content":{"rendered":"

You may know this button:\"\"<\/a>There is no native Powershell command to grant OAuth permissions to an Azure AD Application, so I wrote a function for that. Note that this is NOT a supported way to grant permissions to an application because it does not follow the proper admin consent flow that applications normally use.<\/p>\n

The great advantage of my method is that it can be used to grant permissions silently, AND to ‘hidden’ and\/or multi-tenant applications that companies like Microsoft use for backend stuff like the Intune API. (e.g. the ‘Microsoft Intune Powershell’ multi-tenant application).<\/p>\n

The function requires AzureAD and AzureRM modules installed!<\/strong><\/p>\n

\n\nFunction Grant-OAuth2PermissionsToApp{\n    Param(\n        [Parameter(Mandatory=$true)]$Username, #global administrator username\n        [Parameter(Mandatory=$true)]$Password, #global administrator password\n        [Parameter(Mandatory=$true)]$azureAppId #application ID of the azure application you wish to admin-consent to\n    )\n\n    $secpasswd = ConvertTo-SecureString $Password -AsPlainText -Force\n    $mycreds = New-Object System.Management.Automation.PSCredential ($Username, $secpasswd)\n    $res = login-azurermaccount -Credential $mycreds\n    $context = Get-AzureRmContext\n    $tenantId = $context.Tenant.Id\n    $refreshToken = @($context.TokenCache.ReadItems() | Where-Object {$_.tenantId -eq $tenantId -and $_.ExpiresOn -gt (Get-Date)})[0].RefreshToken\n    $body = &amp;amp;amp;quot;grant_type=refresh_token&amp;amp;amp;amp;amp;amp;amp;amp;refresh_token=$($refreshToken)&amp;amp;amp;amp;amp;amp;amp;amp;resource=74658136-14ec-4630-ad9b-26e160ff0fc6&amp;amp;amp;quot;\n    $apiToken = Invoke-RestMethod &amp;amp;amp;quot;https:\/\/login.windows.net\/$tenantId\/oauth2\/token&amp;amp;amp;quot; -Method POST -Body $body -ContentType 'application\/x-www-form-urlencoded'\n    $header = @{\n    'Authorization' = 'Bearer ' + $apiToken.access_token\n    'X-Requested-With'= 'XMLHttpRequest'\n    'x-ms-client-request-id'= [guid]::NewGuid()\n    'x-ms-correlation-id' = [guid]::NewGuid()}\n    $url = &amp;amp;amp;quot;https:\/\/main.iam.ad.ext.azure.com\/api\/RegisteredApplications\/$azureAppId\/Consent?onBehalfOfAll=true&amp;amp;amp;quot;\n    Invoke-RestMethod \u2013Uri $url \u2013Headers $header \u2013Method POST -ErrorAction Stop\n}\n<\/pre><\/pre>\n
GITLAB:\u00a0Grant-OAuth2PermissionsToApp.ps1<\/a><\/p>\n\n\n
Update 2021: <\/strong>improved \/ mfa compatible token function<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
You may know this button:There is no native Powershell command to grant OAuth permissions to an Azure AD Application, so I wrote a function for that. Note that this is NOT a supported way to grant permissions to an application because it does not follow the proper admin consent flow that applications normally use. The … Continue reading How to grant OAuth2 permissions to an Azure AD Application using PowerShell unattended \/ silently<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[4,5,39],"tags":[],"class_list":["post-2824","post","type-post","status-publish","format-standard","hentry","category-automation","category-azure","category-powershell"],"_links":{"self":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts\/2824","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/comments?post=2824"}],"version-history":[{"count":0,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts\/2824\/revisions"}],"wp:attachment":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/media?parent=2824"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/categories?post=2824"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/tags?post=2824"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}