{"id":3701,"date":"2021-09-21T14:08:09","date_gmt":"2021-09-21T13:08:09","guid":{"rendered":"https:\/\/www.lieben.nu\/liebensraum\/?p=3701"},"modified":"2021-09-21T14:08:09","modified_gmt":"2021-09-21T13:08:09","slug":"expanding-microsoft-first-party-application-permissions-in-azuread","status":"publish","type":"post","link":"https:\/\/lieben.nu\/liebensraum\/2021\/09\/expanding-microsoft-first-party-application-permissions-in-azuread\/","title":{"rendered":"Expanding Microsoft First Party Application Permissions in AzureAD"},"content":{"rendered":"\n
\"\"<\/a><\/figure>\n\n\n\n

Connect-AzAccount and my own silent token function<\/a> use the Microsoft built in client ID of “1950a258-227b-4e31-a9cf-717495945fc2”.<\/p>\n\n\n\n

The resulting token has some openID scopes and most backend calls use RBAC, but I wanted to experiment by adding OAuth2 permissions and app roles to it so I can use the context\/cached refresh token to also call other Microsoft API’s.<\/p>\n\n\n\n

I discovered that this can be done by adding the client to your AzureAD as an SPN (Enterprise Application):<\/p>\n\n\n

\n$spn = New-AzureADServicePrincipal -AppId \"1950a258-227b-4e31-a9cf-717495945fc2\" -DisplayName \"Microsoft Azure PowerShell\"\n<\/pre><\/div>\n\n\n
Since this is Microsoft owned app, you’ll actually see that show up in AzureAD:<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Next, we can add the  AuditLog.Read.All permission to the local instance of this app ($spn), this is a Graph permission, so we first need to get the resourceId of graph in our tenant:<\/p>\n\n\n
\n$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter \"appId eq '00000003-0000-0000-c000-000000000000'\"\n<\/pre><\/div>\n\n\n
Then we prepare our post body for the Graph API to add the AuditLog.Read.All permission to Microsoft Azure PowerShell:<\/p>\n\n\n
\n        $patchBody = @{\n            \"clientId\"= $spn.ObjectId\n            \"consentType\"= \"AllPrincipals\"\n            \"principalId\"= $Null\n            \"resourceId\"= $GraphServicePrincipal.ObjectId\n            \"scope\"= \"AuditLog.Read.All\"\n            \"expiryTime\" = \"2022-05-05T09:00:00Z\"\n        }\n<\/pre><\/div>\n\n\n
Then we’ll grab a token for the Graph API:<\/p>\n\n\n
\n$token =  get-azResourceTokenSilentlyWithoutModuleDependencies -userUPN myupn@lieben.nu\n<\/pre><\/div>\n\n\n
And call Graph to add the permission to our local instance of Microsoft Azure PowerShell:<\/p>\n\n\n
\nInvoke-RestMethod -Method POST -body ($patchBody | convertto-json) -Uri \"https:\/\/graph.microsoft.com\/beta\/oauth2PermissionGrants\" -Headers @{\"Authorization\"=\"Bearer $token\"} -ContentType \"application\/json\"\n\n<\/pre><\/div>\n\n\n
Any future tokens you grab for graph.microsoft.com using 1950a258-227b-4e31-a9cf-717495945fc2 as clientId will now contain the AuditLog.Read.All scope as well;<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
You should also be able to add approles<\/a>, but since (hopefully) only Microsoft has the client credentials, they won’t do much.<\/p>\n\n\n\n
Inspired by a question PrzemyslawKlys <\/a>asked me \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"
Connect-AzAccount and my own silent token function use the Microsoft built in client ID of “1950a258-227b-4e31-a9cf-717495945fc2”. The resulting token has some openID scopes and most backend calls use RBAC, but I wanted to experiment by adding OAuth2 permissions and app roles to it so I can use the context\/cached refresh token to also call other … Continue reading Expanding Microsoft First Party Application Permissions in AzureAD<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","footnotes":""},"categories":[7,39],"tags":[],"class_list":["post-3701","post","type-post","status-publish","format-standard","hentry","category-azuread","category-powershell"],"_links":{"self":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts\/3701","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/comments?post=3701"}],"version-history":[{"count":0,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/posts\/3701\/revisions"}],"wp:attachment":[{"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/media?parent=3701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/categories?post=3701"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lieben.nu\/liebensraum\/wp-json\/wp\/v2\/tags?post=3701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}