powershell - Expose api on an app registration using a script - Stack Overflow

admin管理员组

文章数量:1122826

I have now for a couple of days tried to expose an api on an app registration through az cli, however with no success. I have so far ended with the following:

$clientid=$(az ad app create --display-name ${appregname} --query appId --output tsv)

az ad app permission add --id $clientid --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope
    
az ad app update --id $clientid --identifier-uris "api://$clientid"
  
az ad sp create --id $clientid --output tsv

az ad app update --id $clientid --set [email protected]

This is based on many guide and links - to highlight a few I have tried to follow:

• How to create scope using Azure CLI (az ad app)
• How to create scope using Azure CLI (az ad app)

But in all cases and my tries I get errors:

• property not part of schema
• missing option in identifier-URL’s
• Ressource not defined

I cannot seem to get an understanding of why, I want to achieve app registrations as explained here:

After click up and comparing manifests with scripted app services I get two areas not looking the same:

• api
• servicePrincipalLockConfiguration

For this I tried the above mentioned links with no success how do I configure api and servicePrincipalLockConfiguration when Az ad app update —-id <id> —set and Az ad sp update —-id <id> —set fails in the above cases?

Update

It seems like the root cause is that I cannot add the 'Microsoft Azure CLI' to the tenant I have. Despite using name or the id 04b07795-8ddb-461a-bbee-02f9e1bf7b46, I cannot find it in the entra tenant:

FINALLY

with a lot of help it finally worked, being global admin to insert the application with az ad sp create --id 04b07795-8ddb-461a-bbee-02f9e1bf7b46 and Microsoft Azure CLI showed up in the tenant and now everything works!

I have now for a couple of days tried to expose an api on an app registration through az cli, however with no success. I have so far ended with the following:

$clientid=$(az ad app create --display-name ${appregname} --query appId --output tsv)

az ad app permission add --id $clientid --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope
    
az ad app update --id $clientid --identifier-uris "api://$clientid"
  
az ad sp create --id $clientid --output tsv

az ad app update --id $clientid --set [email protected]

This is based on many guide and links - to highlight a few I have tried to follow:

• How to create scope using Azure CLI (az ad app)
• https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application-cli-rest
• How to create scope using Azure CLI (az ad app)

But in all cases and my tries I get errors:

• property not part of schema
• missing option in identifier-URL’s
• Ressource not defined

I cannot seem to get an understanding of why, I want to achieve app registrations as explained here: https://intility.github.io/fastapi-azure-auth/single-tenant/azure_setup

After click up and comparing manifests with scripted app services I get two areas not looking the same:

• api
• servicePrincipalLockConfiguration

For this I tried the above mentioned links with no success how do I configure api and servicePrincipalLockConfiguration when Az ad app update —-id <id> —set and Az ad sp update —-id <id> —set fails in the above cases?

Update

It seems like the root cause is that I cannot add the 'Microsoft Azure CLI' to the tenant I have. Despite using name or the id 04b07795-8ddb-461a-bbee-02f9e1bf7b46, I cannot find it in the entra tenant:

FINALLY

with a lot of help it finally worked, being global admin to insert the application with az ad sp create --id 04b07795-8ddb-461a-bbee-02f9e1bf7b46 and Microsoft Azure CLI showed up in the tenant and now everything works!

• powershell
• azure-cli
• microsoft-entra-id
• azure-entra-id
• azure-application-registration

Share Improve this question Follow edited 13 hours ago JTIM asked Jan 1 at 0:28 JTIMJTIM 2,77122 gold badges3636 silver badges7878 bronze badges 16

• You can try to use the MSGraph api for this. Basically, app regs aren't created in Azure but in Entra. Although MS added support for appregs in the AZ commands and in Bicep you might still encounter problems like these (where it's extremely hard to do some basic things). – bluuf Commented Jan 1 at 11:55
• @bluuf make sense, I just thought those few commands should be simple. Would you go with az rest or moving completely to bicep? – JTIM Commented Jan 1 at 13:23
• An incidental aside: Note that you don't need $(...) in PowerShell in order to capture command output in a variable; e.g. $userEnv = reg.exe query HKEY_CURRENT_USER\Environment will do. Similarly, (...) rather than $(...) is enough to pass command output as an argument or to use it in an expression; e.g. Split-Path -Leaf (whoami.exe), (whoami.exe) -split '\\' – mklement0 Commented Jan 1 at 15:39
• @Rukmini global admin did the same with same error as me - is it just vanilla entra or have you configured something special? So global admin az login does not work, I.e. token does not have enough permissions. Do you have any idea? – JTIM Commented Jan 4 at 16:42
• 1 Restart and az login running the command and it is there - OMG THANK YOU @Rukmini – JTIM Commented 13 hours ago

 |  Show 11 more comments

1 Answer 1

Sorted by: Reset to default 1 +50

Note that: The "Expose an API" permissions are located in api.oauth2PermissionScopes as an array. And az ad app update does not include the oauth2permissions. Refer this SO Thread by A2AdminGuy.

Hence to create the scope and expose an API make use of below script:

# Step 1: Create an app registration
$appregname = "RukCliApp"
$clientid = $(az ad app create --display-name $appregname --query appId --output tsv)

# Step 2: Add API Permissions (Example: Microsoft Graph API)
az ad app permission add --id $clientid --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope 

# Step 3: Add the Identifier URI (for API exposure)
az ad app update --id $clientid --identifier-uris "api://$clientid"

# Step 4: Create the service principal for the app registration
az ad sp create --id $clientid --output tsv

# Step 5: Generate a new GUID for your API scope (OAuth2 Permission)
$scopeGUID = [guid]::NewGuid()

# Step 6: Define the permission scope (OAuth2 Permission)
$permission = @{
    adminConsentDescription = "Allow the app to access API endpoints"
    adminConsentDisplayName = "web_api"
    id = "$scopeGUID"
    isEnabled = $true
    type = "Admin"
    userConsentDescription = "null"
    userConsentDisplayName = "null"
    value = "web_api"
}

# Step 7: Retrieve the app's object ID using Azure CLI
$AppObjId = (az ad app show --id $clientid | ConvertFrom-Json).objectId

# Step 8: Get the access token for Microsoft Graph API using Azure CLI
$accesstoken = (az account get-access-token --resource "https://graph.microsoft.com/" --query "accessToken" -o tsv)

# Step 9: Prepare the headers for the PATCH request to Microsoft Graph
$header = @{
    'Content-Type' = 'application/json'
    'Authorization' = 'Bearer ' + $accesstoken
}

# Step 10: Prepare the request body with the new OAuth2 permission scope
$bodyaccess = @{
    'api' = @{
        'oauth2PermissionScopes' = @($permission)
    }
} | ConvertTo-Json -Depth 3

# Step 11: Send the PATCH request to update the app registration with the new permission
Invoke-RestMethod -Method Patch -Headers $header -Uri "https://graph.microsoft.com/v1.0/applications/$AppObjId" -Body $bodyaccess

# Step 12: Verify the update by checking the OAuth2 permissions
az ad app show --id $clientid --query "oauth2Permissions"

Application created with Application ID URI and scope:

Note: The az ad app create command in its current form adds a user_impersonation scope to expose the application as an API. Hence to remove the default value you need to remove Api permissions and disable default exposed scope first. Refer this MsDoc

default_scope=$(az ad app show --id $clientid | jq '.oauth2Permissions[0].isEnabled = false' | jq -r '.oauth2Permissions')
az ad app update --id $clientid --set oauth2Permissions="$default_scope"
az ad app update --id $clientid --set oauth2Permissions="[]"

As suggested by @bluuf, you can try using Microsoft Graph PowerShell as applications are created in Entra and it's easy to perform actions.

Connect-MgGraph -Scopes "Application.ReadWrite.All"

# 1. Create the application
$appregname = "NewCliRukApp"
$app = New-MgApplication -DisplayName $appregname
$clientid = $app.AppId

# 2. Add the Directory.Read.All API permission
$params = @{
    requiredResourceAccess = @(
        @{
            resourceAppId = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph API Resource App ID
            resourceAccess = @(
                @{
                    id = "d1a8eac6-2f51-4e0a-961f-1e602db39b89"  # Directory.Read.All Scope ID
                    type = "Scope"  # Scope Permission
                }
            )
        }
    )
}

# 3. Update the application with the permissions
Update-MgApplication -ApplicationId $app.Id -BodyParameter $params

# 4. Create service principal
$servicePrincipal = New-MgServicePrincipal -AppId $clientid

# 5. Update identifierUris (example)
$identifierUrisParams = @{
    IdentifierUris = @("api://$clientid")  # Example Identifier URI for the app
}
Update-MgApplication -ApplicationId $app.Id -BodyParameter $identifierUrisParams

# 6. Set OAuth2 Permission Scopes 
$oauth2PermissionScopes = @(
    @{
        AdminConsentDescription = "Allow the application to access api to users"
        AdminConsentDisplayName = "test.read"
        Type = "Admin"
        Value = "test.read"
        Id = [guid]::NewGuid()  # Generate a new GUID for the permission scope
    }
)

$api = @{
    Oauth2PermissionScopes = $oauth2PermissionScopes
}
Update-MgApplication -ApplicationId $app.Id -Api $api

Application created with Application ID URI and with custom scope:

本文标签： powershellExpose api on an app registration using a scriptStack Overflow