In this Blog Post, I am trying to explain how to use PowerShell and the MS Graph API to create and delete Azure App Registrations. As you may know, I like automation, and I often do this with Azure. For this, you need an Azure App Registration to authenticate, so why not automate the Azure App Registration creation and life cycle process?
That is the reason for this Blog Post Series with 4 Parts:
- Part 1: Create and delete Azure App Regs – LINK
- Part 2: Control Secrets in Azure App Reg – LINK
- Part 3: Add and Remove Permission in Azure App Reg – LINK
- Part 4: Self-Service Azure App Registration with au2mator – TBP
So, we need an Azure App Registration with the appropriate Permissions for everything we would like to do here. I will not explain how to create an App Reg and set Permissions. You can check my Blog Series about that here: Use Microsoft Graph API with PowerShell – Part 1 – TechGuy
Prerequisites
So, let’s create an Azure App Reg with the following Details. You can change the Name in your Environment. In this Series, I will refer to the following Details.
- Name: PROD: APP Reg Management
- Secret: created
- Permissions: MS GRAPH API – Application
- Application.ReadWrite.OwnedBy
- Application.ReadWrite.All
With the created App Registration in Azure, we can go through the Script.
The Script – Create an Azure App Registration
We will walk through the Script and explain a little. Finally, there is a link to my GitHub Repo with the Full Script.
Details and Parameters. At the beginning of the Script, we set the Azure App Reg Details and the Authentication Details.
# Reference: https://docs.microsoft.com/en-us/graph/api/application-post-applications?view=graph-rest-1.0&tabs=http
#Application Permission:
#- Application.ReadWrite.OwnedBy
#- Application.ReadWrite.All
#Graph API Details
$MSGRAPHAPI_clientID = 'your Client ID'
$MSGRAPHAPI_tenantId = 'your Tenant ID'
$MSGRAPHAPI_Clientsecret = 'your Secret'
$MSGRAPHAPI_BaseURL = "https://graph.microsoft.com/v1.0"
#Enter Azure App Details
$AzureAppName = "TestApp1"
$AzureAppAccountType = "AzureADMyOrg" #https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-app-manifest#signinaudience-attribute
The following Part is the Azure authentication and building the Auth Header.
#Auth MS Graph API and Get Header
$MSGRAPHAPI_tokenBody = @{
Grant_Type = "client_credentials"
Scope = "https://graph.microsoft.com/.default"
Client_Id = $MSGRAPHAPI_clientID
Client_Secret = $MSGRAPHAPI_Clientsecret
}
$MSGRAPHAPI_tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$MSGRAPHAPI_tenantId/oauth2/v2.0/token" -Method POST -Body $MSGRAPHAPI_tokenBody
$MSGRAPHAPI_headers = @{
"Authorization" = "Bearer $($MSGRAPHAPI_tokenResponse.access_token)"
"Content-type" = "application/json"
}
In the last part, we build our Body in JSON format, send a POST request, and get the “Client ID” (the appId property of the response) as the result.
#Create Azure App Reg
$CreateAzureAppReg_Body = @"
{
"displayName":"$AzureAppName",
"signInAudience": "$AzureAppAccountType",
"web": {
"redirectUris": [],
"homePageUrl": null,
"logoutUrl": null,
"implicitGrantSettings": {
"enableIdTokenIssuance": false,
"enableAccessTokenIssuance": false
}
}
}
"@
$CreateAzureAppReg_Params = @{
Method = "POST"
Uri = "$MSGRAPHAPI_BaseURL/applications"
Headers = $MSGRAPHAPI_headers
Body = $CreateAzureAppReg_Body
}
$Result = Invoke-RestMethod @CreateAzureAppReg_Params
$Result.appId #ClientID (the object ID of the App Reg is in $Result.id)
The Script – Delete an Azure App Registration
So, as we have created an Azure App Registration, we now want to delete it again to clean up.
We start at the beginning again, where we configure the Authentication Details and the App Name.
#Graph API Details
$MSGRAPHAPI_clientID = 'your Client ID'
$MSGRAPHAPI_tenantId = 'your Tenant ID'
$MSGRAPHAPI_Clientsecret = 'your Secret'
$MSGRAPHAPI_BaseURL = "https://graph.microsoft.com/v1.0"
#Enter Azure App Details
$AzureAppName = "TestApp1"
Next, we do the Authentication; that’s always the same.
#Auth MS Graph API and Get Header
$MSGRAPHAPI_tokenBody = @{
Grant_Type = "client_credentials"
Scope = "https://graph.microsoft.com/.default"
Client_Id = $MSGRAPHAPI_clientID
Client_Secret = $MSGRAPHAPI_Clientsecret
}
$MSGRAPHAPI_tokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$MSGRAPHAPI_tenantId/oauth2/v2.0/token" -Method POST -Body $MSGRAPHAPI_tokenBody
$MSGRAPHAPI_headers = @{
"Authorization" = "Bearer $($MSGRAPHAPI_tokenResponse.access_token)"
"Content-type" = "application/json"
}
Now the exciting part. With the App Name, we need to look up the object ID of the App Registration (the id property, not the appId) before we can delete the App.
#Find the App Registration by display name
$FindAzureAppReg_Params = @{
Method = "GET"
Uri = "$MSGRAPHAPI_BaseURL/applications?`$filter=displayName eq '$AzureAppName'"
Headers = $MSGRAPHAPI_headers
}
#Store the lookup result in the Variable; the object ID is in $Result.value.id
$Result = Invoke-RestMethod @FindAzureAppReg_Params
#Delete Azure App Reg by its object ID
$DeleteAzureAppReg_Params = @{
Method = "DELETE"
Uri = "$MSGRAPHAPI_BaseURL/applications/$($Result.value.id)"
Headers = $MSGRAPHAPI_headers
}
$Result = Invoke-RestMethod @DeleteAzureAppReg_Params
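As an added example (my own functions, not part of the original script or the GitHub repo), the following wraps both the create step and the delete step above with the checks an unattended automation needs: the OData filter doubles single quotes in the name, creation is skipped when a registration with that displayName already exists (displayName is not unique), and deletion refuses to run when the name matches zero or several registrations. It assumes the $MSGRAPHAPI_headers hashtable built by the auth step; the function names are assumptions of mine.

```powershell
function Find-AppRegByName {
    param([hashtable]$Headers, [string]$Name, [string]$BaseUrl = 'https://graph.microsoft.com/v1.0')
    # A single quote inside the name would terminate the OData string, so double it
    $escaped = $Name -replace "'", "''"
    $uri = "$BaseUrl/applications?`$filter=displayName eq '$escaped'&`$select=id,appId,displayName"
    $resp = Invoke-RestMethod -Method GET -Uri $uri -Headers $Headers
    # Always return an array, even for 0 or 1 results, so .Count is reliable
    return @($resp.value)
}

function New-AppRegIfMissing {
    param([hashtable]$Headers, [string]$Name, [string]$SignInAudience = 'AzureADMyOrg',
          [string]$BaseUrl = 'https://graph.microsoft.com/v1.0')
    # displayName is not unique, so re-running the plain POST would create a duplicate App Reg
    $existing = Find-AppRegByName -Headers $Headers -Name $Name -BaseUrl $BaseUrl
    if ($existing.Count -gt 0) {
        Write-Warning "App registration '$Name' already exists (object id $($existing[0].id)); reusing it"
        return $existing[0]
    }
    # Let ConvertTo-Json do the quoting instead of interpolating the name into a here-string
    $body = @{ displayName = $Name; signInAudience = $SignInAudience } | ConvertTo-Json
    $app = Invoke-RestMethod -Method POST -Uri "$BaseUrl/applications" -Headers $Headers -Body $body
    # id = object ID (used for later Graph calls), appId = Client ID (used by the app to sign in)
    return $app
}

function Remove-AppRegByName {
    [CmdletBinding(SupportsShouldProcess)]
    param([hashtable]$Headers, [string]$Name, [string]$BaseUrl = 'https://graph.microsoft.com/v1.0')
    $found = Find-AppRegByName -Headers $Headers -Name $Name -BaseUrl $BaseUrl
    if ($found.Count -eq 0) { throw "No app registration named '$Name' found; nothing deleted" }
    if ($found.Count -gt 1) {
        throw "displayName '$Name' matches $($found.Count) app registrations; delete by object id instead"
    }
    $app = $found[0]
    # -WhatIf shows exactly which object would be deleted before anything happens
    if ($PSCmdlet.ShouldProcess("$($app.displayName) (id $($app.id), appId $($app.appId))", 'DELETE app registration')) {
        Invoke-RestMethod -Method DELETE -Uri "$BaseUrl/applications/$($app.id)" -Headers $Headers | Out-Null
        # The application is soft-deleted and can be restored from /directory/deletedItems for 30 days
    }
}

# Usage with the variables from the script above:
# $app = New-AppRegIfMissing -Headers $MSGRAPHAPI_headers -Name $AzureAppName
# Remove-AppRegByName -Headers $MSGRAPHAPI_headers -Name $AzureAppName -WhatIf
```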
Summary
So we can now create and delete an Azure App Registration with PowerShell and the MS Graph API. Next will be adding or removing Secrets and adding or removing Permissions. See the next Posts at the top of the page.
GitHub
See the Script in GitHub: https://github.com/Seidlm/Microsoft-Azure
– Delete Azure App Registration.ps1
– Create Azure App Registration.ps1
Michael Seidl aka Techugy
au2mate everything