@BipulRaman
Last active July 22, 2021 13:33
Modern Authentication with Azure AD App

Important Links

Register Multitenant App

  1. Replace the placeholders {TENANT_ID} (tenant ID or verified domain of the tenant that is granting consent) and {APPLICATION_ID} (the Application (client) ID of the app registration, not its object ID) with actual values.
  2. Open the URL in a browser, signed in as a user who can grant tenant-wide admin consent in that tenant (for example a Global Administrator). URL : https://login.microsoftonline.com/{TENANT_ID}/adminconsent?client_id={APPLICATION_ID}
  3. Review the listed permissions and grant the admin consent. This consents on behalf of every user in the tenant (the resulting grants have consentType AllPrincipals), so grant only what the app actually needs.

Delete permissions using PowerShell

Note: the AzureAD module used below is deprecated in favour of the Microsoft Graph PowerShell SDK; the script still runs where the module is installed, but new automation should target Microsoft Graph. $spObjectId is the object ID of the service principal (the Enterprise application), not the object ID of the app registration.

Connect-AzureAD
$spObjectId = "ac23bbc6-188e-4a90-875d-4dfa7ca7f689"

# Get the service principal by its object ID
$sp = Get-AzureADServicePrincipal -ObjectId $spObjectId

# Get all delegated permission grants where this service principal is the client.
# This covers admin consent (consentType AllPrincipals) and per-user consent (consentType Principal).
$spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true | Where-Object { $_.ClientId -eq $sp.ObjectId }

# Remove all delegated permission grants (one grant per client / resource / principal combination)
$spOAuth2PermissionsGrants | ForEach-Object {
    Remove-AzureADOAuth2PermissionGrant -ObjectId $_.ObjectId
}

# Get all application permissions (app role assignments) held by the service principal.
# As used here, Get-AzureADServiceAppRoleAssignedTo returns the app roles this principal
# has been granted on other resources, which is why PrincipalId is the service principal itself.
$spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }

# Remove all application permissions
$spApplicationPermissions | ForEach-Object {
    Remove-AzureADServiceAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.ObjectId
}

Trim / Modify Delegated Permissions using Graph API

  1. Get all Delegated Permissions : Make a GET request in Graph Explorer to the endpoint below, where {OBJECT_ID} is the object ID of the client service principal. It returns the grants in which that service principal is the client. https://graph.microsoft.com/beta/servicePrincipals/{OBJECT_ID}/oauth2PermissionGrants (the same path also exists on v1.0)

  2. Save the returned JSON for reference. Example -

    {
        "clientId": "29575e06-7251-4ab4a-6232d342c25a",
        "consentType": "AllPrincipals",
        "expiryTime": "2021-11-22T03:59:48.2996865Z",
        "id": "Bl5XKVFyN02rSmIy00LCWOgWqROsP9pim_Rw_g",
        "principalId": null,
        "resourceId": "a3e61042-5aa0-b0ff-698a6fd1c3f8",
        "scope": "Directory.AccessAsUser.All",
        "startTime": "0001-01-01T00:00:00Z"
    },
  3. Make a note of the id of the grant you want to change. There is one grant per client / resource / principal combination, so its scope string holds every delegated permission the client has on that resource for that principal. A principalId of null together with consentType AllPrincipals means tenant-wide admin consent.

  4. Use Graph Explorer to make a PATCH request to the endpoint below with the request body format shown. https://graph.microsoft.com/beta/oauth2PermissionGrants/{id} (also available on v1.0)

    Request Body : 
    {
        "scope": "Group.ReadWrite.All Directory.AccessAsUser.All"
    }

    The scope value replaces the whole space-separated list: any permission left out is revoked, and any permission added is granted immediately with no further consent prompt for an AllPrincipals grant. Build the new value from the JSON saved in step 2 rather than typing it from memory, and to remove every delegated permission on that resource delete the grant (DELETE on the same endpoint) instead of patching the scope.
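The same trimming, and the full revocation from the PowerShell section above, done with the Microsoft Graph PowerShell SDK instead of Graph Explorer or the deprecated AzureAD module. This is an added example, not code from the gist: the function names, the placeholder object ID and the scope names passed to it are assumptions; the Get-MgOauth2PermissionGrant, Update-MgOauth2PermissionGrant, Remove-MgOauth2PermissionGrant, Get-MgServicePrincipalAppRoleAssignment and Remove-MgServicePrincipalAppRoleAssignment cmdlets are the SDK's own. Because the function supports ShouldProcess, run it with -WhatIf first to see exactly which grants would be patched or deleted.

```powershell
# Added example (not part of the original gist). Requires the Microsoft.Graph.Applications
# and Microsoft.Graph.Identity.SignIns modules and a session opened with, for example:
#   Connect-MgGraph -Scopes 'DelegatedPermissionGrant.ReadWrite.All','AppRoleAssignment.ReadWrite.All'
# (Directory.Read.All is enough for a -WhatIf dry run.)

# Pure string helper: drop the named scopes from a grant's space-separated scope list.
# Grants often carry leading/trailing spaces, so the result is also a normalised form of the input.
function Remove-DelegatedScope {
    param(
        [Parameter(Mandatory)][string]$CurrentScope,
        [string[]]$ScopesToRemove = @()
    )
    $keep = $CurrentScope -split '\s+' | Where-Object { $_ -and ($_ -notin $ScopesToRemove) }
    return (@($keep) -join ' ')
}

# Trim named delegated scopes from every grant held by a client service principal,
# or revoke everything (delegated grants and application permissions) with -RevokeAll.
function Set-ClientPrincipalScopes {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][guid]$ServicePrincipalId,   # object ID of the client service principal
        [string[]]$RemoveScopes = @(),
        [switch]$RevokeAll
    )

    # Delegated grants where this SP is the client, across all resources and both consent types.
    # $ServicePrincipalId is typed as [guid], so it cannot smuggle OData into the filter.
    $grants = Get-MgOauth2PermissionGrant -All -Filter "clientId eq '$ServicePrincipalId'"

    foreach ($g in $grants) {
        $current = Remove-DelegatedScope -CurrentScope $g.Scope
        $target  = if ($RevokeAll) { '' } else { Remove-DelegatedScope -CurrentScope $g.Scope -ScopesToRemove $RemoveScopes }
        if ($target -eq $current) { continue }   # nothing to change on this grant

        $label = "grant $($g.Id) (resource $($g.ResourceId), $($g.ConsentType), scope '$current')"
        if ([string]::IsNullOrWhiteSpace($target)) {
            # Nothing would be left: delete the grant rather than leaving one with an empty scope.
            if ($PSCmdlet.ShouldProcess($label, 'Delete')) {
                Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
            }
        }
        else {
            # PATCH replaces the whole scope list, so send the computed remainder, not a partial string.
            if ($PSCmdlet.ShouldProcess("$label -> '$target'", 'Update scope')) {
                Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id -Scope $target
            }
        }
    }

    if ($RevokeAll) {
        # Application permissions are app role assignments held by this SP as the principal.
        $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId -All
        foreach ($a in $assignments) {
            if ($PSCmdlet.ShouldProcess("app role $($a.AppRoleId) on $($a.ResourceDisplayName)", 'Remove')) {
                Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId -AppRoleAssignmentId $a.Id
            }
        }
    }
}

# Usage (placeholder object ID): preview, then apply.
$spObjectId = 'ac23bbc6-188e-4a90-875d-4dfa7ca7f689'
Set-ClientPrincipalScopes -ServicePrincipalId $spObjectId -RemoveScopes 'Directory.AccessAsUser.All' -WhatIf
# Set-ClientPrincipalScopes -ServicePrincipalId $spObjectId -RemoveScopes 'Directory.AccessAsUser.All'
# Set-ClientPrincipalScopes -ServicePrincipalId $spObjectId -RevokeAll -Confirm
```

The helper computes the new scope from the grant's current value, so a typo cannot silently grant an extra permission the way a hand-typed PATCH body can, and a grant whose last scope is removed is deleted rather than patched down to nothing.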