Create full D365FO CHE Entra integration
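<#
.SYNOPSIS
    Adds additional redirect URLs to an existing Entra ID (Azure AD) application registration.
.DESCRIPTION
    Reads the application's current web redirect URIs, appends the given URLs and writes the
    merged, de-duplicated list back, so redirect URIs that are already registered are preserved.
.PARAMETER AppObjectId
    The object ID (not the application/client ID) of the application registration.
.PARAMETER RedirectURLs
    One or more redirect URLs to add.
.NOTES
    Requires the Microsoft.Graph.Authentication and Microsoft.Graph.Applications modules.
    You need to have the Azure Active Directory Role "Application Administrator" or "Application Developer".
    Based on https://blog.icewolf.ch/archive/2022/12/02/create-azure-ad-app-registration-with-microsoft-graph-powershell
    original gist: https://gist.github.com/FH-Inway/d55993312d1bb1aa2d63adfeed9946f3
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true, HelpMessage = "The object ID of the Azure Application.")]
    [String]
    $AppObjectId,
    [Parameter(Mandatory = $true, HelpMessage = "The redirect URLs to add to the Azure Application.")]
    [String[]]
    $RedirectURLs
)
# Install the PowerShell module "Microsoft.Graph" if it is not already installed.
# Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser -Force
# Install-Module -Name Microsoft.Graph.Applications -Scope CurrentUser -Force
# Least privilege: updating a registration only needs Application.ReadWrite.All (which implies
# Application.Read.All); User.Read.All is not used by this script, so it is not requested.
Connect-MgGraph -Scopes "Application.ReadWrite.All"
$Application = Get-MgApplication -ApplicationId $AppObjectId
if (-not $Application) {
    throw "Application with object ID '$AppObjectId' was not found."
}
# @() on both sides keeps the result an array even when the app has no redirect URIs yet;
# empty entries are dropped and duplicates removed so the same URI is never submitted twice.
$MergedRedirectURLs = @(
    @($Application.Web.RedirectUris) + @($RedirectURLs) |
        Where-Object { $_ } |
        Select-Object -Unique
)
Update-MgApplication -ApplicationId $AppObjectId -Web @{ RedirectUris = $MergedRedirectURLs } -Verbose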
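<#
.SYNOPSIS
    Creates the Entra ID (Azure AD) application registration for the D365FO cloud-hosted
    environment (CHE) Entra integration.
.DESCRIPTION
    To execute the steps, the id of an Azure application must be provided. The application must have the following API permissions:
    - Dynamics ERP - This permission is required to access finance and operations environments.
    - Microsoft Graph (User.Read.All and Group.Read.All permissions of the Application type).
    - Dynamics Lifecycle Services (permission of type Delegated)
    This script creates such an application, opens its admin consent page in the browser and
    prints the application (client) ID and the object ID needed by the following steps.
.PARAMETER ApplicationName
    Display name of the application registration. Defaults to "D365FO-CHE-Entra-Integration".
.PARAMETER RedirectURLs
    One or more web redirect URLs of the application.
.NOTES
    Requires the Microsoft.Graph.Authentication and Microsoft.Graph.Applications modules.
    You need to have the Azure Active Directory Role "Application Administrator" or "Application Developer".
    Based on https://blog.icewolf.ch/archive/2022/12/02/create-azure-ad-app-registration-with-microsoft-graph-powershell
    original gist: https://gist.github.com/FH-Inway/d55993312d1bb1aa2d63adfeed9946f3
#>
[CmdletBinding()]
param (
    # A mandatory parameter never uses its default value (PowerShell prompts for it instead),
    # so the parameter is optional to let the default take effect.
    [Parameter(HelpMessage = "The name of the Azure Application.")]
    [String]
    $ApplicationName = "D365FO-CHE-Entra-Integration",
    # [String[]] keeps a list of URLs as a list; with [String] the list would be joined
    # into one space-separated string and registered as a single bogus redirect URI.
    [Parameter(Mandatory = $true, HelpMessage = "The redirect URLs to add to the Azure Application.")]
    [String[]]
    $RedirectURLs
)
# Install the PowerShell module "Microsoft.Graph" if it is not already installed.
# Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser -Force
# Install-Module -Name Microsoft.Graph.Applications -Scope CurrentUser -Force
# Least privilege: creating a registration only needs Application.ReadWrite.All (which implies
# Application.Read.All); User.Read.All is not used by this script, so it is not requested.
Connect-MgGraph -Scopes "Application.ReadWrite.All"
$Description = "https://learn.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/dev-tools/secure-developer-vm#external-integrations"
# API permissions. "Scope" is a delegated permission (the app acts on behalf of the signed-in
# user); "Role" is an application permission (the app acts as itself and always needs admin consent).
$DelegatedType = "Scope"
$ApplicationType = "Role"
## Dynamics ERP
$AXFullAccess = @{
    Id   = "6397893c-2260-496b-a41d-2f1f15b16ff3"
    Type = $DelegatedType
}
$ConnectorFullAccess = @{
    Id   = "add75854-3691-457b-84bc-76bc249f1b6f"
    Type = $ApplicationType
}
$CustomServiceFullAccess = @{
    Id   = "ad8b4a5c-eecd-431a-a46f-33c060012ae1"
    Type = $DelegatedType
}
$OdataFullAccess = @{
    Id   = "a849e696-ce45-464a-81de-e5c5b45519c1"
    Type = $DelegatedType
}
$DynamicsERP = @{
    ResourceAppId  = "00000015-0000-0000-c000-000000000000"
    ResourceAccess = @($AXFullAccess, $ConnectorFullAccess, $CustomServiceFullAccess, $OdataFullAccess)
}
## Microsoft Graph
# These are application permissions: once consented, the app can read every user and group in
# the tenant without a signed-in user. Review them against what the integration really needs.
$UserReadAll = @{
    Id   = "5b567255-7703-4780-807c-7be8301ae99b"
    Type = $ApplicationType
}
$GroupReadAll = @{
    Id   = "df021288-bdef-4463-88db-98f22de89214"
    Type = $ApplicationType
}
$MicrosoftGraph = @{
    ResourceAppId  = "00000003-0000-0000-c000-000000000000"
    ResourceAccess = @($UserReadAll, $GroupReadAll)
}
## Dynamics Lifecycle Services
$UserImpersonation = @{
    Id   = "a8737248-d2c2-4a7c-9759-3dfaad5c2f19"
    Type = $DelegatedType
}
$DynamicsLifecycle = @{
    ResourceAppId  = "913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0"
    ResourceAccess = @($UserImpersonation)
}
$RequiredResourceAccessList = @($DynamicsERP, $MicrosoftGraph, $DynamicsLifecycle)
$params = @{
    DisplayName            = $ApplicationName
    Description            = $Description
    RequiredResourceAccess = $RequiredResourceAccessList
    Web                    = @{
        RedirectUris = $RedirectURLs
    }
}
$app = New-MgApplication @params -Verbose
if (-not $app) {
    throw "Creating application '$ApplicationName' failed."
}
# Presumably gives the directory time to replicate the new registration before the consent
# endpoint is asked about it — TODO confirm whether this delay is still needed.
Start-Sleep -Seconds 5
# Tenant segment of the consent URL: fall back to the signed-in tenant when the new app
# has no publisher domain yet.
$Tenant = $app.PublisherDomain
if ([string]::IsNullOrEmpty($Tenant)) {
    $Tenant = (Get-MgContext).TenantId
}
$AdminConsentURL = "https://login.microsoftonline.com/$Tenant/adminconsent?client_id=$($app.AppId)"
# Opens the admin consent page in the default browser; a Global/Privileged Role Administrator
# must grant consent there before the application permissions above become effective.
Start-Process $AdminConsentURL
Write-Output "Azure application $ApplicationName was created. Use the following AppId to configure the integration: $($app.AppId)"
Write-Output "Use the application object id $($app.Id) to upload the certificate."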
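# Creates an Entra integration with all steps scripted.
# 1. Creates an Azure AD application registration.
# 2. Runs the New-D365EntraIntegration cmdlet which creates the certificate
# 3. Uploads the certificate to the Azure AD application registration
# 4. (Optionally or later) Add additional redirect URLs to the Azure AD application registration
# Run this from the folder containing New-AzureAppRegistration.ps1, Upload-Certificate.ps1 and
# New-AzureAppRedirectURLs.ps1. The IDs are entered interactively because the registration
# script prints them to the console rather than returning them.
# original gist: https://gist.github.com/FH-Inway/d55993312d1bb1aa2d63adfeed9946f3

# Validates that an interactively entered ID is a GUID so a typo is caught before the
# certificate is generated or an update is attempted against the wrong object.
function Assert-Guid {
    param (
        [String] $Value,
        [String] $Name
    )
    $parsed = [guid]::Empty
    if (-not [guid]::TryParse($Value, [ref] $parsed)) {
        throw "$Name '$Value' is not a valid GUID."
    }
}

$RedirectURLs = @(
    "https://login.microsoftonline.com/common/oauth2/nativeclient",
    # Add the following two URLs for each environment where Entra integration is to be added.
    "https://my-che-env0123456devaos.axcloud.dynamics.com",
    "https://my-che-env0123456devaos.axcloud.dynamics.com/oauth"
)
.\New-AzureAppRegistration.ps1 -ApplicationName "D365FO-CHE-Entra-Integration" -RedirectURLs $RedirectURLs
$ApplicationId = Read-Host -Prompt "Enter the Application ID of the Azure Application"
Assert-Guid -Value $ApplicationId -Name "Application ID"
# Read as SecureString so the password is not kept as plain text in the session or history.
$securePassword = Read-Host -AsSecureString -Prompt "Enter the certificate password"
New-D365EntraIntegration -ClientId $ApplicationId -CertificatePassword $securePassword
# Location where New-D365EntraIntegration is expected to write the public certificate —
# TODO confirm against the cmdlet's output if it changes its defaults.
$CertificatePath = "$env:USERPROFILE\Desktop\CHEAuth.cer"
if (-not (Test-Path -LiteralPath $CertificatePath -PathType Leaf)) {
    throw "Certificate file '$CertificatePath' was not found; check where New-D365EntraIntegration wrote it."
}
$AppObjectId = Read-Host -Prompt "Enter the object ID of the Azure Application"
Assert-Guid -Value $AppObjectId -Name "Object ID"
.\Upload-Certificate.ps1 -AppObjectId $AppObjectId -CertificatePath $CertificatePath
$AdditionalRedirectURLs = @(
    "https://my-2nd-che-env0223456devaos.axcloud.dynamics.com",
    "https://my-2nd-che-env0223456devaos.axcloud.dynamics.com/oauth"
)
.\New-AzureAppRedirectURLs.ps1 -AppObjectId $AppObjectId -RedirectURLs $AdditionalRedirectURLs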
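<#
.SYNOPSIS
    Uploads a certificate to an Entra ID (Azure AD) application registration.
.DESCRIPTION
    Reads the certificate file and registers its DER-encoded public certificate as a key
    credential of type AsymmetricX509Cert / usage Verify on the application. Only the public
    certificate bytes (RawData) are sent; no private key leaves the machine.
    CAUTION: Update-MgApplication -KeyCredentials replaces the application's entire key
    credential collection, so any certificate uploaded earlier is removed. A warning is
    written when existing key credentials are about to be replaced.
.PARAMETER AppObjectId
    The object ID (not the application/client ID) of the application registration.
.PARAMETER CertificatePath
    Path to the certificate file (for example the .cer produced by New-D365EntraIntegration).
.NOTES
    Requires the Microsoft.Graph.Authentication and Microsoft.Graph.Applications modules.
    You need to have the Azure Active Directory Role "Application Administrator" or "Application Developer".
    Based on https://blog.icewolf.ch/archive/2022/12/02/create-azure-ad-app-registration-with-microsoft-graph-powershell
    original gist: https://gist.github.com/FH-Inway/d55993312d1bb1aa2d63adfeed9946f3
#>
[CmdletBinding()]
param (
    [Parameter(Mandatory = $true, HelpMessage = "The object ID of the Azure Application.")]
    [String]
    $AppObjectId,
    [Parameter(Mandatory = $true, HelpMessage = "The path to the certificate file.")]
    [String]
    $CertificatePath
)
# Install the PowerShell module "Microsoft.Graph" if it is not already installed.
# Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser -Force
# Install-Module -Name Microsoft.Graph.Applications -Scope CurrentUser -Force
if (-not (Test-Path -LiteralPath $CertificatePath -PathType Leaf)) {
    throw "Certificate file '$CertificatePath' was not found."
}
# Least privilege: updating a registration only needs Application.ReadWrite.All (which implies
# Application.Read.All); User.Read.All is not used by this script, so it is not requested.
Connect-MgGraph -Scopes "Application.ReadWrite.All"
$Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertificatePath)
try {
    # An expired certificate would be accepted by Graph but never validate a token; fail early.
    if ($Certificate.NotAfter -lt (Get-Date)) {
        throw "Certificate '$($Certificate.Subject)' expired on $($Certificate.NotAfter)."
    }
    $Existing = (Get-MgApplication -ApplicationId $AppObjectId).KeyCredentials
    if ($Existing) {
        Write-Warning "Application $AppObjectId already has $(@($Existing).Count) key credential(s); this upload replaces them."
    }
    $KeyCredentials = @(
        @{
            Type        = "AsymmetricX509Cert"
            Usage       = "Verify"
            # RawData is the DER-encoded certificate, which never contains the private key.
            Key         = $Certificate.RawData
            DisplayName = $Certificate.Subject
        }
    )
    Update-MgApplication -ApplicationId $AppObjectId -KeyCredentials $KeyCredentials -Verbose
}
finally {
    # Release the native certificate handle.
    $Certificate.Dispose()
}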