|
<# |
|
To execute the steps, the id of an Azure application must be provided. The application must have the following API permissions: |
|
|
|
- Dynamics ERP - This permission is required to access finance and operations environments. |
|
- Microsoft Graph (User.Read.All and Group.Read.All permissions of the Application type). |
|
- Dynamics Lifecycle Services (permission of type Delegated)
|
#> |
|
|
|
# Based on https://blog.icewolf.ch/archive/2022/12/02/create-azure-ad-app-registration-with-microsoft-graph-powershell |
|
# original gist: https://gist.github.com/FH-Inway/d55993312d1bb1aa2d63adfeed9946f3 |
|
|
|
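[CmdletBinding()]
param (
    [Parameter(Mandatory = $true, HelpMessage = "The name of the Azure Application.")]
    [ValidateNotNullOrEmpty()]
    [String]
    $ApplicationName,

    # One or more redirect URIs. A single string is still accepted (PowerShell
    # coerces it to a one-element array), so existing callers keep working.
    [Parameter(Mandatory = $true, HelpMessage = "The redirect URLs to add to the Azure Application.")]
    [ValidateNotNullOrEmpty()]
    [String[]]
    $RedirectURLs
)

# Stop on the first failing cmdlet instead of carrying on with a $null $app
# and printing an empty AppId at the end.
$ErrorActionPreference = 'Stop'

# Install the PowerShell module "Microsoft.Graph" if it is not already installed.
# Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser -Force
# Install-Module -Name Microsoft.Graph.Applications -Scope CurrentUser -Force

# You need to have the Azure Active Directory Role "Application Administrator" or "Application Developer".
# Operator session scopes are kept to what this script actually calls:
# New-MgApplication is the only write, and Application.ReadWrite.All covers
# it (it implies Application.Read.All). User.Read.All / Group.Read.All are
# permissions of the *created* app registration, not of this session.
Connect-MgGraph -Scopes "Application.ReadWrite.All"

$Description = "https://learn.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/dev-tools/secure-developer-vm#external-integrations"

# API permissions
#
# Permission types as used in RequiredResourceAccess.ResourceAccess:
#   "Scope" = delegated permission, exercised on behalf of a signed-in user.
#   "Role"  = application permission, exercised without a user; these are the
#             ones that need tenant-wide admin consent (see the consent URL at
#             the end of the script).
$DelegatedType = "Scope"
$ApplicationType = "Role"

# Builds one ResourceAccess entry for a RequiredResourceAccess block.
# Arguments: Id   - permission id (GUID) as published by the resource API
#            Type - "Scope" or "Role" (see above)
function New-ResourceAccessEntry {
    param (
        [Parameter(Mandatory = $true)]
        [String]
        $Id,

        [Parameter(Mandatory = $true)]
        [ValidateSet("Scope", "Role")]
        [String]
        $Type
    )
    return @{ Id = $Id; Type = $Type }
}

## Dynamics ERP
$AXFullAccess            = New-ResourceAccessEntry -Id "6397893c-2260-496b-a41d-2f1f15b16ff3" -Type $DelegatedType
$ConnectorFullAccess     = New-ResourceAccessEntry -Id "add75854-3691-457b-84bc-76bc249f1b6f" -Type $ApplicationType
$CustomServiceFullAccess = New-ResourceAccessEntry -Id "ad8b4a5c-eecd-431a-a46f-33c060012ae1" -Type $DelegatedType
$OdataFullAccess         = New-ResourceAccessEntry -Id "a849e696-ce45-464a-81de-e5c5b45519c1" -Type $DelegatedType
$DynamicsERP = @{
    ResourceAppId  = "00000015-0000-0000-c000-000000000000"
    ResourceAccess = @($AXFullAccess, $ConnectorFullAccess, $CustomServiceFullAccess, $OdataFullAccess)
}

## Microsoft Graph
# Both are application (Role) permissions: once consented, the app can read
# every user and group in the tenant without a signed-in user.
$UserReadAll  = New-ResourceAccessEntry -Id "5b567255-7703-4780-807c-7be8301ae99b" -Type $ApplicationType
$GroupReadAll = New-ResourceAccessEntry -Id "df021288-bdef-4463-88db-98f22de89214" -Type $ApplicationType
$MicrosoftGraph = @{
    ResourceAppId  = "00000003-0000-0000-c000-000000000000"
    ResourceAccess = @($UserReadAll, $GroupReadAll)
}

## Dynamics Lifecycle Services
$UserImpersonation = New-ResourceAccessEntry -Id "a8737248-d2c2-4a7c-9759-3dfaad5c2f19" -Type $DelegatedType
$DynamicsLifecycle = @{
    ResourceAppId  = "913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0"
    ResourceAccess = @($UserImpersonation)
}

$RequiredResourceAccessList = @($DynamicsERP, $MicrosoftGraph, $DynamicsLifecycle)

$params = @{
    DisplayName            = $ApplicationName
    Description            = $Description
    RequiredResourceAccess = $RequiredResourceAccessList
    Web                    = @{
        RedirectUris = $RedirectURLs
    }
}
$app = New-MgApplication @params -Verbose
if (-not $app -or -not $app.AppId) {
    throw "New-MgApplication did not return an application object for '$ApplicationName'."
}

# Give the directory a moment to replicate the new object before the consent
# endpoint is asked about it.
Start-Sleep -Seconds 5

# Address the consent endpoint by the signed-in tenant id; fall back to the
# application's publisher domain, which can be empty on some tenants.
$tenant = (Get-MgContext).TenantId
if (-not $tenant) {
    $tenant = $app.PublisherDomain
}
$AdminConsentURL = "https://login.microsoftonline.com/$tenant/adminconsent?client_id=$($app.AppId)"
# Approving this page grants all Role-type permissions listed above to the
# app for the whole tenant; the approver should review that list first.
Start-Process $AdminConsentURL

# $ApplicationName is the parameter that was actually used as DisplayName.
Write-Output "Azure application $ApplicationName was created. Use the following AppId to configure the integration: $($app.AppId)"
Write-Output "Use the application object id $($app.Id) to upload the certificate."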