Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Create custom Azure AD identity for use with CLI for Microsoft 365 using Azure CLI
#!/usr/bin/env zsh
function createAppRegistration (){
local appName=$1
appObjectId=`az ad app create --display-name "${appName}" --oauth2-allow-implicit-flow false --query "objectId" --output tsv`
# Undocumented: You need to create the service principal to back the app registration
# https://github.com/Azure/azure-cli/issues/12797#issuecomment-612138520
sp=`az ad sp create --id ${appObjectId}`
appId=`az ad app show --id ${appObjectId} --query "appId" --output tsv`
echo "${appId}"
}
function addDelegatePermission (){
local appId=$1
local sp=$2
local scope=$3
spId=`az ad sp list --display-name "${sp}" --query "[0].appId" --output tsv`
scopeId=`az ad sp show --id ${spId} --query "oauth2Permissions[?value=='${scope}'].id" --output tsv`
count=`az ad app permission list --id ${appId} --query "length([*].resourceAccess[?id=='${scopeId}'] | [])" --output tsv`
if [ $count -eq 0 ]; then
echo "Adding ${scope} permission for ${sp} ..."
az ad app permission add --id ${appId} --api ${spId} --api-permissions "${scopeId}=Scope"
else
echo "${scope} already listed in permissions ... skipping ..."
fi
}
function grantAdminConsent (){
local appId=$1
az ad app permission admin-consent --id ${appId}
}
function updatePlatformConfiguration () {
local appId=$1
appObjectId=`az ad app show --id ${appId} --query "objectId" --output tsv`
az rest --method patch --uri "https://graph.microsoft.com/v1.0/applications/${appObjectId}" --headers 'Content-Type=application/json' --body "{\"isFallbackPublicClient\":true,\"publicClient\":{\"redirectUris\":[\"https://login.microsoftonline.com/common/oauth2/nativeclient\"]},\"web\":{\"implicitGrantSettings\":{\"enableIdTokenIssuance\":false}}}"
}
echo "Creating app registration ..."
appName='CLI for Microsoft 365 Identity'
appId=`createAppRegistration $appName`
echo "Adding delegate permissions ..."
addDelegatePermission ${appId} "Microsoft Graph" "AppCatalog.ReadWrite.All"
addDelegatePermission ${appId} "Microsoft Graph" "Directory.AccessAsUser.All"
addDelegatePermission ${appId} "Microsoft Graph" "Directory.ReadWrite.All"
addDelegatePermission ${appId} "Microsoft Graph" "Group.ReadWrite.All"
addDelegatePermission ${appId} "Microsoft Graph" "IdentityProvider.ReadWrite.All"
addDelegatePermission ${appId} "Microsoft Graph" "Mail.Send"
addDelegatePermission ${appId} "Microsoft Graph" "Reports.Read.All"
addDelegatePermission ${appId} "Microsoft Graph" "TeamsAppInstallation.ReadWriteForUser"
addDelegatePermission ${appId} "Microsoft Graph" "User.Invite.All"
addDelegatePermission ${appId} "Office 365 SharePoint Online" "AllSites.FullControl"
addDelegatePermission ${appId} "Office 365 SharePoint Online" "User.Read.All"
addDelegatePermission ${appId} "Office 365 SharePoint Online" "TermStore.ReadWrite.All"
addDelegatePermission ${appId} "Windows Azure Active Directory" "Directory.AccessAsUser.All"
addDelegatePermission ${appId} "Windows Azure Service Management API" "user_impersonation"
echo "Granting admin consent ..."
grantAdminConsent ${appId}
echo "Updating plaform configuration ..."
updatePlatformConfiguration ${appId}
tenantId=`az account show --query "homeTenantId" --output tsv`
echo "Execute the following commands in the prompt to use the identity and login to Microsoft 365 ..."
echo "<!--- BEGIN ---!>"
echo "export CLIMICROSOFT365_AADAPPID=${appId}"
echo "export CLIMICROSOFT365_TENANT=${tenantId}"
echo "m365 login"
echo "<!--- END ---!>"
echo "Done"
@garrytrinder
Copy link
Author

garrytrinder commented Oct 17, 2020

Updated script to use functions, which makes it much easier to read and also easier to configure permissions to users needs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment