@garrytrinder
Last active October 3, 2023 12:04
Create custom Azure AD identity for use with CLI for Microsoft 365 using Azure CLI
#!/usr/bin/env zsh
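#######################################
# Create an app registration plus the service principal that backs it.
# Arguments: $1 - display name for the app registration
# Outputs:   the new application's appId (client ID) on stdout, nothing else,
#            because the caller captures stdout with $(...)
# Returns:   the status of the first az command that fails
# NOTE(review): az CLI 2.37+ (Microsoft Graph backed) reports the object id as
# "id" instead of "objectId" and no longer accepts --oauth2-allow-implicit-flow;
# confirm against the installed az version before running.
#######################################
function createAppRegistration (){
  local appName=$1
  local appObjectId appId
  appObjectId=$(az ad app create --display-name "${appName}" --oauth2-allow-implicit-flow false --query "objectId" --output tsv) || return
  # Undocumented: You need to create the service principal to back the app registration
  # https://github.com/Azure/azure-cli/issues/12797#issuecomment-612138520
  # Its JSON output is discarded so that only the appId reaches the caller.
  az ad sp create --id "${appObjectId}" >/dev/null || return
  appId=$(az ad app show --id "${appObjectId}" --query "appId" --output tsv) || return
  printf '%s\n' "${appId}"
}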
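#######################################
# Add a delegated (Scope) permission on a resource API to the app
# registration, skipping it when it is already listed.
# Arguments: $1 - appId of the app registration
#            $2 - display name of the resource service principal
#            $3 - scope value exposed by that resource (e.g. "Mail.Send")
# Outputs:   progress messages on stdout, errors on stderr
# Returns:   1 when the service principal or the scope cannot be resolved
# NOTE(review): az CLI 2.37+ exposes "oauth2PermissionScopes" rather than
# "oauth2Permissions"; confirm against the installed az version.
#######################################
function addDelegatePermission (){
  local appId=$1
  local sp=$2
  local scope=$3
  local spId scopeId count
  spId=$(az ad sp list --display-name "${sp}" --query "[0].appId" --output tsv)
  if [[ -z "${spId}" ]]; then
    printf 'error: service principal "%s" not found\n' "${sp}" >&2
    return 1
  fi
  # ${scope} is spliced into a JMESPath filter; it must be a plain scope
  # value from this script, never a quoted or user-supplied string.
  scopeId=$(az ad sp show --id "${spId}" --query "oauth2Permissions[?value=='${scope}'].id" --output tsv)
  if [[ -z "${scopeId}" ]]; then
    printf 'error: scope "%s" is not exposed by "%s"\n' "${scope}" "${sp}" >&2
    return 1
  fi
  count=$(az ad app permission list --id "${appId}" --query "length([*].resourceAccess[?id=='${scopeId}'] | [])" --output tsv)
  if (( count == 0 )); then
    printf '%s\n' "Adding ${scope} permission for ${sp} ..."
    az ad app permission add --id "${appId}" --api "${spId}" --api-permissions "${scopeId}=Scope"
  else
    printf '%s\n' "${scope} already listed in permissions ... skipping ..."
  fi
}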
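#######################################
# Grant admin consent for every permission currently on the app registration.
# This is tenant-wide consent; the signed-in account must be allowed to grant it.
# Arguments: $1 - appId of the app registration
# Returns:   the status of the az command
#######################################
function grantAdminConsent (){
  local appId=$1
  az ad app permission admin-consent --id "${appId}"
}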
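#######################################
# PATCH the application object through Microsoft Graph: mark it as a fallback
# public client, add the native-client redirect URI and disable implicit
# id_token issuance.
# Arguments: $1 - appId of the app registration
# Returns:   the status of the object-id lookup or of the PATCH
#######################################
function updatePlatformConfiguration () {
  local appId=$1
  local appObjectId body
  appObjectId=$(az ad app show --id "${appId}" --query "objectId" --output tsv) || return
  # Single-quoted so the JSON needs no escaping; every value is fixed, nothing is interpolated.
  body='{"isFallbackPublicClient":true,"publicClient":{"redirectUris":["https://login.microsoftonline.com/common/oauth2/nativeclient"]},"web":{"implicitGrantSettings":{"enableIdTokenIssuance":false}}}'
  az rest --method patch --uri "https://graph.microsoft.com/v1.0/applications/${appObjectId}" --headers 'Content-Type=application/json' --body "${body}"
}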
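# Stop at the first failed az call instead of carrying empty ids into later steps.
set -e -u -o pipefail

echo "Creating app registration ..."
appName='CLI for Microsoft 365 Identity'
# Quoted: the display name contains spaces (zsh would not split it, bash would).
appId=$(createAppRegistration "${appName}")
echo "Adding delegate permissions ..."
# Review this list before running: the admin consent granted below makes each
# scope usable tenant-wide by anyone who can sign in to this app. Several of
# them (AllSites.FullControl, Directory.ReadWrite.All, Directory.AccessAsUser.All)
# are highly privileged - drop any scope your scenarios do not need.
addDelegatePermission "${appId}" "Microsoft Graph" "AppCatalog.ReadWrite.All"
addDelegatePermission "${appId}" "Microsoft Graph" "Directory.AccessAsUser.All"
addDelegatePermission "${appId}" "Microsoft Graph" "Directory.ReadWrite.All"
addDelegatePermission "${appId}" "Microsoft Graph" "Group.ReadWrite.All"
addDelegatePermission "${appId}" "Microsoft Graph" "IdentityProvider.ReadWrite.All"
addDelegatePermission "${appId}" "Microsoft Graph" "Mail.Send"
addDelegatePermission "${appId}" "Microsoft Graph" "Reports.Read.All"
addDelegatePermission "${appId}" "Microsoft Graph" "TeamsAppInstallation.ReadWriteForUser"
addDelegatePermission "${appId}" "Microsoft Graph" "User.Invite.All"
addDelegatePermission "${appId}" "Office 365 SharePoint Online" "AllSites.FullControl"
addDelegatePermission "${appId}" "Office 365 SharePoint Online" "User.Read.All"
addDelegatePermission "${appId}" "Office 365 SharePoint Online" "TermStore.ReadWrite.All"
addDelegatePermission "${appId}" "Windows Azure Active Directory" "Directory.AccessAsUser.All"
addDelegatePermission "${appId}" "Windows Azure Service Management API" "user_impersonation"
echo "Granting admin consent ..."
grantAdminConsent "${appId}"
echo "Updating platform configuration ..."
updatePlatformConfiguration "${appId}"
tenantId=$(az account show --query "homeTenantId" --output tsv)
# The app id and tenant id are not secrets; the identity only becomes usable
# after an interactive m365 login.
echo "Execute the following commands in the prompt to use the identity and login to Microsoft 365 ..."
echo "<!--- BEGIN ---!>"
echo "export CLIMICROSOFT365_AADAPPID=${appId}"
echo "export CLIMICROSOFT365_TENANT=${tenantId}"
echo "m365 login"
echo "<!--- END ---!>"
echo "Done"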
@garrytrinder
Author

Updated the script to use functions, which makes it much easier to read and also easier to configure the permissions to users' needs.
