Create custom Azure AD identity for use with CLI for Microsoft 365 using Azure CLI
#!/usr/bin/env zsh | |
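#######################################
# Creates an app registration plus the service principal that backs it and
# prints the application (client) id on stdout.
# Arguments: $1 - display name for the app registration
# Outputs:   the appId on stdout; diagnostics on stderr
# Returns:   non-zero if any az call fails or no object id comes back
#######################################
function createAppRegistration (){
  local appName=$1
  local appObjectId appId
  appObjectId=$(az ad app create --display-name "${appName}" --oauth2-allow-implicit-flow false --query "objectId" --output tsv) || return 1
  # NOTE(review): newer az CLI versions return Graph-shaped objects where this
  # field is named "id" rather than "objectId" — confirm against the installed version.
  if [[ -z "${appObjectId}" ]]; then
    echo "createAppRegistration: no object id returned for '${appName}'" >&2
    return 1
  fi
  # Undocumented: You need to create the service principal to back the app registration
  # https://github.com/Azure/azure-cli/issues/12797#issuecomment-612138520
  # stdout is discarded so the caller's $(...) capture receives only the appId.
  az ad sp create --id "${appObjectId}" >/dev/null || return 1
  appId=$(az ad app show --id "${appObjectId}" --query "appId" --output tsv) || return 1
  echo "${appId}"
}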
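#######################################
# Adds a delegated (Scope) permission exposed by the named resource service
# principal to the app registration, unless it is already listed.
# Arguments: $1 - appId of the app registration
#            $2 - display name of the resource service principal (e.g. "Microsoft Graph")
#            $3 - value of the delegated scope (e.g. "Mail.Send")
# Outputs:   progress messages on stdout; diagnostics on stderr
# Returns:   non-zero if the resource or the scope cannot be resolved
#######################################
function addDelegatePermission (){
  local appId=$1
  local sp=$2
  local scope=$3
  local spId scopeId count
  # NOTE(review): the lookup takes the first principal whose display name
  # matches; a tenant may hold another principal with the same name. Matching
  # on the resource's well-known appId would be unambiguous.
  spId=$(az ad sp list --display-name "${sp}" --query "[0].appId" --output tsv) || return 1
  if [[ -z "${spId}" ]]; then
    echo "addDelegatePermission: service principal '${sp}' not found" >&2
    return 1
  fi
  # NOTE(review): newer az CLI versions expose this list as
  # oauth2PermissionScopes — confirm against the installed version.
  scopeId=$(az ad sp show --id "${spId}" --query "oauth2Permissions[?value=='${scope}'].id" --output tsv) || return 1
  # Without this guard an unknown scope yields an empty id, the count below is
  # 0, and the add is attempted with "=Scope", which is not a valid permission.
  if [[ -z "${scopeId}" ]]; then
    echo "addDelegatePermission: scope '${scope}' not found on '${sp}'" >&2
    return 1
  fi
  count=$(az ad app permission list --id "${appId}" --query "length([*].resourceAccess[?id=='${scopeId}'] | [])" --output tsv) || return 1
  # An empty count (no permissions yet) is treated as 0 instead of a test error.
  if [[ "${count:-0}" -eq 0 ]]; then
    echo "Adding ${scope} permission for ${sp} ..."
    az ad app permission add --id "${appId}" --api "${spId}" --api-permissions "${scopeId}=Scope"
  else
    echo "${scope} already listed in permissions ... skipping ..."
  fi
}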
#######################################
# Grants admin consent for every permission currently requested by the app
# registration; after this, no per-user consent prompt is needed.
# Arguments: $1 - appId of the app registration
# Returns:   the exit status of the az command
#######################################
function grantAdminConsent (){
  local appId=$1
  local -a cmd
  cmd=(ad app permission admin-consent --id "${appId}")
  az "${cmd[@]}"
}
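#######################################
# Marks the app registration as a public client (no client secret), sets the
# native-client redirect URI and disables implicit id-token issuance.
# Arguments: $1 - appId of the app registration
# Returns:   non-zero if the object id cannot be resolved or the PATCH fails
#######################################
function updatePlatformConfiguration () {
  local appId=$1
  local appObjectId body
  appObjectId=$(az ad app show --id "${appId}" --query "objectId" --output tsv) || return 1
  # NOTE(review): newer az CLI versions return this field as "id" — confirm
  # against the installed version.
  if [[ -z "${appObjectId}" ]]; then
    echo "updatePlatformConfiguration: no object id found for appId '${appId}'" >&2
    return 1
  fi
  # Same JSON document as before, single-quoted so no escaping is needed.
  body='{"isFallbackPublicClient":true,"publicClient":{"redirectUris":["https://login.microsoftonline.com/common/oauth2/nativeclient"]},"web":{"implicitGrantSettings":{"enableIdTokenIssuance":false}}}'
  az rest --method patch --uri "https://graph.microsoft.com/v1.0/applications/${appObjectId}" --headers 'Content-Type=application/json' --body "${body}"
}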
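# Fail fast: a failing az call or an unset variable aborts the run instead of
# continuing with an empty appId and producing partially configured objects.
set -e -u -o pipefail

echo "Creating app registration ..."
appName='CLI for Microsoft 365 Identity'
appId=$(createAppRegistration "${appName}")
: "${appId:?app registration did not return an appId}"
echo "Adding delegate permissions ..."
# Least privilege: every line below becomes a delegated permission that the
# admin consent further down grants to each user signing in through this app.
# Remove the lines for features you will not use with the CLI.
addDelegatePermission "${appId}" "Microsoft Graph" "AppCatalog.ReadWrite.All"
addDelegatePermission "${appId}" "Microsoft Graph" "Directory.AccessAsUser.All"
addDelegatePermission "${appId}" "Microsoft Graph" "Directory.ReadWrite.All"
addDelegatePermission "${appId}" "Microsoft Graph" "Group.ReadWrite.All"
addDelegatePermission "${appId}" "Microsoft Graph" "IdentityProvider.ReadWrite.All"
addDelegatePermission "${appId}" "Microsoft Graph" "Mail.Send"
addDelegatePermission "${appId}" "Microsoft Graph" "Reports.Read.All"
addDelegatePermission "${appId}" "Microsoft Graph" "TeamsAppInstallation.ReadWriteForUser"
addDelegatePermission "${appId}" "Microsoft Graph" "User.Invite.All"
addDelegatePermission "${appId}" "Office 365 SharePoint Online" "AllSites.FullControl"
addDelegatePermission "${appId}" "Office 365 SharePoint Online" "User.Read.All"
addDelegatePermission "${appId}" "Office 365 SharePoint Online" "TermStore.ReadWrite.All"
addDelegatePermission "${appId}" "Windows Azure Active Directory" "Directory.AccessAsUser.All"
addDelegatePermission "${appId}" "Windows Azure Service Management API" "user_impersonation"
echo "Granting admin consent ..."
grantAdminConsent "${appId}"
echo "Updating platform configuration ..."
updatePlatformConfiguration "${appId}"
tenantId=$(az account show --query "homeTenantId" --output tsv)
# The identity is a public client: there is no secret to protect, and the
# exported values only select which app the interactive login uses.
echo "Execute the following commands in the prompt to use the identity and login to Microsoft 365 ..."
echo "<!--- BEGIN ---!>"
echo "export CLIMICROSOFT365_AADAPPID=${appId}"
echo "export CLIMICROSOFT365_TENANT=${tenantId}"
echo "m365 login"
echo "<!--- END ---!>"
echo "Done"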
Updated the script to use functions, which makes it much easier to read and also easier to configure the permissions to users' needs.