Create a custom Azure AD app registration (identity) for use with CLI for Microsoft 365, using the Azure CLI. The script below (m365-identity.sh) creates the app, requests delegated Microsoft Graph / SharePoint Online / Azure Service Management / Azure AD scopes, grants admin consent, and finally patches the authentication settings held in the accompanying body.json onto the application.
{
"isFallbackPublicClient": true,
"publicClient": {
"redirectUris": [
"https://login.microsoftonline.com/common/oauth2/nativeclient"
]
},
"web": {
"implicitGrantSettings": {
"enableIdTokenIssuance": false
}
}
}
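#!/usr/bin/env bash
# Create a custom Azure AD app registration for CLI for Microsoft 365 and
# print the environment variables needed to log in through it.
#
# Requirements:
#   - an authenticated `az` session as a user who can both create app
#     registrations and grant tenant-wide admin consent
#     (`az ad app permission admin-consent` needs a privileged directory role);
#   - `body.json` in the current directory: the PATCH body applied at the
#     end (fallback public client, the native-client redirect URI, ID-token
#     implicit grant disabled).
#
# Security notes for whoever runs this:
#   - The result is a *public client* (no client secret). Anyone who learns
#     the appId can sign in through it; the delegated scopes never exceed the
#     signed-in user's own rights, but the registration should still be
#     treated as tenant configuration, not as a throwaway.
#   - The delegated scopes requested below are highly privileged
#     (Directory.AccessAsUser.All, Directory.ReadWrite.All,
#     AllSites.FullControl, user_impersonation on Azure Service Management).
#     Admin consent removes the per-user consent prompt tenant-wide, so prune
#     anything your m365 usage does not actually need before running.
#   - Resource APIs are resolved by display name. The original took the first
#     match of a prefix filter; this version requires exactly one exact-name
#     match and aborts otherwise, so permissions cannot silently be bound to
#     a look-alike service principal. NOTE(review): keying on the well-known
#     first-party appIds would be more robust still; the name lookup is kept
#     to match the original behaviour.
#   - Field names (objectId, oauth2Permissions) and --oauth2-allow-implicit-flow
#     follow the Azure CLI of the period this was written for.
#     NOTE(review): newer `az ad` builds renamed these; confirm against your
#     `az --version` before use.
set -euo pipefail

appName='CLI for Microsoft 365 Identity'
bodyFile='body.json'

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

#######################################
# Resolve the appId of a resource API (service principal) by exact display
# name.
# Arguments: $1 - display name, e.g. "Microsoft Graph"
# Outputs:   the appId on stdout
# Returns:   exits via die unless exactly one principal matches
#######################################
resource_app_id() {
  local name=$1
  local -a matches
  # --display-name narrows server-side; the JMESPath filter enforces an
  # exact match instead of the first prefix hit.
  mapfile -t matches < <(az ad sp list --display-name "${name}" \
    --query "[?displayName=='${name}'].appId" --output tsv)
  (( ${#matches[@]} == 1 )) \
    || die "expected exactly one service principal named '${name}', found ${#matches[@]}"
  printf '%s' "${matches[0]}"
}

#######################################
# Resolve the id of a delegated permission (oauth2Permissions scope) exposed
# by a resource API.
# Arguments: $1 - appId of the resource API
#            $2 - scope value, e.g. "Mail.Send"
# Outputs:   the scope id on stdout
# Returns:   exits via die if the scope is not exposed by that API
#######################################
scope_id() {
  local apiId=$1 scope=$2 id
  id=$(az ad sp show --id "${apiId}" \
    --query "oauth2Permissions[?value=='${scope}'].id" --output tsv)
  [[ -n "${id}" ]] || die "scope '${scope}' not found on API ${apiId}"
  printf '%s' "${id}"
}

#######################################
# Request delegated scopes on one resource API, then create the OAuth2
# permission grant for that API (same add-then-grant order as the original).
# Arguments: $1 - objectId of the app registration
#            $2 - appId of the app registration
#            $3 - appId of the resource API
#            $@ - remaining args: scope values to request
#######################################
add_delegated_scopes() {
  local objectId=$1 appId=$2 apiId=$3
  shift 3
  local scope sid
  for scope in "$@"; do
    # Assigned separately so a failed lookup aborts under set -e instead of
    # passing an empty "=Scope" to az.
    sid=$(scope_id "${apiId}" "${scope}")
    az ad app permission add --id "${objectId}" --api "${apiId}" \
      --api-permissions "${sid}=Scope"
  done
  # NOTE(review): this records a delegated grant for the API; check the
  # consentType it creates in your tenant before relying on it.
  az ad app permission grant --id "${appId}" --api "${apiId}"
}

main() {
  command -v az >/dev/null || die "azure-cli (az) is not installed"
  # Fail before touching the tenant rather than after all grants are in place.
  [[ -f "${bodyFile}" ]] \
    || die "${bodyFile} not found in $(pwd); it holds the authentication settings PATCH body"

  local spId appId graphId spoId asmId aadId tenantId

  echo "Creating app registration ..."
  spId=$(az ad app create --display-name "${appName}" \
    --oauth2-allow-implicit-flow false --query "objectId" --output tsv)
  [[ -n "${spId}" ]] || die "app registration was created without returning an objectId"

  # Undocumented: the registration needs a backing service principal before
  # permissions can be granted. Output was discarded in the original too.
  # https://github.com/Azure/azure-cli/issues/12797#issuecomment-612138520
  az ad sp create --id "${spId}" >/dev/null
  appId=$(az ad app show --id "${spId}" --query "appId" --output tsv)
  [[ -n "${appId}" ]] || die "could not read appId of application ${spId}"

  echo "Configuring Microsoft Graph OAuth2 permissions ..."
  graphId=$(resource_app_id "Microsoft Graph")
  add_delegated_scopes "${spId}" "${appId}" "${graphId}" \
    AppCatalog.ReadWrite.All \
    Directory.AccessAsUser.All \
    Directory.ReadWrite.All \
    Group.ReadWrite.All \
    IdentityProvider.ReadWrite.All \
    Mail.Send \
    Reports.Read.All \
    User.Invite.All

  echo "Configuring SharePoint Online OAuth2 permissions ..."
  spoId=$(resource_app_id "Office 365 SharePoint Online")
  add_delegated_scopes "${spId}" "${appId}" "${spoId}" \
    AllSites.FullControl \
    User.Read.All \
    TermStore.ReadWrite.All

  echo "Configuring Windows Azure Service Management API OAuth2 permissions ..."
  asmId=$(resource_app_id "Windows Azure Service Management API")
  add_delegated_scopes "${spId}" "${appId}" "${asmId}" user_impersonation

  echo "Configuring Windows Azure Active Directory OAuth2 permissions ..."
  aadId=$(resource_app_id "Windows Azure Active Directory")
  add_delegated_scopes "${spId}" "${appId}" "${aadId}" Directory.AccessAsUser.All

  # Tenant-wide consent: after this no user is prompted for the scopes above.
  echo "Granting admin consent for app registration API permissions ..."
  az ad app permission admin-consent --id "${appId}"

  # Applies body.json: fallback public client, native redirect URI, no
  # ID-token implicit grant.
  echo "Configuring app registration authentication settings ..."
  az rest --method patch \
    --uri "https://graph.microsoft.com/v1.0/applications/${spId}" \
    --headers 'Content-Type=application/json' \
    --body "@${bodyFile}"

  tenantId=$(az account show --query "homeTenantId" --output tsv)
  echo "To use your custom identity, update your environment variables ..."
  echo "export CLIMICROSOFT365_AADAPPID=${appId}"
  echo "export CLIMICROSOFT365_TENANT=${tenantId}"
  echo "... and then login to your Microsoft 365 tenant ..."
  echo "m365 login"
}

main "$@"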