Create custom Azure AD identity for use with CLI for Microsoft 365 using Azure CLI
{ | |
"isFallbackPublicClient": true, | |
"publicClient": { | |
"redirectUris": [ | |
"https://login.microsoftonline.com/common/oauth2/nativeclient" | |
] | |
}, | |
"web": { | |
"implicitGrantSettings": { | |
"enableIdTokenIssuance": false | |
} | |
} | |
} |
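#!/usr/bin/env bash
# Create a custom Azure AD app registration for CLI for Microsoft 365 with the
# Azure CLI: register the app, create its service principal, add delegated
# (Scope) permissions for Microsoft Graph, SharePoint Online, the Azure Service
# Management API and Azure AD, grant admin consent, then PATCH the
# registration's authentication settings from ./body.json.
#
# Requires: an authenticated `az` session allowed to create app registrations
# and to grant tenant-wide admin consent; body.json in the current directory.
# NOTE(review): the permission set requested below (Directory.ReadWrite.All,
# AllSites.FullControl, ...) is broad and is admin-consented for every user of
# the app; trim it to what your use of the CLI actually needs before running.
set -euo pipefail

readonly appName='CLI for Microsoft 365 Identity'

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

# Print the appId of the first service principal whose display name matches $1.
sp_app_id() {
  local name=$1 id
  id=$(az ad sp list --display-name "${name}" --query "[0].appId" --output tsv) || return
  [[ -n "${id}" ]] || die "service principal '${name}' not found"
  printf '%s\n' "${id}"
}

# Print the id of the delegated OAuth2 permission named $2 exposed by resource
# app $1. Aborts when the lookup comes back empty so that an "=Scope" entry
# with no id is never sent to `az ad app permission add`.
# NOTE(review): Azure CLI 2.37+ (Microsoft Graph backend) exposes this list as
# oauth2PermissionScopes instead of oauth2Permissions; adjust the query if the
# lookup returns nothing.
permission_id() {
  local api=$1 value=$2 id
  id=$(az ad sp show --id "${api}" --query "oauth2Permissions[?value=='${value}'].id" --output tsv) || return
  [[ -n "${id}" ]] || die "permission '${value}' not found on API ${api}"
  printf '%s\n' "${id}"
}

# Add each delegated permission named in $2.. of resource app $1 to the app
# registration, then grant them for the app.
# Globals: spId (read: app registration object id), appId (read: client id)
add_scopes() {
  local api=$1
  shift
  local value id
  for value in "$@"; do
    id=$(permission_id "${api}" "${value}")
    az ad app permission add --id "${spId}" --api "${api}" --api-permissions "${id}=Scope"
  done
  az ad app permission grant --id "${appId}" --api "${api}"
}

# Pre-flight: the PATCH at the end needs body.json; fail before creating a
# half-configured registration.
[[ -f body.json ]] || die "body.json not found in $(pwd)"

# Create app registration
printf '%s\n' "Creating app registration ..."
# NOTE(review): Azure CLI 2.37+ returns the object id as `id` rather than
# `objectId` and no longer accepts --oauth2-allow-implicit-flow; adjust this
# command if it fails on a newer CLI.
spId=$(az ad app create --display-name "${appName}" --oauth2-allow-implicit-flow false --query "objectId" --output tsv)
[[ -n "${spId}" ]] || die "app registration was not created"
# Undocumented: the service principal backing the app registration has to be
# created explicitly (its JSON output is not needed, hence discarded)
# https://github.com/Azure/azure-cli/issues/12797#issuecomment-612138520
az ad sp create --id "${spId}" >/dev/null
appId=$(az ad app show --id "${spId}" --query "appId" --output tsv)
[[ -n "${appId}" ]] || die "could not read appId of ${spId}"

# Configure Microsoft Graph OAuth2 permissions
printf '%s\n' "Configuring Microsoft Graph OAuth2 permissions ..."
graphId=$(sp_app_id "Microsoft Graph")
add_scopes "${graphId}" \
  AppCatalog.ReadWrite.All \
  Directory.AccessAsUser.All \
  Directory.ReadWrite.All \
  Group.ReadWrite.All \
  IdentityProvider.ReadWrite.All \
  Mail.Send \
  Reports.Read.All \
  User.Invite.All

# Configure SharePoint Online OAuth2 permissions
printf '%s\n' "Configuring SharePoint Online OAuth2 permissions ..."
spoId=$(sp_app_id "Office 365 SharePoint Online")
add_scopes "${spoId}" \
  AllSites.FullControl \
  User.Read.All \
  TermStore.ReadWrite.All

# Configure Windows Azure Service Management API OAuth2 permissions
printf '%s\n' "Configuring Windows Azure Service Management API OAuth2 permissions ..."
asmId=$(sp_app_id "Windows Azure Service Management API")
add_scopes "${asmId}" user_impersonation

# Configure Windows Azure Active Directory OAuth2 permissions
printf '%s\n' "Configuring Windows Azure Active Directory OAuth2 permissions ..."
aadId=$(sp_app_id "Windows Azure Active Directory")
add_scopes "${aadId}" Directory.AccessAsUser.All

# Grant admin consent for app registration API permissions
printf '%s\n' "Granting admin consent for app registration API permissions ..."
az ad app permission admin-consent --id "${appId}"

# Configure app registration authentication (public client / redirect URI /
# implicit grant settings come from body.json)
printf '%s\n' "Configuring app registration authentication settings ..."
az rest --method patch --uri "https://graph.microsoft.com/v1.0/applications/${spId}" --headers 'Content-Type=application/json' --body @body.json

# Get Tenant Id
tenantId=$(az account show --query "homeTenantId" --output tsv)
printf '%s\n' "To use your custom identity, update your environment variables ..."
printf '%s\n' "export CLIMICROSOFT365_AADAPPID=${appId}"
printf '%s\n' "export CLIMICROSOFT365_TENANT=${tenantId}"
printf '%s\n' "... and then login to your Microsoft 365 tenant ..."
printf '%s\n' "m365 login"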