Create custom Azure AD identity for use with CLI for Microsoft 365 using Azure CLI

body.json

{
  "isFallbackPublicClient": true,
  "publicClient": {
    "redirectUris": [
      "https://login.microsoftonline.com/common/oauth2/nativeclient"
    ]
  },
  "web": {
    "implicitGrantSettings": {
      "enableIdTokenIssuance": false
    }
  }
}

m365-identity.sh

appName='CLI for Microsoft 365 Identity'

# Create app registration
echo "Creating app registration ..."
spId=`az ad app create --display-name "${appName}" --oauth2-allow-implicit-flow false --query "objectId" --output tsv`
# Undocumented: You need to create the service principal to back the app registration
# https://github.com/Azure/azure-cli/issues/12797#issuecomment-612138520
sp=`az ad sp create --id $spId`
appId=`az ad app show --id ${spId} --query "appId" --output tsv`

# Configure Microsoft Graph OAuth2 permissions
echo "Configuring Microsoft Graph OAuth2 permissions ..."
graphId=`az ad sp list --display-name "Microsoft Graph" --query "[0].appId" --output tsv`
appCatalogReadWriteAllId=`az ad sp show --id ${graphId} --query "oauth2Permissions[?value=='AppCatalog.ReadWrite.All'].id" --output tsv`
directoryAccessAsUserAllId=`az ad sp show --id ${graphId} --query "oauth2Permissions[?value=='Directory.AccessAsUser.All'].id" --output tsv`
directoryReadWriteAllId=`az ad sp show --id ${graphId} --query "oauth2Permissions[?value=='Directory.ReadWrite.All'].id" --output tsv`
groupReadWriteAllId=`az ad sp show --id ${graphId} --query "oauth2Permissions[?value=='Group.ReadWrite.All'].id" --output tsv`
identityProviderReadWriteAllId=`az ad sp show --id ${graphId} --query "oauth2Permissions[?value=='IdentityProvider.ReadWrite.All'].id" --output tsv`
mailSendId=`az ad sp show --id ${graphId} --query "oauth2Permissions[?value=='Mail.Send'].id" --output tsv`
reportsReadAllId=`az ad sp show --id ${graphId} --query "oauth2Permissions[?value=='Reports.Read.All'].id" --output tsv`
userInviteAllId=`az ad sp show --id ${graphId} --query "oauth2Permissions[?value=='User.Invite.All'].id" --output tsv`
az ad app permission add --id ${spId} --api ${graphId} --api-permissions "${appCatalogReadWriteAllId}=Scope"
az ad app permission add --id ${spId} --api ${graphId} --api-permissions "${directoryAccessAsUserAllId}=Scope"
az ad app permission add --id ${spId} --api ${graphId} --api-permissions "${directoryReadWriteAllId}=Scope"
az ad app permission add --id ${spId} --api ${graphId} --api-permissions "${groupReadWriteAllId}=Scope"
az ad app permission add --id ${spId} --api ${graphId} --api-permissions "${identityProviderReadWriteAllId}=Scope"
az ad app permission add --id ${spId} --api ${graphId} --api-permissions "${mailSendId}=Scope"
az ad app permission add --id ${spId} --api ${graphId} --api-permissions "${reportsReadAllId}=Scope"
az ad app permission add --id ${spId} --api ${graphId} --api-permissions "${userInviteAllId}=Scope"
az ad app permission grant --id ${appId} --api ${graphId}

# Configure SharePoint Online OAuth2 permissions
echo "Configuring SharePoint Online OAuth2 permissions ..."
spoId=`az ad sp list --display-name "Office 365 SharePoint Online" --query "[0].appId" --output tsv`
allSitesFullControlId=`az ad sp show --id ${spoId} --query "oauth2Permissions[?value=='AllSites.FullControl'].id" --output tsv`
userReadAllId=`az ad sp show --id ${spoId} --query "oauth2Permissions[?value=='User.Read.All'].id" --output tsv`
termStoreReadWriteAllId=`az ad sp show --id ${spoId} --query "oauth2Permissions[?value=='TermStore.ReadWrite.All'].id" --output tsv`
az ad app permission add --id ${spId} --api ${spoId} --api-permissions "${allSitesFullControlId}=Scope"
az ad app permission add --id ${spId} --api ${spoId} --api-permissions "${userReadAllId}=Scope"
az ad app permission add --id ${spId} --api ${spoId} --api-permissions "${termStoreReadWriteAllId}=Scope"
az ad app permission grant --id ${appId} --api ${spoId}

# Configure Windows Azure Service Management API OAuth2 permissions
echo "Configuring Windows Azure Service Management API OAuth2 permissions ..."
asmId=`az ad sp list --display-name "Windows Azure Service Management API" --query "[0].appId" --output tsv`
userImpersonationId=`az ad sp show --id ${asmId} --query "oauth2Permissions[?value=='user_impersonation'].id" --output tsv`
az ad app permission add --id ${spId} --api ${asmId} --api-permissions "${userImpersonationId}=Scope"
az ad app permission grant --id ${appId} --api ${asmId}

# Configure Windows Azure Active Directory OAuth2 permissions
echo "Configuring Windows Azure Active Directory OAuth2 permissions ..."
aadId=`az ad sp list --display-name "Windows Azure Active Directory" --query "[0].appId" --output tsv`
directoryAccessAsUserAllId=`az ad sp show --id ${aadId} --query "oauth2Permissions[?value=='Directory.AccessAsUser.All'].id" --output tsv`
az ad app permission add --id ${spId} --api ${aadId} --api-permissions "${directoryAccessAsUserAllId}=Scope"
az ad app permission grant --id ${appId} --api ${aadId}

# Grant admin consent for app registration API permissions
echo "Granting admin consent for app registration API permissions ..."
az ad app permission admin-consent --id ${appId}

# Configure app registration authentication
echo "Configuring app registration authentication settings ..."
az rest --method patch --uri "https://graph.microsoft.com/v1.0/applications/${spId}" --headers 'Content-Type=application/json' --body @body.json

# Get Tenant Id
tenantId=`az account show --query "homeTenantId" --output tsv`

echo "To use your custom identity, update your environment variables ..."
echo "export CLIMICROSOFT365_AADAPPID=${appId}"
echo "export CLIMICROSOFT365_TENANT=${tenantId}"
echo "... and then login to your Microsoft 365 tenant ..."
echo "m365 login"