@punitganshani
Last active February 26, 2024 16:53
Create AAD App and ClientID/Secrets Programmatically
# https://learn.microsoft.com/en-us/graph/api/application-addpassword?view=graph-rest-1.0&tabs=http
import json
import os
import random
import time
from datetime import datetime, timedelta

import requests
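# --- Script configuration ---------------------------------------------------
# Random suffix so repeated runs do not produce app registrations with the same
# displayName (Graph does not enforce uniqueness, but duplicates are confusing).
random_number = random.randint(1000, 9999)  # Adjust the range as needed
app_name = f"App_{random_number}"

# Azure AD B2C constants.
# The environment-variable names below (TENANT_ID, CLIENT_ID, CLIENT_SECRET) are
# suggested names, not Azure-defined ones; when set they override the placeholder
# values so the client secret does not have to be committed in this file.
TENANT_ID = os.environ.get('TENANT_ID', 'xxxxx-xxxxx-xxxxx-xxxxx')
CLIENT_ID = os.environ.get('CLIENT_ID', 'xxxxx-xxxxx-xxxxx-xxxxx')
CLIENT_SECRET = os.environ.get('CLIENT_SECRET', 'xxxxx-xxxxx-xxxxx-xxxxx')

# Token endpoint to get the access token
token_endpoint = f'https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token'
# Resource URL
resource_url = 'https://graph.microsoft.com'
# Scopes for the Microsoft Graph API
scopes = ['https://graph.microsoft.com/.default']
# Seconds before an HTTP call is abandoned; requests has no default timeout, so
# without this a stalled connection would block the script forever.
REQUEST_TIMEOUT = 30

# --- Acquire an app-only access token (client credentials grant) ------------
token_data = {
    'grant_type': 'client_credentials',
    'client_id': CLIENT_ID,
    'client_secret': CLIENT_SECRET,
    'scope': ' '.join(scopes),
}
token_response = requests.post(token_endpoint, data=token_data, timeout=REQUEST_TIMEOUT)
if not token_response.ok:
    # Stop here with the token endpoint's error payload; continuing would send
    # 'Bearer None' to Graph and fail with a less useful 401 later.
    raise SystemExit(
        f"Failed to obtain access token. Status code: {token_response.status_code} "
        f"Response: {token_response.text}"
    )
access_token = token_response.json().get('access_token')
if not access_token:
    raise SystemExit(f"Token response contained no access_token: {token_response.text}")

# --- Create the app registration --------------------------------------------
create_app_endpoint = f'{resource_url}/v1.0/{TENANT_ID}/applications'
headers = {
    'Authorization': f'Bearer {access_token}',
    'Content-Type': 'application/json',
}
app_registration_data = {
    "displayName": f"{app_name}",
    "signInAudience": "AzureADMyOrg",
    "requiredResourceAccess": [
        {
            "resourceAppId": "00000003-0000-0000-c000-000000000000",  # Microsoft Graph API ID
            "resourceAccess": [
                {
                    # NOTE(review): the original comment labelled this GUID "Read
                    # Directory Data"; it is the GUID documented for the Microsoft
                    # Graph User.Read delegated permission. Confirm which permission
                    # is actually intended before relying on it.
                    "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
                    "type": "Scope",
                }
            ],
        }
    ],
    # Application-only app roles exposed by the new app; other apps are granted
    # these via admin consent.
    "appRoles": [
        {
            "allowedMemberTypes": ["Application"],
            "displayName": "Read",
            "id": "d6a15e20-f83c-4264-8e61-5082688e14c8",
            "isEnabled": True,
            "description": "Readers have the ability to read tasks.",
            "value": "app.read",
        },
        {
            "allowedMemberTypes": ["Application"],
            "displayName": "Write",
            "id": "204dc4ab-51e1-439f-8c7f-31a1ebf3c7b9",
            "isEnabled": True,
            "description": "Writers have the ability to create tasks.",
            "value": "app.write",
        },
    ],
}
response = requests.post(
    create_app_endpoint,
    headers=headers,
    json=app_registration_data,
    timeout=REQUEST_TIMEOUT,
)
if response.status_code == 201:
    print("App registration created successfully.")
    # Graph returns the created application object; 'id' is the directory
    # object id (needed for the addPassword URL) and 'appId' is the client id.
    response_json = response.json()
    application_object_id = response_json.get('id')
    app_id = response_json.get('appId')
    print("App:", app_name)
    print("AppId: ", app_id)
    print("AppObjectId: ", application_object_id)

    # --- Add a client secret to the new app registration --------------------
    url_password = f'{resource_url}/v1.0/{TENANT_ID}/applications/{application_object_id}/addPassword'
    # Request body with the password credential details
    password_credentials_data = {
        "passwordCredential": {
            "displayName": "System_Access_1"
        }
    }
    response = requests.post(
        url_password,
        headers=headers,
        json=password_credentials_data,
        timeout=REQUEST_TIMEOUT,
    )
    if response.status_code == 200:
        print("Password credentials created successfully.")
        credential = response.json()
        # secretText is only returned in this one response and cannot be read
        # back from Graph afterwards, so it is printed on its own line to be
        # captured into a secret store; the full raw payload is not dumped.
        print("KeyId:", credential.get('keyId'))
        print("Expires:", credential.get('endDateTime'))
        print("Secret (returned once, not retrievable later):", credential.get('secretText'))
    else:
        print("Failed to create password credentials. Status code:", response.status_code)
        print("Response:", response.text)
else:
    print("Error creating app registration:", response.text)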

Create App Registration

Scope

Scope Type Description Admin Consent
Application.Read.All Application Read all applications Yes
Application.ReadWrite.All Application Read and write all applications Yes
Application.ReadWrite.OwnedBy Application Manage apps that this app creates or owns Yes
offline_access Delegated Maintain access to data you have given it access to No
openid Delegated Sign users in No

Secret

Generate a Client ID and secret for this app and use them in the Python script.
