How to assign Permissions to Azure AD App by using PowerShell?

My last blog post described the PowerShell script that registers the app in Azure AD. In this post we cover the PowerShell script that assigns the necessary permissions to that app.

STEP 1: Install the Azure AD module in PowerShell. If you have not installed the AzureAD module before, install it with this cmdlet; otherwise skip this step.

#Install Azure Ad module in PowerShell if not installed earlier otherwise leave this step.
Install-Module AzureAD

STEP 2: Connect to Azure AD. First store the credentials in a credential object; it is used to sign in to Azure. Once you are connected, the cmdlet prints the tenant information as output, which confirms that the connection succeeded.

#Store the credential and use these credentials to connect to Azure AD.
$Credentials = Get-Credential 

# Now connect to Azure AD
Connect-AzureAD -Credential $Credentials 

STEP 3: Identify the service principal of the resource whose permissions you want to assign. For example, to assign Power BI permissions, the service principal is the Power BI Service; for Azure AD itself you need to search for its specific display name. If you are not sure about the name, run this cmdlet and look up the exact name to use in the next cmdlet:

Get-AzureADServicePrincipal -All $true 

STEP 4: Get the service principal object for the specific service. In our scenario we want the service principals for Power BI Service and Windows Azure Active Directory.

$svcprincipalPbi = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -match "Power BI Service" }

$svcprincipalAAD = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -match "Windows Azure Active Directory" }

STEP 5: List the application roles (AppRoles) defined on the service principals retrieved in Step 4.

$svcprincipalPbi.AppRoles | FT ID, DisplayName
$svcprincipalAAD.AppRoles | FT ID, DisplayName

STEP 6: Show the delegated permissions (OAuth2 permission scopes) exposed by the service principals.

# Show the Delegated Permissions
$svcprincipalPbi.Oauth2Permissions | FT ID, UserConsentDisplayName
$svcprincipalAAD.Oauth2Permissions | FT ID, UserConsentDisplayName

Note down these ID values, because they are used in the following steps.

STEP 7: Create a RequiredResourceAccess object for each resource and set its ResourceAppId to the service principal's App ID.

$Pbi = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Pbi.ResourceAppId = $svcprincipalPbi.AppId

$Aad = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Aad.ResourceAppId = $svcprincipalAAD.AppId

STEP 8: Create a set of delegated permissions (ResourceAccess objects of type "Scope") from the IDs noted down in Step 6. The first ID belongs to Windows Azure Active Directory; the remaining ones belong to Power BI Service.

$delPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "a42657d6-7f20-40e3-b6f0-cee03008a62a","Scope" ## Access the directory as you

$delPermission4 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "47df08d3-85e6-4bd3-8c77-680fbe28162e","Scope" ## View all Groups

$delPermission3 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "a65a6bd9-0978-46d6-a261-36b3e6fdd32e","Scope" ## View users Groups

$delPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "ddd37690-e119-40c5-a821-3746ea6125c4","Scope" ## Read and write all dataflows

$delPermission5 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "4ae1bf56-f562-4747-b7bc-2fa0874ed46f","Scope" ## View all Reports

$delPermission6 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "f3076109-ca66-412a-be10-d4ee1be95d47","Scope" ## Create content

$delPermission7 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "322b68b2-0804-416e-86a5-d772c567b6e6","Scope" ## Read and Write all Datasets

$delPermission8 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7f33e027-4039-419b-938e-2f8ca153e68e","Scope" ## View all Datasets

$delPermission9 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "2448370f-f988-42cd-909c-6528efd67c1a","Scope" ## View all Dashboards

$delPermission10 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "ecc85717-98b0-4465-af6d-1cbba6f9c961","Scope" ## Add data to any of your datasets in Power BI

$delPermission11 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "b271f05e-8329-4b97-baa4-91cf15b99cf1","Scope" ## Read and Write all Dashboards

$delPermission12 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "445002fb-a6f2-4dc1-a81e-4254a111cd29","Scope" ## Read and write all workspaces

$delPermission13 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "b2f1b2fa-f35c-407c-979c-a858a808ba85","Scope" ## View all workspaces

STEP 9: Assign the delegated permissions to the RequiredResourceAccess objects created in Step 7. The Power BI list must be a single array expression; the trailing comma at the end of each line continues the statement onto the next line.

$Aad.ResourceAccess = $delPermission1

# A trailing comma continues the array onto the next line; a leading comma would
# start a new statement and the remaining permissions would never be assigned.
$Pbi.ResourceAccess = $delPermission2, $delPermission3, $delPermission4,
    $delPermission5, $delPermission6, $delPermission7, $delPermission8,
    $delPermission9, $delPermission10, $delPermission11, $delPermission12, $delPermission13

STEP 10: Get a reference to the application registered in the last post and set the required resource access objects on it so the permissions are assigned.

# Compare the AppId exactly; -match would treat the GUID as a regular expression
$ADApplication = Get-AzureADApplication -All $true | ? { $_.AppId -eq "<your application ID created earlier for which you want to set the permissions>" }

Set-AzureADApplication -ObjectId $ADApplication.ObjectId -RequiredResourceAccess $Pbi, $Aad
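Set-AzureADApplication only records the permissions the app requests; they take effect once consent is granted, so it is worth reading back exactly what was requested. The following is an added example, not code from the original post: it builds the ResourceAccess list by permission name instead of hand-copied GUIDs and resolves the stored GUIDs back to names for review. It assumes an open Connect-AzureAD session, the $svcprincipalPbi, $svcprincipalAAD and $ADApplication objects from Steps 4 and 10, and the scope names "Dataset.Read.All", "Report.Read.All" and "User.Read" as assumed examples (check them against the Step 6 listing).

```powershell
# Added example (not from the original post). Assumes $svcprincipalPbi,
# $svcprincipalAAD and $ADApplication from the steps above; scope names are assumed.

function New-DelegatedResourceAccess {
    param(
        [Parameter(Mandatory)] $ServicePrincipal,      # from Get-AzureADServicePrincipal
        [Parameter(Mandatory)] [string[]] $ScopeNames  # Oauth2Permissions .Value names
    )
    $rra = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $rra.ResourceAppId = $ServicePrincipal.AppId
    $entries = foreach ($name in $ScopeNames) {
        $perm = $ServicePrincipal.Oauth2Permissions | Where-Object { $_.Value -eq $name }
        if (-not $perm) { throw "Scope '$name' is not exposed by $($ServicePrincipal.DisplayName)" }
        # "Scope" = delegated permission; "Role" would be an application permission
        New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $perm.Id, "Scope"
    }
    $rra.ResourceAccess = @($entries)
    return $rra
}

function Get-AppRequestedPermissions {
    param([Parameter(Mandatory)] [string] $ObjectId)   # ObjectId of the app registration
    $app = Get-AzureADApplication -ObjectId $ObjectId
    foreach ($req in $app.RequiredResourceAccess) {
        $sp = Get-AzureADServicePrincipal -Filter "appId eq '$($req.ResourceAppId)'"
        foreach ($access in $req.ResourceAccess) {
            # Resolve each GUID back to its name; unresolved IDs are flagged for review
            $defs = if ($access.Type -eq "Scope") { $sp.Oauth2Permissions } else { $sp.AppRoles }
            $name = ($defs | Where-Object { $_.Id -eq $access.Id }).Value
            [pscustomobject]@{
                Resource   = $sp.DisplayName
                Type       = $access.Type
                Permission = if ($name) { $name } else { "UNKNOWN ($($access.Id))" }
            }
        }
    }
}

# Usage: request only read scopes for Power BI plus sign-in for Azure AD, then review.
$Pbi = New-DelegatedResourceAccess -ServicePrincipal $svcprincipalPbi -ScopeNames "Dataset.Read.All", "Report.Read.All"
$Aad = New-DelegatedResourceAccess -ServicePrincipal $svcprincipalAAD -ScopeNames "User.Read"
Set-AzureADApplication -ObjectId $ADApplication.ObjectId -RequiredResourceAccess $Pbi, $Aad
Get-AppRequestedPermissions -ObjectId $ADApplication.ObjectId | Format-Table -AutoSize
```

Any row whose Type is "Role" or whose Permission shows UNKNOWN deserves a second look before an administrator consents to the app.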

Here is the full script. Change the application ID and rerun the script if you want to repeat the same steps for another application.

$Credentials = Get-Credential 
Connect-AzureAD -Credential $Credentials 

$svcprincipalPbi = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -match "Power BI Service" }
$svcprincipalAAD = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -match "Windows Azure Active Directory" }


$svcprincipalPbi.AppRoles | FT ID, DisplayName
$svcprincipalAAD.AppRoles | FT ID, DisplayName


# Show the Delegated Permissions
$svcprincipalPbi.Oauth2Permissions | FT ID, UserConsentDisplayName
$svcprincipalAAD.Oauth2Permissions | FT ID, UserConsentDisplayName


$Pbi = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Pbi.ResourceAppId = $svcprincipalPbi.AppId


$Aad = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Aad.ResourceAppId = $svcprincipalAAD.AppId


$delPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "a42657d6-7f20-40e3-b6f0-cee03008a62a","Scope" ## Access the directory as you

$delPermission4 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "47df08d3-85e6-4bd3-8c77-680fbe28162e","Scope" ## View all Groups

$delPermission3 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "a65a6bd9-0978-46d6-a261-36b3e6fdd32e","Scope" ## View users Groups

$delPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "ddd37690-e119-40c5-a821-3746ea6125c4","Scope" ## Read and write all dataflows

$delPermission5 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "4ae1bf56-f562-4747-b7bc-2fa0874ed46f","Scope" ## View all Reports

$delPermission6 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "f3076109-ca66-412a-be10-d4ee1be95d47","Scope" ## Create content

$delPermission7 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "322b68b2-0804-416e-86a5-d772c567b6e6","Scope" ## Read and Write all Datasets

$delPermission8 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7f33e027-4039-419b-938e-2f8ca153e68e","Scope" ## View all Datasets

$delPermission9 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "2448370f-f988-42cd-909c-6528efd67c1a","Scope" ## View all Dashboards

$delPermission10 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "ecc85717-98b0-4465-af6d-1cbba6f9c961","Scope" ## Add data to any of your datasets in Power BI

$delPermission11 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "b271f05e-8329-4b97-baa4-91cf15b99cf1","Scope" ## Read and Write all Dashboards

$delPermission12 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "445002fb-a6f2-4dc1-a81e-4254a111cd29","Scope" ## Read and write all workspaces

$delPermission13 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "b2f1b2fa-f35c-407c-979c-a858a808ba85","Scope" ## View all workspaces



$Aad.ResourceAccess = $delPermission1

# A trailing comma continues the array onto the next line
$Pbi.ResourceAccess = $delPermission2, $delPermission3, $delPermission4,
    $delPermission5, $delPermission6, $delPermission7, $delPermission8,
    $delPermission9, $delPermission10, $delPermission11, $delPermission12, $delPermission13

# Compare the AppId exactly; -match would treat the GUID as a regular expression
$ADApplication = Get-AzureADApplication -All $true | ? { $_.AppId -eq "<your application ID created earlier for which you want to set the permissions>" }

Set-AzureADApplication -ObjectId $ADApplication.ObjectId -RequiredResourceAccess $Pbi, $Aad
