Create Azure AD App Registration with Microsoft.Graph PowerShell

Hi All,

In this Blog Post I explain how to create an Azure AD App Registration with the Microsoft.Graph PowerShell Module.
You need to have the Azure Active Directory Role "Application Administrator" or "Application Developer".


By the way, all the Code used here is also in my GitHub Repo.

#Import Module
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications

###############################################################################
#Connect-MgGraph
#Connect to your Azure Active Directory with the "Application Administrator" or "Global Administrator" Role
###############################################################################
Connect-MgGraph -Scopes "Application.Read.All","Application.ReadWrite.All","User.Read.All"
Get-MgContext



That's the User Approval prompt you get when you sign in to Microsoft Graph with these Scopes.


###############################################################################
#Create AAD Application
###############################################################################
$AppName =  "DemoApp"
$App = New-MgApplication -DisplayName $AppName
$APPObjectID = $App.Id

###############################################################################
#List Applications
###############################################################################
Get-MgApplication -ApplicationId $APPObjectID



List all the Details of an Application:

Get-MgApplication | Where-Object {$_.DisplayName -eq "DemoApp"} | Format-List


There you have it - the Application has been created.


###############################################################################
#Add additional Owner
#The User who created the Application is automatically the Owner
###############################################################################
$User = Get-MgUser -UserId "m.muster@icewolf.ch"
$ObjectId = $User.Id
#The @odata.id must be the plain Object ID of the User, without curly braces around it
$NewOwner = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$ObjectId"
    }
New-MgApplicationOwnerByRef -ApplicationId $APPObjectID -BodyParameter $NewOwner



The Owner has been added to the Application.


###############################################################################
#Add a ClientSecret
###############################################################################
$passwordCred = @{
    "displayName" = "DemoClientSecret"
    "endDateTime" = (Get-Date).AddMonths(+12)
}
$ClientSecret2 = Add-MgApplicationPassword -ApplicationId $APPObjectID -PasswordCredential $passwordCred
$ClientSecret2
$ClientSecret2.SecretText

#Show ClientSecrets
$App = Get-MgApplication -ApplicationId $APPObjectID
$App.PasswordCredentials



You have to be patient in the Portal. It takes a Minute or so and needs a refresh of the whole Page before the Client Secret shows up.
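Client Secrets are long-lived bearer credentials, so the part that matters operationally is knowing which ones exist, when they expire, and how to rotate them without an outage. The following is an added example and not code from the original Post: it reports the Password Credentials of the App (using only the Hint, never the Secret itself) and rotates them by adding a new Secret before removing the old ones. It assumes $APPObjectID from the steps above and an existing Connect-MgGraph session with Application.ReadWrite.All; the function names Get-AppSecretReport and Invoke-AppSecretRotation are my own.

```powershell
# Added example, not part of the original post.
# Assumes: $APPObjectID = Object ID of the App Registration created above,
#          Connect-MgGraph already done with Application.ReadWrite.All
Import-Module Microsoft.Graph.Applications

function Get-AppSecretReport {
    param([Parameter(Mandatory)][string]$ApplicationId)
    $App = Get-MgApplication -ApplicationId $ApplicationId
    foreach ($Cred in $App.PasswordCredentials) {
        [pscustomobject]@{
            DisplayName = $Cred.DisplayName
            KeyId       = $Cred.KeyId
            Hint        = $Cred.Hint          # first characters only, the secret itself is never returned
            EndDateTime = $Cred.EndDateTime
            DaysLeft    = if ($Cred.EndDateTime) { [int]($Cred.EndDateTime - (Get-Date)).TotalDays } else { $null }
        }
    }
}

function Invoke-AppSecretRotation {
    param(
        [Parameter(Mandatory)][string]$ApplicationId,
        [string]$DisplayName = "RotatedClientSecret",
        [int]$ValidMonths = 6,
        [int]$RemoveIfExpiringWithinDays = 30
    )
    # 1. Add the new secret first, so there is always at least one valid credential
    $New = Add-MgApplicationPassword -ApplicationId $ApplicationId -PasswordCredential @{
        displayName = $DisplayName
        endDateTime = (Get-Date).AddMonths($ValidMonths)
    }

    # 2. Remove every other secret that is expired or expires within the cutoff
    $Cutoff = (Get-Date).AddDays($RemoveIfExpiringWithinDays)
    $App = Get-MgApplication -ApplicationId $ApplicationId
    foreach ($Old in $App.PasswordCredentials) {
        if ($Old.KeyId -ne $New.KeyId -and $Old.EndDateTime -and $Old.EndDateTime -lt $Cutoff) {
            Write-Verbose "Removing secret $($Old.DisplayName) ($($Old.KeyId))"
            Remove-MgApplicationPassword -ApplicationId $ApplicationId -KeyId $Old.KeyId
        }
    }

    # 3. Hand back the plain-text secret exactly once; store it in a vault, not in a script
    return $New.SecretText
}

Get-AppSecretReport -ApplicationId $APPObjectID | Format-Table
$NewSecret = Invoke-AppSecretRotation -ApplicationId $APPObjectID -Verbose
Get-AppSecretReport -ApplicationId $APPObjectID | Format-Table
```

Because the new Secret is added before anything is removed, a consumer that already switched to the new value keeps working, and the old value only disappears once the cutoff has been reached. Run the report regularly and alert on a low DaysLeft value, so a Secret never silently expires in production.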



###############################################################################
#Create a Self Signed Certificate
###############################################################################
#Create SelfSignedCertificate
$Subject = "DemoCert"
$NotAfter = (Get-Date).AddMonths(+24)
$Cert = New-SelfSignedCertificate -Subject $Subject -CertStoreLocation "Cert:\CurrentUser\My" -KeySpec Signature -NotAfter $Notafter -KeyExportPolicy Exportable
$ThumbPrint = $Cert.ThumbPrint

#View Certificates in the Current User Certificate Store
Get-ChildItem -Path cert:\CurrentUser\my\$ThumbPrint | Format-Table

#Export Certificate as Base64 (PEM Format)
$CurrentLocation = (Get-Location).path
$Base64 = [convert]::tobase64string((get-item cert:\currentuser\my\$ThumbPrint).RawData)
$Base64Block = $Base64 |
ForEach-Object {
    $line = $_

    for ($i = 0; $i -lt $Base64.Length; $i += 64)
    {
        $length = [Math]::Min(64, $line.Length - $i)
        $line.SubString($i, $length)
    }
}
$base64Block2 = $Base64Block | Out-String

$Value = "-----BEGIN CERTIFICATE-----`r`n"
$Value += "$Base64Block2"
$Value += "-----END CERTIFICATE-----"
$Value
Set-Content -Path "$CurrentLocation\$Subject-BASE64.cer" -Value $Value



You can see the Certificate in the Certificate Store of the Current User (certmgr.msc).


There are different ways of loading the Certificate into the $Cert Variable:

###############################################################################
#Add Certificate to AzureAD App
###############################################################################
#Loading Cert from *.cer (PEM) File
#The File was exported above as "DemoCert-BASE64.cer" (the plain Subject, without the "CN=" Prefix)
$Subject = "DemoCert"
$CurrentLocation = (Get-Location).path
$CertPath = $CurrentLocation + "\" + $Subject + "-BASE64.cer"
#X509Certificate2 is needed here, because the RawData Property is used further down
$Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

#Get Certificate with Thumbprint from UserCertStore
$ThumbPrint = "07EFF3918F47995EB53B91848F69B5C0E78622FD"
$Cert = Get-ChildItem -Path cert:\CurrentUser\my\$ThumbPrint

#Get Certificate with SubjectName from UserCertStore
$Subject = "CN=DemoCert"
$Cert = Get-ChildItem -Path cert:\CurrentUser\my\ | Where-Object {$_.Subject -eq "$Subject"}  
$Cert

# Create a keyCredential (Certificate) for App
# Note: Update-MgApplication -KeyCredentials replaces the whole KeyCredentials Collection of the App
$keyCreds = @{
    Type = "AsymmetricX509Cert";
    Usage = "Verify";
    Key = $Cert.RawData
}
 
try {
   Update-MgApplication -ApplicationId $APPObjectID -KeyCredentials $keyCreds
} catch {
   Write-Error $_
}

#Show Certificate of Azure AD Application
$App = Get-MgApplication -ApplicationId $APPObjectID
$App.KeyCredentials



You have to be patient in the Portal. It takes a Minute or so and needs a refresh of the whole Page before the Certificate shows up.
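Since Update-MgApplication -KeyCredentials overwrites the whole Collection, a plain call like the one above drops every Certificate that was already on the App. The following is an added example, not code from the original Post: it uploads a new Certificate while keeping the existing Key Credentials, stores the Thumbprint in CustomKeyIdentifier so the entry can be matched later, and reports all Certificates of the App with their expiry. It assumes $APPObjectID and $ThumbPrint from the steps above; the function names are my own. One assumption is labelled in the code: existing entries are passed back with their KeyId only, and the service is expected to keep their stored Key (which Get-MgApplication returns as null).

```powershell
# Added example, not part of the original post.
# Assumes: $APPObjectID (Object ID of the App), $ThumbPrint (Cert in Cert:\CurrentUser\My),
#          Connect-MgGraph already done with Application.ReadWrite.All
Import-Module Microsoft.Graph.Applications

function Add-AppCertificate {
    param(
        [Parameter(Mandatory)][string]$ApplicationId,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$DisplayName
    )
    if (-not $DisplayName) { $DisplayName = $Certificate.Subject }
    $App = Get-MgApplication -ApplicationId $ApplicationId

    # Skip if this exact certificate (same SHA-1 hash) is already registered
    $HashB64 = [Convert]::ToBase64String($Certificate.GetCertHash())
    $Existing = $App.KeyCredentials | Where-Object {
        $_.CustomKeyIdentifier -and [Convert]::ToBase64String($_.CustomKeyIdentifier) -eq $HashB64
    }
    if ($Existing) { Write-Warning "Certificate $($Certificate.Thumbprint) is already on the App"; return }

    # Keep the existing credentials. Assumption: passing them back with their KeyId (the Key
    # itself is returned as null) lets the service keep the stored key instead of removing it.
    $KeyCreds = @()
    foreach ($K in $App.KeyCredentials) {
        $KeyCreds += @{
            KeyId               = $K.KeyId
            Type                = $K.Type
            Usage               = $K.Usage
            DisplayName         = $K.DisplayName
            CustomKeyIdentifier = $K.CustomKeyIdentifier
        }
    }
    # Append the new certificate; CustomKeyIdentifier = thumbprint bytes, like the Portal does
    $KeyCreds += @{
        Type                = "AsymmetricX509Cert"
        Usage               = "Verify"
        Key                 = $Certificate.RawData
        DisplayName         = $DisplayName
        CustomKeyIdentifier = $Certificate.GetCertHash()
        StartDateTime       = $Certificate.NotBefore
        EndDateTime         = $Certificate.NotAfter
    }
    Update-MgApplication -ApplicationId $ApplicationId -KeyCredentials $KeyCreds
}

function Get-AppCertificateReport {
    param([Parameter(Mandatory)][string]$ApplicationId)
    $App = Get-MgApplication -ApplicationId $ApplicationId
    foreach ($K in $App.KeyCredentials) {
        $Thumb = if ($K.CustomKeyIdentifier) { ([BitConverter]::ToString($K.CustomKeyIdentifier)) -replace '-' } else { $null }
        [pscustomobject]@{
            DisplayName  = $K.DisplayName
            Thumbprint   = $Thumb
            InLocalStore = [bool]($Thumb -and (Test-Path "Cert:\CurrentUser\My\$Thumb"))
            EndDateTime  = $K.EndDateTime
            DaysLeft     = if ($K.EndDateTime) { [int]($K.EndDateTime - (Get-Date)).TotalDays } else { $null }
        }
    }
}

$LocalCert = Get-ChildItem -Path "Cert:\CurrentUser\My\$ThumbPrint"
Add-AppCertificate -ApplicationId $APPObjectID -Certificate $LocalCert -DisplayName "DemoCert"
Get-AppCertificateReport -ApplicationId $APPObjectID | Format-Table
```

The report shows which registered Certificates still have a matching private Key in the local Store and how long they remain valid, which is what you need when you roll a Certificate: add the new one, switch the Client over, and only then remove the old entry.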



Another way to get these Values would be to add the Permission in the Portal and then check the Manifest.

###############################################################################
#Add Permissions
###############################################################################
#Add Delegated Permission
#User.ReadBasic.All    Delegated    b340eb25-3456-403f-be2f-af7a0d370277
$params = @{
    RequiredResourceAccess = @(
        @{
            ResourceAppId = "00000003-0000-0000-c000-000000000000"
            ResourceAccess = @(
                @{
                    Id = "b340eb25-3456-403f-be2f-af7a0d370277"
                    Type = "Scope"
                }
            )
        }
    )
}
Update-MgApplication -ApplicationId $APPObjectID -BodyParameter $params



Delegated Permissions have been added.


Note that this Code replaces the existing required Permissions of the App rather than appending to them.

###############################################################################
#Add Permissions
###############################################################################
#Add Application Permission
#User.ReadBasic.All    Application    97235f07-e226-4f63-ace3-39588e11d3a1
$params = @{
    RequiredResourceAccess = @(
        @{
            ResourceAppId = "00000003-0000-0000-c000-000000000000"
            ResourceAccess = @(
                @{
                    Id = "97235f07-e226-4f63-ace3-39588e11d3a1"
                    Type = "Role"
                }
            )
        }
    )
}
Update-MgApplication -ApplicationId $APPObjectID -BodyParameter $params



Now we have Application Permissions. Note that the Admin Consent is not yet granted.
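Both Update-MgApplication calls above write the complete RequiredResourceAccess, so the second one silently removes the Delegated Permission added by the first, and both rely on Permission IDs copied by hand. The following is an added example, not code from the original Post: it resolves Permission Names to their IDs from the Microsoft Graph Service Principal (Oauth2PermissionScopes for Delegated, AppRoles for Application Permissions) and writes Delegated and Application Permissions in one call, so nothing is lost and no ID has to be looked up in the Manifest. It assumes $APPObjectID from the steps above and a session with Application.ReadWrite.All; reading the Graph Service Principal needs Directory read access, which the Scopes requested at the start cover in my tenant (assumption). The function name Set-AppGraphPermissions is my own.

```powershell
# Added example, not part of the original post.
# Assumes: $APPObjectID (Object ID of the App), Connect-MgGraph already done
Import-Module Microsoft.Graph.Applications

# Well-known App ID of the Microsoft Graph API (same value as used in the post)
$GraphAppId = "00000003-0000-0000-c000-000000000000"

function Set-AppGraphPermissions {
    param(
        [Parameter(Mandatory)][string]$ApplicationId,
        [string[]]$Delegated = @(),     # e.g. "User.ReadBasic.All"  -> Type "Scope"
        [string[]]$Application = @()    # e.g. "User.ReadBasic.All"  -> Type "Role"
    )
    # The service principal of Microsoft Graph carries the catalogue of all its permissions
    $GraphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
    if (-not $GraphSp) { throw "Microsoft Graph service principal not found in this tenant" }

    $Access = @()
    foreach ($Name in $Delegated) {
        $Scope = $GraphSp.Oauth2PermissionScopes | Where-Object Value -eq $Name
        if (-not $Scope) { throw "Delegated permission '$Name' does not exist on Microsoft Graph" }
        $Access += @{ Id = $Scope.Id; Type = "Scope" }
    }
    foreach ($Name in $Application) {
        $Role = $GraphSp.AppRoles | Where-Object Value -eq $Name
        if (-not $Role) { throw "Application permission '$Name' does not exist on Microsoft Graph" }
        $Access += @{ Id = $Role.Id; Type = "Role" }
    }

    # One PATCH with the complete list, because RequiredResourceAccess is always replaced as a whole
    $Params = @{
        RequiredResourceAccess = @(
            @{
                ResourceAppId  = $GraphAppId
                ResourceAccess = $Access
            }
        )
    }
    Update-MgApplication -ApplicationId $ApplicationId -BodyParameter $Params

    # Read back what is now configured, resolved to names again for review
    $App = Get-MgApplication -ApplicationId $ApplicationId
    foreach ($Entry in ($App.RequiredResourceAccess | Where-Object ResourceAppId -eq $GraphAppId).ResourceAccess) {
        $Name = if ($Entry.Type -eq "Scope") { ($GraphSp.Oauth2PermissionScopes | Where-Object Id -eq $Entry.Id).Value }
                else { ($GraphSp.AppRoles | Where-Object Id -eq $Entry.Id).Value }
        [pscustomobject]@{ Permission = $Name; Type = $Entry.Type; Id = $Entry.Id }
    }
}

# Same two permissions as in the post, written in one go
Set-AppGraphPermissions -ApplicationId $APPObjectID -Delegated "User.ReadBasic.All" -Application "User.ReadBasic.All" | Format-Table
```

Resolving Names at runtime also makes Reviews easier: the Script states which Permissions an App gets in readable form, and the read-back at the end shows exactly what ended up in the App Registration. Admin Consent is still a separate step, as in the Post.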


###############################################################################
#Redirect URI
#If you need to add Redirect URI's.
###############################################################################
#Redirect URI
$App = Get-MgApplication -ApplicationId $APPObjectID -Property *
$AppId = $App.AppId
$RedirectURI = @()
$RedirectURI += "https://login.microsoftonline.com/common/oauth2/nativeclient"
$RedirectURI += "msal" + $AppId + "://auth"
$RedirectURI += "https://localhost:3000"

$params = @{
    RedirectUris = @($RedirectURI)
}
Update-MgApplication -ApplicationId $APPObjectID -IsFallbackPublicClient -PublicClient $params



The Redirect URIs have now been added.


###############################################################################
#Grant Admin Consent - Opens URL in Browser
###############################################################################
#https://login.microsoftonline.com/{tenant-id}/adminconsent?client_id={client-id}
$App = Get-MgApplication | Where-Object {$_.DisplayName -eq "DemoApp"}
$TenantID = $App.PublisherDomain
$AppID = $App.AppID
$URL = "https://login.microsoftonline.com/$TenantID/adminconsent?client_id=$AppID"
Start-Process $URL





Log in with a "Global Administrator" Role


Grant Admin Consent


As you can see, Admin Consent has now been granted for the Application.
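The Portal Screenshot is one way to confirm the Consent; from a Security point of view it is worth verifying the same from the Shell, and then proving that the Certificate from above actually works for an App-only Sign-in. The following is an added example, not code from the original Post. It lists what has been consented for the App (App Role Assignments for Application Permissions, OAuth2 Permission Grants with ConsentType AllPrincipals for Delegated Permissions granted by an Admin) and then connects to Microsoft Graph as the Application with the Certificate. It assumes $APPObjectID and $ThumbPrint from the steps above and the Microsoft.Graph.Identity.SignIns Module for Get-MgOauth2PermissionGrant; the function names are my own.

```powershell
# Added example, not part of the original post.
# Assumes: $APPObjectID (Object ID of the App), $ThumbPrint (Cert in Cert:\CurrentUser\My),
#          a delegated Connect-MgGraph session is still active
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.SignIns   # Get-MgOauth2PermissionGrant

$GraphAppId = "00000003-0000-0000-c000-000000000000"

function Get-AppConsentReport {
    param([Parameter(Mandatory)][string]$AppId)   # Application (Client) ID, not the Object ID
    # The service principal only exists once consent (or the first sign-in) happened
    $Sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $Sp) { throw "No service principal for $AppId in this tenant - nothing has been consented yet" }
    $GraphSp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"

    # Application permissions: app role assignments held by the app's service principal
    foreach ($A in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Sp.Id) {
        $Role = $GraphSp.AppRoles | Where-Object Id -eq $A.AppRoleId
        [pscustomobject]@{
            Kind        = "Application"
            Permission  = if ($Role) { $Role.Value } else { $A.AppRoleId }
            Resource    = $A.ResourceDisplayName
            ConsentType = "AllPrincipals"   # app roles are always admin-consented
        }
    }
    # Delegated permissions: OAuth2 grants where this app is the client
    foreach ($G in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($Sp.Id)'") {
        if (-not $G.Scope) { continue }
        foreach ($Scope in $G.Scope.Trim() -split ' ') {
            [pscustomobject]@{
                Kind        = "Delegated"
                Permission  = $Scope
                Resource    = $G.ResourceId
                ConsentType = $G.ConsentType   # AllPrincipals = admin consent, Principal = single user
            }
        }
    }
}

function Connect-AsApplication {
    param(
        [Parameter(Mandatory)][string]$AppId,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    # Leave the delegated session and sign in with the certificate (client credentials flow)
    if (Get-MgContext) { Disconnect-MgGraph | Out-Null }
    Connect-MgGraph -ClientId $AppId -TenantId $TenantId -CertificateThumbprint $Thumbprint
    # AuthType "AppOnly" and the granted roles in Scopes show the certificate login worked
    Get-MgContext | Select-Object AuthType, ClientId, TenantId, Scopes
}

$AppId    = (Get-MgApplication -ApplicationId $APPObjectID).AppId
$TenantId = (Get-MgContext).TenantId

Get-AppConsentReport -AppId $AppId | Format-Table
Connect-AsApplication -AppId $AppId -TenantId $TenantId -Thumbprint $ThumbPrint
```

Comparing the Consent Report with the Permissions you intended to grant is the quickest way to catch an over-consented App, and the App-only Context at the end is the proof that the Certificate and the Permissions fit together before you hand the App to whatever Automation is going to use it.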



###############################################################################
#Remove the Application
###############################################################################
Remove-MgApplication -ApplicationId $APPObjectID






Regards
Andres Bohren