Service Principal permissions replace each other instead of getting added together in PowerShell


I have 2 functions in PowerShell to add 2 separate permissions to my service principal in Azure AD.

Here's the first:

function Add-User-Impersonation {

    param(
        $App
    )

    # user_impersonation delegated permission (Scope) on Azure Service Management
    $AzureManagementAPI = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "41094075-9dad-400e-a0bd-54e686782033","Scope"

    $RequiredAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $RequiredAccess.ResourceAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
    $RequiredAccess.ResourceAccess = $AzureManagementAPI

    Set-AzureADApplication -ObjectId $App.ObjectId -RequiredResourceAccess @($RequiredAccess)

    Write-Output "User-Impersonation Added"

    return $App
}

And here's the second:

function Add-Offline-Access {

    param(
        $App
    )

    $myappId = $App.ObjectId
    $MSGraph = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq "Microsoft Graph" }

    # Retrieve the ID of the 'offline_access' permission from Microsoft Graph
    $offlineAccessPermission = $MSGraph.Oauth2Permissions | Where-Object { $_.Value -eq 'offline_access' }
    $Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $Graph.ResourceAppId = $MSGraph.AppId
    $Per1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $offlineAccessPermission.Id,"Scope"
    $Graph.ResourceAccess = $Per1
    Set-AzureADApplication -ObjectId $myappId -RequiredResourceAccess $Graph

    Write-Output "Offline-Access Added"

    return $App
}

Screenshot: Azure Portal 1

Screenshot: Azure Portal 2

See my Azure Portal when I run each function. When I run Add-Offline-Access, it will add the "offline-access" permission under Microsoft Graph. Then, when I run Add-User-Impersonation, it will replace the "offline-access" permission with the "User Impersonation" permission under Azure Service Management. I would like to have both permissions at the same time.

Does anyone know why this bug is happening?

1 answer

Rukmini, accepted answer:

Note that Set-AzureADApplication replaces the complete RequiredResourceAccess property of the application with the new value provided in each function.

To add two separate permissions (Microsoft Graph and Windows Azure Service Management API), make use of the PowerShell script below:

# Service principals of the two resource APIs
$MgAPI = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Windows Azure Service Management API" }
$GraphAPI = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq "Microsoft Graph" }

# One RequiredResourceAccess entry per resource API
$AzureMg = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$AzureMg.ResourceAppId = $MgAPI.AppId

$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = $GraphAPI.AppId

# Delegated permissions (Scope) for each resource
$delPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "41094075-9dad-400e-a0bd-54e686782033","Scope"
$delPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7427e0e9-2fba-42fe-b0c0-848c9e6a8182","Scope"

$AzureMg.ResourceAccess = $delPermission1
$Graph.ResourceAccess = $delPermission2

$ObjectID = "dcac094f-f07c-4f81-946e-7f60a3b7003e"
$AADApplication = Get-AzureADApplication -ObjectId $ObjectID

# Both entries are passed in a single call, since each call replaces the whole list
Set-AzureADApplication -ObjectId $ObjectID -RequiredResourceAccess $AzureMg, $Graph

Azure Service Management and Microsoft Graph API permissions were added to the application successfully.
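The accepted answer re-specifies every permission in one call. Because Set-AzureADApplication overwrites the whole RequiredResourceAccess list, a reusable helper has to read the list that is already registered and merge the new entry into it. The function below is an added example, not code from the question or the answer; it assumes the AzureAD module is loaded and Connect-AzureAD has been run, and the function and parameter names are my own.

```powershell
# Added example: merge one permission into an app registration's existing
# RequiredResourceAccess instead of replacing the list (hypothetical helper).
function Add-AppPermission {
    param(
        [Parameter(Mandatory)] [string] $AppObjectId,     # ObjectId of the app registration
        [Parameter(Mandatory)] [string] $ResourceAppId,   # AppId of the resource API (e.g. Microsoft Graph)
        [Parameter(Mandatory)] [string] $PermissionId,    # Id of the OAuth2 permission or app role
        [ValidateSet("Scope", "Role")] [string] $Type = "Scope"   # Scope = delegated, Role = application
    )

    $app = Get-AzureADApplication -ObjectId $AppObjectId

    # Start from what is already registered, since Set-AzureADApplication replaces the whole list.
    $required = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]'
    foreach ($r in $app.RequiredResourceAccess) { $required.Add($r) }

    # Reuse the entry for this resource API if one exists, otherwise create it.
    $entry = $required | Where-Object { $_.ResourceAppId -eq $ResourceAppId }
    if (-not $entry) {
        $entry = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
        $entry.ResourceAppId = $ResourceAppId
        $entry.ResourceAccess = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]'
        $required.Add($entry)
    }

    # Idempotent: do nothing if the exact permission is already present.
    if ($entry.ResourceAccess | Where-Object { $_.Id -eq $PermissionId -and $_.Type -eq $Type }) {
        Write-Output "Permission $PermissionId ($Type) already present for $ResourceAppId"
        return
    }

    $access = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $PermissionId, $Type
    $entry.ResourceAccess.Add($access)

    # Write back the merged list; previously registered resources and permissions survive.
    Set-AzureADApplication -ObjectId $AppObjectId -RequiredResourceAccess $required
    Write-Output "Added $Type $PermissionId for resource $ResourceAppId"
}

# Usage (placeholder object id; the Graph AppId and permission id come from the service principal):
# $GraphAPI = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq "Microsoft Graph" }
# $offline  = $GraphAPI.Oauth2Permissions | Where-Object { $_.Value -eq "offline_access" }
# Add-AppPermission -AppObjectId "<app-object-id>" -ResourceAppId $GraphAPI.AppId -PermissionId $offline.Id
```

Running the two calls from the question through this helper in either order leaves both user_impersonation and offline_access registered, because the second call appends to the list the first one wrote.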