Azure CLI: Create an Azure AD application for an API that exposes OAuth2 Permissions

Yesterday I was challenged to register an Azure AD application for my API using Azure CLI. I know how to register Azure AD applications using PowerShell and the AzureAD module. Since I switched from a Windows system to a MacBook Pro, I thought I could use PowerShell Core to register my application. Unfortunately the AzureAD module is not available for PowerShell Core, so I checked out the Azure CLI commands.

After a first look at the Azure CLI documentation, registering an application in Azure AD seems to be very easy:

az ad app create --display-name myapi --identifier-uris http://myapi

But that alone was not enough in my case, because my API exposes some OAuth2 permissions and I did not find an optional parameter to specify them. That's why I looked at the "az ad app update" command and noticed that you can set any property of an application by using the optional parameter "--set".

In my case I created an additional JSON file that contains the definition of all OAuth2 permissions that my API exposes.

[
    {
        "adminConsentDescription": "Allows the app to delete items of the signed-in user",
        "adminConsentDisplayName": "Delete items",
        "id": "85b8f1a0-0733-47dd-9af4-cb7221dbcb73",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "type": "User",
        "userConsentDescription": "Allows the app to delete your items",
        "userConsentDisplayName": "Delete items",
        "value": "Items.Delete"
    },
    {
        "adminConsentDescription": "Allows the app to update items of the signed-in user",
        "adminConsentDisplayName": "Update items",
        "id": "5f9755ce-8e8a-42d9-bedf-040aceb274ea",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "type": "User",
        "userConsentDescription": "Allows the app to update your items",
        "userConsentDisplayName": "Update items",
        "value": "Items.Update"
    },
    {
        "adminConsentDescription": "Allows the app to create items of the signed-in user",
        "adminConsentDisplayName": "Create items",
        "id": "d75ea03e-817a-4f3a-b7da-17090ba8f779",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "type": "User",
        "userConsentDescription": "Allows the app to create items",
        "userConsentDisplayName": "Create items",
        "value": "Items.Create"
    },
    {
        "adminConsentDescription": "Allows the app to read items of the signed-in user",
        "adminConsentDisplayName": "Read items",
        "id": "8411eda6-47de-4082-aed1-2568243ba679",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "type": "User",
        "userConsentDescription": "Allows the app to read your items",
        "userConsentDisplayName": "Read items",
        "value": "Items.Read"
    }
]

To register my API I tried the following, but I got an error from Azure AD.

# create the API app and keep the JSON that az returns
API_APP=$(az ad app create --display-name myapi --identifier-uris https://myapi)
# use jq to get the appId
API_APP_ID=$(echo "$API_APP" | jq -r '.appId')
# replace the exposed scopes with the ones defined in the file
az ad app update --id "$API_APP_ID" --set oauth2Permissions=@oauth2-permissions.json

Azure AD moans that an OAuth2 permission already exists and that it must be disabled first in order to delete it. Apparently the application is created with a default permission, and "--set" replaces the whole collection, which means deleting that default one. I ended up with the following script to create my API:

# create the API app
API_APP=$(az ad app create --display-name myapi --identifier-uris https://myapi)

# get the app id
API_APP_ID=$(echo "$API_APP" | jq -r '.appId')

# disable the default exposed scope (Azure AD refuses to delete an enabled scope)
DEFAULT_SCOPE=$(az ad app show --id "$API_APP_ID" | jq '.oauth2Permissions[0].isEnabled = false' | jq -r '.oauth2Permissions')

az ad app update --id "$API_APP_ID" --set oauth2Permissions="$DEFAULT_SCOPE"

# set the needed scopes from the file 'oauth2-permissions.json'
az ad app update --id "$API_APP_ID" --set oauth2Permissions=@oauth2-permissions.json

# create a service principal for the API
az ad sp create --id "$API_APP_ID"
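The jq step above only flips index 0, which works for a freshly created app with exactly one default scope. An app that already exposes several scopes needs all of them disabled before Azure AD accepts the replacement, and a scope file with a duplicate id or value is rejected only after the disable step has already run. The following Python script is an added example, not part of the original post: it validates an oauth2-permissions.json file (UUID ids, unique ids and values, a valid consent type) and produces the two payloads for the two "--set oauth2Permissions=" calls, first the disabled existing scopes, then the new ones. The existing manifest below is constructed sample data (the id is made up); in practice you would feed it the output of "az ad app show". Note that newer Azure CLI releases, which talk to Microsoft Graph, expose these scopes under api.oauth2PermissionScopes instead of oauth2Permissions, so check the manifest your CLI version returns.

```python
"""Validate an oauth2-permissions.json file and prepare the "disable first"
payload Azure AD demands before the scope collection can be replaced.
Added example, not code from the original post."""
import json
import uuid

# Fields every exposed scope must carry before it is sent to Azure AD.
REQUIRED_FIELDS = {
    "adminConsentDescription", "adminConsentDisplayName", "id", "isEnabled",
    "type", "userConsentDescription", "userConsentDisplayName", "value",
}

# Constructed sample of what `az ad app show` returns for a brand-new app:
# one default scope that is still enabled (the UUID below is made up).
CURRENT_MANIFEST = {
    "appId": "00000000-0000-0000-0000-000000000000",
    "oauth2Permissions": [
        {
            "adminConsentDescription": "Access myapi on behalf of the signed-in user",
            "adminConsentDisplayName": "Access myapi",
            "id": "11111111-2222-3333-4444-555555555555",
            "isEnabled": True,
            "lang": None,
            "origin": "Application",
            "type": "User",
            "userConsentDescription": "Access myapi on your behalf",
            "userConsentDisplayName": "Access myapi",
            "value": "user_impersonation",
        }
    ],
}

# Two of the scopes from the post's oauth2-permissions.json.
NEW_SCOPES = [
    {
        "adminConsentDescription": "Allows the app to read items of the signed-in user",
        "adminConsentDisplayName": "Read items",
        "id": "8411eda6-47de-4082-aed1-2568243ba679",
        "isEnabled": True, "lang": None, "origin": "Application", "type": "User",
        "userConsentDescription": "Allows the app to read your items",
        "userConsentDisplayName": "Read items",
        "value": "Items.Read",
    },
    {
        "adminConsentDescription": "Allows the app to delete items of the signed-in user",
        "adminConsentDisplayName": "Delete items",
        "id": "85b8f1a0-0733-47dd-9af4-cb7221dbcb73",
        "isEnabled": True, "lang": None, "origin": "Application", "type": "User",
        "userConsentDescription": "Allows the app to delete your items",
        "userConsentDisplayName": "Delete items",
        "value": "Items.Delete",
    },
]


def validate_scopes(scopes):
    """Return a list of problems found in the scope definitions.
    An empty list means the file is safe to hand to `az ad app update --set`."""
    problems = []
    seen_ids, seen_values = set(), set()
    for i, scope in enumerate(scopes):
        missing = REQUIRED_FIELDS - scope.keys()
        if missing:
            problems.append(f"scope {i}: missing fields {sorted(missing)}")
            continue
        try:
            uuid.UUID(scope["id"])
        except ValueError:
            problems.append(f"scope {i}: id {scope['id']!r} is not a UUID")
        if scope["id"] in seen_ids:
            problems.append(f"scope {i}: duplicate id {scope['id']}")
        seen_ids.add(scope["id"])
        if scope["value"] in seen_values:
            problems.append(f"scope {i}: duplicate value {scope['value']}")
        seen_values.add(scope["value"])
        if scope["type"] not in ("User", "Admin"):
            problems.append(f"scope {i}: type must be User or Admin, got {scope['type']!r}")
        if not isinstance(scope["isEnabled"], bool):
            problems.append(f"scope {i}: isEnabled must be a boolean")
    return problems


def disable_all_scopes(manifest):
    """Return the app's existing oauth2Permissions with every entry disabled.
    This generalises the post's jq step, which only touches index 0."""
    return [dict(scope, isEnabled=False) for scope in manifest.get("oauth2Permissions", [])]


def plan_update(manifest, new_scopes):
    """Return the two collections to send, in order: disabled existing scopes,
    then the new scopes. Validation runs first so a bad file fails before any
    change is made to the app registration."""
    problems = validate_scopes(new_scopes)
    if problems:
        raise ValueError("; ".join(problems))
    return [disable_all_scopes(manifest), list(new_scopes)]


if __name__ == "__main__":
    for step, payload in enumerate(plan_update(CURRENT_MANIFEST, NEW_SCOPES), 1):
        # Each payload is what goes after `--set oauth2Permissions=`
        print(f"step {step}: {json.dumps(payload)}")
```

Run the validation before the first "az ad app update" call: the disable step is not harmless, because clients that already hold consent for an existing scope lose it the moment the scope is removed, so you only want to get there with a file you know will be accepted.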
