Az.MsiGraphPermissions

1.0.0.1

Public/Add-GraphPermissionToMsi.ps1

                                function Add-GraphPermissionToMsi {

    [cmdletbinding()]

    param (

        [parameter(Mandatory = $true)]

        [string]$ApplicationName,

        [parameter(Mandatory = $true)]

        [string[]]$GraphApiPermission,

        [parameter(mandatory = $true)]

        [string]$Token

    )

    $baseUri = 'https://graph.microsoft.com/v1.0/servicePrincipals'

    $graphAppId = '00000003-0000-0000-c000-000000000000'

    $spSearchFiler = '"displayName:{0}" OR "appId:{1}"' -f $ApplicationName, $graphAppId

    try {

        $msiParams = @{

            Method  = 'Get'

            Uri     = '{0}?$search={1}' -f $baseUri, $spSearchFiler

            Headers = @{Authorization = "Bearer $Token"; ConsistencyLevel = "eventual" }

        }

        $spList = (Invoke-RestMethod @msiParams).Value

        $msiId = ($spList | Where-Object { $_.displayName -eq $applicationName }).Id

        $graphId = ($spList | Where-Object { $_.appId -eq $graphAppId }).Id

        $msiItemParams = @{

            Method  = 'Get'

            Uri     = "$($baseUri)/$($msiId)?`$expand=appRoleAssignments"

            Headers = @{Authorization = "Bearer $Token"; ConsistencyLevel = "eventual" }

        }

        $msiItem = Invoke-RestMethod @msiItemParams

        $graphParams = @{

            Method  = 'Get'

            Uri     = "$baseUri/$($graphId)/appRoles"

            Headers = @{Authorization = "Bearer $Token"; ConsistencyLevel = "eventual" }

        }

        $graphPermissions = (Invoke-RestMethod @graphParams).Value | 

        Where-Object { $_.value -in $GraphApiPermission -and $_.allowedMemberTypes -Contains "Application" } |

        Select-Object allowedMemberTypes, id, value

        foreach ($item in $graphPermissions) {

            if ($item.id -notIn $msiItem.appRoleAssignments.appRoleId) {

                Write-Host "Adding role ($($item.value)) to identity: $($applicationName).." -ForegroundColor Green

                $postBody = @{

                    "principalId" = $msiId

                    "resourceId"  = $graphId

                    "appRoleId"   = $item.id

                }

                $postParams = @{

                    Method      = 'Post'

                    Uri         = "$baseUri/$graphId/appRoleAssignedTo"

                    Body        = $postBody | ConvertTo-Json

                    Headers     = $msiParams.Headers

                    ContentType = 'Application/Json'

                }

                $result = Invoke-RestMethod @postParams

                if ( $PSBoundParameters['Verbose'] -or $VerbosePreference -eq 'Continue' ) {

                    $result

                }

            }

            else {

                Write-Host "role ($($item.value)) already found in $($applicationName).." -ForegroundColor Yellow

            }

        }

    }

    catch {

        Write-Warning $_.Exception.Message

    }

}