Public/Graph/Import-GraphAPIPermissions.ps1

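function Import-GraphAPIPermissions {
    <#
    .SYNOPSIS
        Creates an Azure AD application from an exported permission set and prints its admin-consent URL.
    .DESCRIPTION
        Reads a CLIXML file holding the keys 'ServicePrincipalName' and 'ResourceList', creates a new
        Azure AD application that requests those resource permissions, assigns the given user as owner,
        optionally creates a client secret and writes the admin consent URL to the host.
        Every input is validated before the application is created, so a failure does not leave a
        half-configured application behind.
    .PARAMETER Owner
        Mail address (or object id) of the user that becomes the application owner.
    .PARAMETER XMLPath
        Path to the CLIXML file to import; must exist. Its contents decide which permissions the new
        application requests, so it should come from a trusted export.
    .PARAMETER SecretDuration
        'None' to create no client secret, or 1 / 2 for a secret that expires after that many years.
    .PARAMETER Name
        Display name of the new application. Defaults to the base name of the XML file.
    .PARAMETER OpenConsentInBrowser
        Open the admin consent URL in the default browser after printing it.
    .OUTPUTS
        The password credential object when a secret is created. Its Value property is the client
        secret and is only available from this output.
    #>
    param (
        [Parameter()]
        [mailaddress]
        $Owner,

        [Parameter()]
        [string]
        [ValidateScript( { Test-Path $_ })]
        $XMLPath,

        [Parameter(Mandatory)]
        [ValidateSet('None', 1, 2)]
        $SecretDuration,

        [Parameter()]
        [string]
        $Name,

        [Parameter()]
        [switch]
        $OpenConsentInBrowser
    )

    # Both parameters are optional in the signature but nothing below works without them;
    # ValidateScript only runs when a value is supplied, so an omitted path is not caught by it.
    if (-not $XMLPath) {
        Write-Host "No XML file given. Use the -XMLPath parameter. Halting script" -ForegroundColor Red
        return
    }
    if (-not $Owner) {
        Write-Host "No owner given. Use the -Owner parameter. Halting script" -ForegroundColor Red
        return
    }

    $AppOwner = Get-AzureADUser -ObjectId $Owner -ErrorAction SilentlyContinue
    if (-not $AppOwner) {
        Write-Host "Owner $Owner, not found. Halting script" -ForegroundColor Red
        # 'continue' outside a loop would abort the calling script; 'return' ends only this function
        return
    }

    # Resolve the default name before the duplicate check so the default name is checked as well
    $Leaf = Get-Item -Path $XMLPath
    if (-not $Name) { $Name = $Leaf.BaseName }

    # Double single quotes so a quote inside the name cannot break out of the OData filter
    $NameFilter = "DisplayName eq '{0}'" -f ($Name -replace "'", "''")
    $ExistingApp = Get-AzureADApplication -Filter $NameFilter
    if ($ExistingApp) {
        Write-Host "Azure AD Application Name: $Name already exists" -ForegroundColor Red
        Write-Host "Choose a name with the -Name parameter" -ForegroundColor Cyan
        return
    }

    $Hash = Import-Clixml -Path $XMLPath

    # The resource application is looked up before anything is created; an unknown service
    # principal would otherwise leave an application with an empty ResourceAppId behind
    $ServicePrincipalName = [string]$Hash['ServicePrincipalName']
    $ServicePrincipalFilter = "DisplayName eq '{0}'" -f ($ServicePrincipalName -replace "'", "''")
    $ServicePrincipal = Get-AzureADServicePrincipal -Filter $ServicePrincipalFilter
    if (-not $ServicePrincipal) {
        Write-Host "Service principal '$ServicePrincipalName' not found. Halting script" -ForegroundColor Red
        return
    }

    $AccessObject = [System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]]::new()
    foreach ($Resource in $Hash['ResourceList']) {
        $AccessObject.Add([Microsoft.Open.AzureAD.Model.ResourceAccess]@{
                Id   = $Resource.Id
                Type = $Resource.Type
            })
    }

    $RequiredObject = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]::new()
    $RequiredObject.ResourceAppId = $ServicePrincipal.AppId
    $RequiredObject.ResourceAccess = $AccessObject

    $TargetApp = New-AzureADApplication -DisplayName $Name -ReplyUrls 'https://portal.azure.com/'
    Set-AzureADApplication -ObjectId $TargetApp.ObjectId -RequiredResourceAccess $RequiredObject
    Add-AzureADApplicationOwner -ObjectId $TargetApp.ObjectId -RefObjectId $AppOwner.ObjectId

    if ($SecretDuration -ne 'None') {
        $Date = Get-Date
        $Params = @{
            ObjectId            = $TargetApp.ObjectId
            EndDate             = $Date.AddYears([int]$SecretDuration)
            CustomKeyIdentifier = "{0}-{1}" -f $TargetApp.DisplayName, $Date.ToString("yyyyMMddTHHmm")
        }
        # Deliberately not captured: the returned credential (including the secret Value) is
        # written to the pipeline because this is the only time the secret can be read back
        New-AzureADApplicationPasswordCredential @Params
    }

    $Tenant = Get-AzureADTenantDetail
    # A fresh state value per run instead of a constant, so each consent URL is unique
    $State = [guid]::NewGuid().ToString('N')
    $ConsentURL = 'https://login.microsoftonline.com/{0}/v2.0/adminconsent?client_id={1}&state={2}&redirect_uri={3}&scope={4}&prompt=admin_consent' -f @(
        $Tenant.ObjectId, $TargetApp.AppId, $State, 'https://portal.azure.com/', 'https://graph.microsoft.com/.default')
    Write-Host "Grant Admin Consent by logging in as $Owner here:" -ForegroundColor Cyan
    Write-Host $ConsentURL -ForegroundColor White
    if ($OpenConsentInBrowser) { Start-Process $ConsentURL }
}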