private/Update-ServicePrincipal.ps1
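function Update-ServicePrincipal {
    <#
    .SYNOPSIS
        Ensures a service principal exists for an application and grants it the
        requested Microsoft Graph application (app-only) permissions.
    .DESCRIPTION
        Looks up the service principal for $AppId (creating it if missing), then
        assigns each named Microsoft Graph app role to it. A role that is already
        assigned is reported (unless $silent) and skipped; an unknown role name or
        any other API error is written to the error stream and handed to
        Cleanup-Environment with exit code 1.
    .PARAMETER AppId
        Application (client) ID of the principal to update. Restricted to GUID
        syntax because it is embedded verbatim in an OData -Filter string.
    .PARAMETER Permissions
        Microsoft Graph app-role values to grant (e.g. 'User.Read.All'). Only
        roles whose AllowedMemberTypes include 'Application' are matched.
    .PARAMETER silent
        When $true, suppresses the "Already Granted" informational line.
    .OUTPUTS
        System.String. One line per granted (or already granted) permission.
    #>
    Param (
        [ValidatePattern('^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$')]
        [string]$AppId,
        [string[]]$Permissions,
        [bool]$silent
    )

    $MSI = Get-AzureADServicePrincipal -Filter "AppId eq '$AppId'"
    if ( -not $MSI ) {
        $MSI = New-AzureADServicePrincipal -AppId $AppId
    }

    # Well-known application ID of the Microsoft Graph resource. (The legacy
    # Azure AD Graph uses 00000002-0000-0000-c000-000000000000; the previous
    # comment mislabelled this constant.)
    $GraphAppId = "00000003-0000-0000-c000-000000000000"
    $GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
    if ( -not $GraphServicePrincipal ) {
        # Nothing below can succeed without the resource principal; surface the
        # reason instead of failing later on a null ResourceId.
        Write-Error "Microsoft Graph service principal ($GraphAppId) not found in this tenant"
        Cleanup-Environment -exitCode 1
    }

    foreach ( $permission in $Permissions ) {
        # Delegated scopes share names with app roles; only app roles can be
        # assigned to a service principal, hence the AllowedMemberTypes filter.
        $AppRole = $GraphServicePrincipal.AppRoles |
            Where-Object { $_.Value -eq $permission -and $_.AllowedMemberTypes -contains "Application" }
        if ( -not $AppRole ) {
            # Without this guard -Id would be $null and the API would reject the
            # call with an unrelated message; name the bad role explicitly.
            Write-Error "Unknown Microsoft Graph application permission '$permission'"
            Cleanup-Environment -exitCode 1
            # Cleanup-Environment is defined elsewhere and presumably exits; if it
            # does not, skip this role rather than attempt a null assignment.
            continue
        }
        try {
            New-AzureADServiceAppRoleAssignment `
                -ObjectId $MSI.ObjectId `
                -PrincipalId $MSI.ObjectId `
                -ResourceId $GraphServicePrincipal.ObjectId `
                -Id $AppRole.Id | Out-Null
            Write-Output " Granted $permission"
        } catch [Microsoft.Open.AzureAD16.Client.ApiException] {
            if ( $_.Exception.ErrorContent.Message.Value -match "already exists" ) {
                if ( -not $silent ) {
                    Write-Output " Permission $permission Already Granted"
                }
            } else {
                # Report the API message before tearing down; the original
                # swallowed it and the caller saw only the exit code.
                Write-Error $_.Exception.ErrorContent.Message.Value
                Cleanup-Environment -exitCode 1
            }
        }
    }
}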