skip to Main Content

I’m trying to automate the process of creating an Azure AD application using Azure PowerShell. Specifically, I want to create an application, add a client secret, grant the Mail.Send permission, and generate a token, all within a single PowerShell script. However, I’m encountering a few challenges.

I was able to create the application successfully and add a client secret. However, I’m unsure how to add the Mail.Send Application permission to the application. I found the permission ID but don’t know the correct command to implement it.

Once the permission is added, do I need to grant admin consent explicitly, or is that handled automatically? I want to ensure everything is set up correctly before generating the token.

Here’s the code I’m working with:

Connect-AzAccount

$appName = "MyTestingApp"
$app = New-AzADApplication -DisplayName $appName -IdentifierUris "https://myapp.com"

$secret = New-AzADAppCredential -ApplicationId $app.ApplicationId -EndDate (Get-Date).AddYears(1)

$permissionId = "a0e0c2c0-6b4c-4c98-bcd8-15e7995d8f2b"  # Mail.Send permission ID

$tenantId = "xxxxxxx"
$clientId = $app.ApplicationId
$clientSecret = $secret.SecretText
$tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"

$body = @{
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = "https://graph.microsoft.com/.default"
    grant_type    = "client_credentials"
}

$response = Invoke-RestMethod -Method Post -Uri $tokenUrl -ContentType "application/x-www-form-urlencoded" -Body $body
$token = $response.access_token

2

Answers


  1. Connect to Azure Account

    Connect-AzAccount

    Create the Azure AD application

    $appName = "MyTestingApp"
    $app = New-AzADApplication -DisplayName $appName -IdentifierUris "https://myapp.com"

    Add a client secret

    $secret = New-AzADAppCredential -ApplicationId $app.ApplicationId -EndDate (Get-Date).AddYears(1)

    Define the permission ID for Mail.Send

    $permissionId = "a0e0c2c0-6b4c-4c98-bcd8-15e7995d8f2b" # Mail.Send permission ID

    Add the Mail.Send permission to the application

    $resourceId = "00000003-0000-0000-c000-000000000000

    Login or Signup to reply.
  2. You can make use of below sample PowerShell script to add Mail.Send permission when creating application with secret and generate token:

    Connect-AzAccount
    
    $appName = "MyTestingApp"
    $app = New-AzADApplication -DisplayName $appName
    
    $secret = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddYears(1)
    
    Start-Sleep -Seconds 30
    
    $graphApiId = '00000003-0000-0000-c000-000000000000'
    $mailSendId = 'b633e1c5-b582-4048-a93e-9f11b44c7e96'
    
    $graphSp = Get-AzADServicePrincipal -Filter "appId eq '$graphApiId'"
    
    Add-AzADAppPermission -ObjectId $app.Id -ApiId $graphApiId -PermissionId $mailSendId -Type Role
    
    $sp = New-AzADServicePrincipal -ApplicationId $app.AppId
    
    New-AzADServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $mailSendId
    
    Start-Sleep -Seconds 30
    
    $tenantId = (Get-AzContext).Tenant.Id
    $clientId = $app.AppId
    $clientSecret = $secret.SecretText
    
    $tokenUrl = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
    
    $body = @{
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = "https://graph.microsoft.com/.default"
        grant_type    = "client_credentials"
    }
    
    $response = Invoke-RestMethod -Method Post -Uri $tokenUrl -ContentType "application/x-www-form-urlencoded" -Body $body
    $token = $response.access_token
    
    $token
    

    Response:

    enter image description here

    To confirm that, I checked the same in Portal where new application with secret and permission added successfully with admin consent as below:

    enter image description here

    When I decoded the generated token in jwt.ms website, it has Mail.Send permission in roles claim like this:

    enter image description here

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search