Azure ad app - Updating manifest programmatically

R

3

7

I am trying to find a way to update an Azure Ad registered app's manifest via powershell, utilizing a json file.

The Json file contains all of the app roles, and i would like to simple inject the App Roles: [] right into the App Role Brackets

Is there a way to achieve this via power shell or CLI?

Radii answered 11/10, 2018 at 14:49 Comment(0)

L

4

Keep in mind that the "manifest", as displayed in the Azure AD portal, is nothing more than a lightly-constrained representation of the Application object, as exposed by the Azure AD Graph API: https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#application-entity

Azure AD PowerShell (the AzureAD module) is just a simple wrapper around the same API. New‑AzureADApplication does a POST on /applications, Get‑AzureADApplication does a GET, Set‑AzureADApplication does a PATCH, and Remove‑AzureADApplication does a DELETE.

So, keeping that in mind, consider the following input file app-roles.json:

[
    {
        "allowedMemberTypes": [ "Application" ],
        "description": "Read some things in the My App service",
        "displayName": "Read some things",
        "id": "b2b2e6de-bb42-41b4-92db-fda89218b5ae",
        "isEnabled": true,
        "value": "Things.Read.Some"
    },
    {
        "allowedMemberTypes": [ "User" ],
        "description": "Super admin role for My App",
        "displayName": "My App Super Admin",
        "id": "a01eca9b-0c55-411d-aa5f-d8cfdbadf500",
        "isEnabled": true,
        "value": "super_admin"
    }
]

You could use the following script to set those app roles on an app (note this will remove any existing app roles, which will cause an error is they weren't previously disabled):

$appId = "{app-id}"
$pathToAppRolesJson = "app-roles.json"

# Read all desired app roles from JSON file
$appRolesFromJson = Get-Content -Path $pathToAppRolesJson -Raw | ConvertFrom-Json

# Build a new list of Azure AD PowerShell AppRole objects
$appRolesForApp = @()
$appRolesFromJson | ForEach-Object {

    # Create new Azure AD PowerShell AppRole object for each app role
    $appRole = New-Object "Microsoft.Open.AzureAD.Model.AppRole"
    $appRole.AllowedMemberTypes = $_.allowedMemberTypes
    $appRole.Description = $_.description
    $appRole.DisplayName = $_.displayName
    $appRole.Id = $_.id
    $appRole.IsEnabled = $_.isEnabled
    $appRole.Value = $_.value

    # Add to the list of app roles
    $appRolesForApp += $appRole
}

# Update the Application object with the new list of app roles
$app = Get-AzureADApplication -Filter ("appId eq '{0}'" -f $appId)
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRolesForApp

Lissy answered 12/10, 2018 at 13:57 Comment(1)

For programmatic manifest control one can use the Azure CLI tools now, see az ad app update. – Cottonseed 15/8, 2019 at 14:7

V

8

Yes you can update the Azure AD Application's manifest through PowerShell.

Specifically to add App Roles, here's a PowerShell script.

In case you're trying to do this while creating a new application, just use New-AzureADApplication instead of Set-AzureADApplication.

Connect-AzureAD -TenantId <Tenant GUID>

# Create an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
    $appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
    $appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
    $appRole.AllowedMemberTypes.Add("User");
    $appRole.DisplayName = $Name
    $appRole.Id = New-Guid
    $appRole.IsEnabled = $true
    $appRole.Description = $Description
    $appRole.Value = $Name;
    return $appRole
}

# ObjectId for application from App Registrations in your AzureAD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
Write-Host "App Roles before addition of new role.."
Write-Host $appRoles

$newRole = CreateAppRole -Name "MyNewApplicationRole" -Description "This is my new Application Role"
$appRoles.Add($newRole)

Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles

Vigilant answered 11/10, 2018 at 16:31 Comment(2)

Thank you. I had seen this, but was trying to do more of an insert of information, via a json file, that contains the app roles as they would appear in the manifest. Just dumping the raw json, into the App Roles: [] brackets – Radii 11/10, 2018 at 18:36

You would just need to read the JSON, parse it, construct the Azure AD PowerShell AppRole objects just like Rohit describes here, and set the AppRoles attribute. – Lissy 12/10, 2018 at 14:3

L

4

Keep in mind that the "manifest", as displayed in the Azure AD portal, is nothing more than a lightly-constrained representation of the Application object, as exposed by the Azure AD Graph API: https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#application-entity

Azure AD PowerShell (the AzureAD module) is just a simple wrapper around the same API. New‑AzureADApplication does a POST on /applications, Get‑AzureADApplication does a GET, Set‑AzureADApplication does a PATCH, and Remove‑AzureADApplication does a DELETE.

So, keeping that in mind, consider the following input file app-roles.json:

[
    {
        "allowedMemberTypes": [ "Application" ],
        "description": "Read some things in the My App service",
        "displayName": "Read some things",
        "id": "b2b2e6de-bb42-41b4-92db-fda89218b5ae",
        "isEnabled": true,
        "value": "Things.Read.Some"
    },
    {
        "allowedMemberTypes": [ "User" ],
        "description": "Super admin role for My App",
        "displayName": "My App Super Admin",
        "id": "a01eca9b-0c55-411d-aa5f-d8cfdbadf500",
        "isEnabled": true,
        "value": "super_admin"
    }
]

You could use the following script to set those app roles on an app (note this will remove any existing app roles, which will cause an error is they weren't previously disabled):

$appId = "{app-id}"
$pathToAppRolesJson = "app-roles.json"

# Read all desired app roles from JSON file
$appRolesFromJson = Get-Content -Path $pathToAppRolesJson -Raw | ConvertFrom-Json

# Build a new list of Azure AD PowerShell AppRole objects
$appRolesForApp = @()
$appRolesFromJson | ForEach-Object {

    # Create new Azure AD PowerShell AppRole object for each app role
    $appRole = New-Object "Microsoft.Open.AzureAD.Model.AppRole"
    $appRole.AllowedMemberTypes = $_.allowedMemberTypes
    $appRole.Description = $_.description
    $appRole.DisplayName = $_.displayName
    $appRole.Id = $_.id
    $appRole.IsEnabled = $_.isEnabled
    $appRole.Value = $_.value

    # Add to the list of app roles
    $appRolesForApp += $appRole
}

# Update the Application object with the new list of app roles
$app = Get-AzureADApplication -Filter ("appId eq '{0}'" -f $appId)
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRolesForApp

Lissy answered 12/10, 2018 at 13:57 Comment(1)

For programmatic manifest control one can use the Azure CLI tools now, see az ad app update. – Cottonseed 15/8, 2019 at 14:7

J

1

Azure Client command

az ad app update --id e042ec79-34cd-498f-9d9f-123456781234 --app-roles @manifest.json

manifest.json

[{
    "allowedMemberTypes": [
      "User"
    ],
    "description": "Approvers can mark documents as approved",
    "displayName": "Approver",
    "isEnabled": "true",
    "value": "approver"
}]

More info ine the documentation of azure cli

Jael answered 16/9, 2019 at 8:13 Comment(0)

Recommended topics

Hot tags