s-a-n

Reputation: 787

Azure AD App Registration for multi-tenant and personal accounts using PowerShell

Is there any way to create an Azure AD App Registration for multi-tenant and personal accounts using PowerShell? Nothing in this document helps me do that: https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureadapplication?view=azureadps-2.0

Upvotes: 1

Views: 1505

Answers (2)

Joy Wang

Reputation: 42043

Yes, as mentioned by Allen, the AD app type property is managed by the -SignInAudience parameter, but when you use New-AzureADApplication with -SignInAudience, it gives the error Property 'signInAudience' is read-only and cannot be set, because New-AzureADApplication essentially calls the old Azure AD Graph.

To solve the issue, you could call the Microsoft Graph Create application API manually in PowerShell as mentioned by Allen, or you could also use the new command New-AzureADMSApplication, which calls Microsoft Graph directly.

Make sure your AzureAD PowerShell module is not too old, then use the command below.

New-AzureADMSApplication -DisplayName "joytest678" -SignInAudience "AzureADandPersonalMicrosoftAccount"

(screenshot of the command output)

Check in the portal:

(screenshot of the app registration in the portal)

Upvotes: 3
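The following is an added example, not code from either answer above. It builds on Joy Wang's New-AzureADMSApplication command: it also requests v2.0 access tokens at creation time (personal Microsoft accounts are only served by the v2.0 endpoint, and Allen Wu's Graph PATCH below sets the same property), then reads the application back from the directory and verifies that both properties actually landed instead of trusting the local return value. Assumptions: an AzureAD module version that ships New-AzureADMSApplication and exposes the -Api parameter with the Microsoft.Open.MSGraph.Model.ApiApplication type, an existing Connect-AzureAD session with permission to create applications, and a display name of my own choosing.

```powershell
# Added example; assumes AzureAD module with New-AzureADMSApplication and an
# account allowed to create app registrations in the tenant.
Connect-AzureAD | Out-Null

# Personal Microsoft accounts only receive v2.0 tokens, so ask for v2 access
# tokens when the registration is created rather than patching it afterwards.
# Assumption: the -Api parameter takes this type in your module version.
$api = New-Object -TypeName Microsoft.Open.MSGraph.Model.ApiApplication
$api.RequestedAccessTokenVersion = 2

# Display name is a placeholder; use your own naming convention.
$app = New-AzureADMSApplication -DisplayName "multitenant-msa-example" `
    -SignInAudience "AzureADandPersonalMicrosoftAccount" `
    -Api $api

# Re-read the object by its object id (the MS Graph model exposes it as Id, not
# ObjectId) so the check reflects directory state, not the local return object.
$check = Get-AzureADMSApplication -ObjectId $app.Id

if ($check.SignInAudience -ne "AzureADandPersonalMicrosoftAccount") {
    throw "signInAudience is '$($check.SignInAudience)', expected AzureADandPersonalMicrosoftAccount"
}
if ($check.Api.RequestedAccessTokenVersion -ne 2) {
    throw "requestedAccessTokenVersion is '$($check.Api.RequestedAccessTokenVersion)', expected 2"
}

"{0} ({1}) created: audience={2}, token version={3}" -f `
    $check.DisplayName, $check.AppId, $check.SignInAudience, $check.Api.RequestedAccessTokenVersion
```

If the throw on signInAudience fires, the module is most likely an old version whose cmdlet silently ignored the parameter; if the token-version check fires, sign-in with a personal account will fail at the v2.0 endpoint even though the audience looks right in the portal.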

Allen Wu

Reputation: 16438

The AAD app type property should be -SignInAudience. But it's read-only in AAD PowerShell.

So the workaround is to call Microsoft Graph to modify this property.

A sample for your reference (modify {client_id}, {client_secret} and {tenant_id} to yours, and grant the Application.ReadWrite.All application permission to your app registration as per Update application permissions):

Connect-AzureAD

# Create the registration first; signInAudience cannot be set through this cmdlet.
$App = New-AzureADApplication -DisplayName "PSMultiApp02"

# Placeholders for the app used to call Microsoft Graph (needs Application.ReadWrite.All).
# In real use, read the secret from a secure store instead of embedding it in the script.
$tenantId     = "{tenant_id}"
$clientId     = "{client_id}"
$clientSecret = "{client_secret}"

# Client-credentials request to the v2.0 token endpoint. A hashtable body is sent by
# Invoke-RestMethod as application/x-www-form-urlencoded, which is what the endpoint expects.
$tokenBody = @{
    grant_type    = "client_credentials"
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = "https://graph.microsoft.com/.default"
}

$AuthTokenResponse = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" -Method Post -Body $tokenBody

$authToken = $AuthTokenResponse.access_token

$headers = @{
    "Authorization" = "Bearer $authToken"
}

# signInAudience is only writable through Microsoft Graph; requestedAccessTokenVersion 2
# goes with it because personal Microsoft accounts only get v2.0 tokens.
$postData = @{
    signInAudience = "AzureADandPersonalMicrosoftAccount"
    api            = @{ requestedAccessTokenVersion = 2 }
} | ConvertTo-Json

$requestURI = "https://graph.microsoft.com/v1.0/applications/$($App.ObjectId)"

# PATCH returns 204 No Content on success, so $Result is empty; read the object back to confirm.
$Result = Invoke-RestMethod -Uri $requestURI -Method Patch -Headers $headers -ContentType "application/json" -Body $postData

Invoke-RestMethod -Uri $requestURI -Method Get -Headers $headers | Select-Object displayName, signInAudience, api

Upvotes: 1
