Reputation: 227
I have a PowerShell script that creates an Azure App Registration and Service Principal and gives it permissions in a Management Group. A majority of it functions properly; the issue I'm having with the script is granting admin consent to the permissions granted to the application registration.
In the script below you'll notice I attempt this by calling the API via an az rest command, but this returns "unary operator expected '--'". Has anyone had any luck with using the az CLI in Azure Cloud Shell and programmatically granting admin consent on app registrations?
```powershell
#!/usr/local/bin/pwsh
# This powershell script creates an app registration and assigns it the owner role to a management group
# Command used to run script ./test-appregistration.ps1 -ManagementGroupName <Management Group Name> -AppRegistrationName <App Name> -ReplyURL <Redirect URL>

# Input Variable(s)
param(
    [Parameter(Mandatory = $true)]
    [string] $ManagementGroupName,
    [Parameter(Mandatory = $true)]
    [string] $AppRegistrationName,
    [Parameter(Mandatory = $true)]
    [string] $ReplyURL
)

### Permission endpoints in the $permissions array variable
# UserRead = "06da0dbc-49e2-44d2-8312-53f166ab848a=Scope"
# DirectoryReadAll = "e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope"
# UserReadAll = "62a82d76-70ea-41e2-9197-370581804d09=Role"
# GroupsReadWriteAll = "df021288-bdef-4463-88db-98f22de89214=Role"

# Variables
$MSGraphId = "00000003-0000-0000-c000-000000000000"
$permissions = @("06da0dbc-49e2-44d2-8312-53f166ab848a=Scope", "e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope", "62a82d76-70ea-41e2-9197-370581804d09=Role", "df021288-bdef-4463-88db-98f22de89214=Role")

# Confirming AZ CLI is installed on localhost
Write-Host "Verifying AZ CLI is installed..."
$azcli = az version --query '\"azure-cli\"'
if ($null -eq $azcli) {
    # Log before throwing; anything after "throw" never runs
    Write-Host "AZ CLI not installed; aborting script execution."
    throw "Azure CLI not installed. Please install the Azure CLI and try again"
}
else {
    Write-Host "Azure CLI version $azcli is installed on localhost; moving forward with script execution"
}
Start-Sleep -s 3

# Check if logged into Azure
$azContext = az account show --query '[environmentName,tenantId,user.name]' -o tsv 2>&1
if ($azContext -match "ERROR: Please run 'az login' to setup account.") {
    Write-Host "Logging into Azure"
    az login
}
else {
    Write-Host "You are already logged in, your current context is $azContext"
}

# Create Client Secret (note: Get-Random is not a cryptographically secure generator)
$pwArr = "!?@#$%^&*0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz".tochararray()
$Password = ($pwArr | Get-Random -Count 20) -Join ''

# App Registration Creation
$appId = az ad app create --display-name $AppRegistrationName --reply-urls $ReplyURL --password $Password --credential-description "CT Secret" --end-date '2299-12-12' --query "appId" -o tsv
Write-Host "App Registration $AppRegistrationName created with Client Id $appId"
Start-Sleep -s 10

# Create a Service Principal for the App Registration
$appSP = az ad sp create --id $appId --query "objectId" -o tsv
Write-Host "Service principal for App Registration $AppRegistrationName created with ID $appSP."
az role assignment create --role "User Access Administrator" --assignee-object-id $appSP
az ad app permission grant --id $appId --api $MSGraphId --debug

# Add API Permissions to App Registration
foreach ($permission in $permissions) {
    az ad app permission add --id $appId --api $MSGraphId --api-permissions $permission
}
Write-Host "Microsoft Graph Permissions with Id $MSGraphId added to App Registration"
Start-Sleep -s 10

# Attempt to grant admin consent via the Graph API; this is the call that fails with "unary operator expected '--'"
foreach ($permission in $permissions) {
    az rest --method POST --uri https://graph.microsoft.com/beta/servicePrincipals/$MSGraphId/appRoleAssignments --header Content-Type=application/json --body '{
        "principalId": $appSP,
        "resourceId": $MSGraphId,
        "appRoleId": $permissions
    }'
}

# Retrieve Object Id from Service Principal
$spId = az ad sp show --id $appId --query "objectId" -o tsv
Write-Host "$AppRegistrationName Service Principal Object Id is $spId"
Start-Sleep -s 5

# Gets Management Group and assigns the Service Principal the Owner role on Management Group
az role assignment create --role "Owner" --assignee-object-id $spId --scope "/providers/Microsoft.Management/managementGroups/$ManagementGroupName"
Write-Host "$AppRegistrationName assigned Owner permissions to Management Group $ManagementGroupName"
Start-Sleep -s 5

# Gets Required Output from Script ($domain is never assigned anywhere in this script)
Write-Output `n "Domain name(s) for Azure AD Tenant is/are $domain"
Write-Output `n "App Registration Client Id = $appId"
Write-Output `n "Client Secret of App Registration = $Password"
```
Upvotes: 0
Views: 271
Reputation: 23111
If you want to complete Azure AD admin consent with Azure CLI, you can use the command az ad app permission admin-consent. For more details, please refer to here.
For example:
```powershell
# Variables
$MSGraphId = "00000003-0000-0000-c000-000000000000"
$permissions = @("06da0dbc-49e2-44d2-8312-53f166ab848a=Scope", "e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope", "62a82d76-70ea-41e2-9197-370581804d09=Role", "df021288-bdef-4463-88db-98f22de89214=Role")

# Confirming AZ CLI is installed on localhost
Write-Host "Verifying AZ CLI is installed..."
$azcli = az version --query '\"azure-cli\"'
if ($null -eq $azcli) {
    # Log before throwing; anything after "throw" never runs
    Write-Host "AZ CLI not installed; aborting script execution."
    throw "Azure CLI not installed. Please install the Azure CLI and try again"
}
else {
    Write-Host "Azure CLI version $azcli is installed on localhost; moving forward with script execution"
}
Start-Sleep -s 3

# Check if logged into Azure
$azContext = az account show --query '[environmentName,tenantId,user.name]' -o tsv 2>&1
if ($azContext -match "ERROR: Please run 'az login' to setup account.") {
    Write-Host "Logging into Azure"
    az login
}
else {
    Write-Host "You are already logged in, your current context is $azContext"
}

# Create Client Secret (note: Get-Random is not a cryptographically secure generator)
$pwArr = "!?@#$%^&*0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz".tochararray()
$Password = ($pwArr | Get-Random -Count 20) -Join ''
$AppRegistrationName = "testapp458"
$ReplyURL = "http://localhost"

# App Registration Creation
$appId = az ad app create --display-name $AppRegistrationName --reply-urls $ReplyURL --password $Password --credential-description "CT Secret" --end-date '2299-12-12' --query "appId" -o tsv
Write-Host "App Registration $AppRegistrationName created with Client Id $appId"
Start-Sleep -s 10

# Create a Service Principal for the App Registration
$appSP = az ad sp create --id $appId --query "objectId" -o tsv
Write-Host "Service principal for App Registration $AppRegistrationName created with ID $appSP."
az role assignment create --role "User Access Administrator" --assignee-object-id $appSP
az ad app permission grant --id $appId --api $MSGraphId

# Add API Permissions to App Registration
foreach ($permission in $permissions) {
    az ad app permission add --id $appId --api $MSGraphId --api-permissions $permission
}
Write-Host "Microsoft Graph Permissions with Id $MSGraphId added to App Registration"
Start-Sleep -s 10

# Grant tenant-wide admin consent for every permission added above
az ad app permission admin-consent --id $appId
```
Upvotes: 1
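Added example, not part of the question or the answer: once admin-consent has been run, a script that hands out Graph permissions should verify that consent actually exists on the app's service principal instead of trusting the command's exit code. Application permissions (=Role) show up as appRoleAssignments and delegated permissions (=Scope) as a tenant-wide oauth2PermissionGrant; the helper below reads both through az rest and reports any requested entry that is missing. It assumes az CLI is logged in as a tenant admin and that $appId and $permissions hold the same values as in the script above; the function names are my own.

```powershell
# Verify tenant-wide admin consent for an app registration (added example).
$MSGraphAppId = "00000003-0000-0000-c000-000000000000"

function Get-GraphJson([string] $Url) {
    # az rest prints JSON line by line; Out-String rejoins it for ConvertFrom-Json.
    az rest --method GET --url $Url | Out-String | ConvertFrom-Json
}

function Get-SpObjectId([string] $AppId) {
    # Resolve an SP's directory object id from its appId via Graph. This avoids the
    # objectId-vs-id rename across az CLI versions in "az ad sp show" output.
    $sp = (Get-GraphJson "https://graph.microsoft.com/v1.0/servicePrincipals?`$filter=appId eq '$AppId'&`$select=id").value
    if (-not $sp) { throw "No service principal in this tenant for appId $AppId" }
    return $sp[0].id
}

function Test-AdminConsent([string] $AppId, [string[]] $Requested) {
    $spId      = Get-SpObjectId $AppId
    $graphSpId = Get-SpObjectId $MSGraphAppId   # Graph's SP object id in *this* tenant, not its appId
    $graph     = "https://graph.microsoft.com/v1.0/servicePrincipals"

    # Application permissions granted: appRoleId GUIDs whose resource is Microsoft Graph.
    $grantedRoles = (Get-GraphJson "$graph/$spId/appRoleAssignments").value |
        Where-Object { $_.resourceId -eq $graphSpId } | ForEach-Object { $_.appRoleId }

    # Delegated permissions consented for all users: a space-separated list of scope *names*.
    $grantedScopes = (Get-GraphJson "$graph/$spId/oauth2PermissionGrants").value |
        Where-Object { $_.resourceId -eq $graphSpId -and $_.consentType -eq 'AllPrincipals' } |
        ForEach-Object { $_.scope -split ' ' } | Where-Object { $_ }

    # Map the requested delegated GUIDs to scope names using Graph's own SP manifest.
    $scopeNames = @{}
    (Get-GraphJson "$graph/${graphSpId}?`$select=oauth2PermissionScopes").oauth2PermissionScopes |
        ForEach-Object { $scopeNames[$_.id] = $_.value }

    # Anything requested as "<guid>=Role" or "<guid>=Scope" that is not granted is reported.
    $missing = foreach ($p in $Requested) {
        $id, $kind = $p -split '='
        if ($kind -eq 'Role'  -and $grantedRoles  -notcontains $id)             { $p }
        if ($kind -eq 'Scope' -and $grantedScopes -notcontains $scopeNames[$id]) { $p }
    }
    return [pscustomobject]@{ ServicePrincipalId = $spId; Missing = @($missing) }
}

$result = Test-AdminConsent -AppId $appId -Requested $permissions
if ($result.Missing.Count) { throw "Admin consent incomplete; missing: $($result.Missing -join ', ')" }
Write-Host "All $($permissions.Count) requested Graph permissions are consented for SP $($result.ServicePrincipalId)"
```

Running the check before the Owner role assignment turns a silent partial consent into a hard failure, and the same function can be re-run later to detect consent that was revoked or widened out of band.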