
Reputation: 15

How to add Mail.Send permission when creating application with secret?

I'm trying to automate the process of creating an Azure AD application using Azure PowerShell. Specifically, I want to create an application, add a client secret, grant the Mail.Send permission, and generate a token, all within a single PowerShell script. However, I’m encountering a few challenges.

I was able to create the application successfully and add a client secret. However, I'm unsure how to add the Mail.Send Application permission to the application. I found the permission ID but don't know the correct command to implement it.

Once the permission is added, do I need to grant admin consent explicitly, or is that handled automatically? I want to ensure everything is set up correctly before generating the token.

Here’s the code I’m working with:


$appName = "MyTestingApp"
$app = New-AzADApplication -DisplayName $appName -IdentifierUris ""

# Add a client secret valid for one year
$secret = New-AzADAppCredential -ApplicationId $app.ApplicationId -EndDate (Get-Date).AddYears(1)

$permissionId = "a0e0c2c0-6b4c-4c98-bcd8-15e7995d8f2b"  # Mail.Send permission ID

$tenantId = "xxxxxxx"
$clientId = $app.ApplicationId
$clientSecret = $secret.SecretText
$tokenUrl = "$tenantId/oauth2/v2.0/token"

# Client credentials grant request body
$body = @{
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = ""
    grant_type    = "client_credentials"
}

$response = Invoke-RestMethod -Method Post -Uri $tokenUrl -ContentType "application/x-www-form-urlencoded" -Body $body
$token = $response.access_token

Upvotes: 1

Views: 206

Answers (2)


Reputation: 22597

You can make use of the below sample PowerShell script to add the Mail.Send permission when creating an application with a secret and generate a token:


$appName = "MyTestingApp"
$app = New-AzADApplication -DisplayName $appName

# Add a client secret valid for one year
$secret = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddYears(1)

# Wait for the new application to replicate before referencing it
Start-Sleep -Seconds 30

$graphApiId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph resource appId
$mailSendId = 'b633e1c5-b582-4048-a93e-9f11b44c7e96'   # Mail.Send application role (app role) id

# Service principal of Microsoft Graph in this tenant (needed as the assignment's ResourceId)
$graphSp = Get-AzADServicePrincipal -Filter "appId eq '$graphApiId'"

# Add Mail.Send as a required application permission (Type Role = application permission)
Add-AzADAppPermission -ObjectId $app.Id -ApiId $graphApiId -PermissionId $mailSendId -Type Role

# Create the service principal for the application
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId

# Grant admin consent by assigning the Graph app role to the new service principal
New-AzADServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -ResourceId $graphSp.Id -AppRoleId $mailSendId

# Wait for the permission grant to propagate before requesting a token
Start-Sleep -Seconds 30

$tenantId = (Get-AzContext).Tenant.Id
$clientId = $app.AppId
$clientSecret = $secret.SecretText

$tokenUrl = "$tenantId/oauth2/v2.0/token"

# Client credentials grant request body
$body = @{
    client_id     = $clientId
    client_secret = $clientSecret
    scope         = ""
    grant_type    = "client_credentials"
}

$response = Invoke-RestMethod -Method Post -Uri $tokenUrl -ContentType "application/x-www-form-urlencoded" -Body $body
$token = $response.access_token


To confirm that, I checked the same in the Portal, where the new application with the secret and permission was added successfully with admin consent, as below:


When I decoded the generated token on a website, it had the Mail.Send permission in the roles claim like this:


Upvotes: 0
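The answer above proves the grant by decoding the token by hand and looking at the Portal. The following is an added example, not code from the question or either answer, that automates both checks so the script can fail closed when the grant did not take: it decodes the access token's payload (without validating the signature, so it is an inspection aid only) and compares the roles claim against the exact set of app roles the script intended to grant, and it lists the app role assignments actually consented on the service principal by resolving each AppRoleId to its name. It assumes the Az.Resources module (6.x or later, which provides Get-AzADServicePrincipalAppRoleAssignment) and an existing Connect-AzAccount session for the Get-AppRoleGrants function; the sample token is constructed inline and is not a real token.

```powershell
# Added verification helpers; not part of the original answer.
# Assumptions: Az.Resources 6.x+ is installed and Connect-AzAccount has been run
# before calling Get-AppRoleGrants. ConvertFrom-JwtPayload and Test-TokenRoles run offline.

function ConvertFrom-JwtPayload {
    # Decode the payload (second segment) of a JWT. The signature is NOT checked,
    # so this only shows what the token claims, not that the claims are genuine.
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected at least two dot-separated segments' }

    # base64url -> base64: restore the standard alphabet and the '=' padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Test-TokenRoles {
    # Compare the roles claim with the app roles the script meant to grant.
    # Returns $true only when the two sets match exactly: a missing role means the
    # grant has not propagated, an extra role means the app is over-privileged.
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string[]]$ExpectedRoles
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    $actual = @($claims.roles | Where-Object { $null -ne $_ })   # absent claim -> empty array
    $missing = @($ExpectedRoles | Where-Object { $_ -notin $actual })
    $extra   = @($actual        | Where-Object { $_ -notin $ExpectedRoles })
    if ($missing.Count) { Write-Warning "Roles missing from token: $($missing -join ', ')" }
    if ($extra.Count)   { Write-Warning "Unexpected roles in token: $($extra -join ', ')" }
    return ($missing.Count -eq 0) -and ($extra.Count -eq 0)
}

function Get-AppRoleGrants {
    # List the application permissions admin-consented to a service principal,
    # resolving each AppRoleId to its value (e.g. Mail.Send) via the resource's app roles.
    param([Parameter(Mandatory)][string]$ServicePrincipalId)

    Get-AzADServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId | ForEach-Object {
        $assignment = $_
        $resource = Get-AzADServicePrincipal -ObjectId $assignment.ResourceId
        $role = $resource.AppRole | Where-Object { $_.Id -eq $assignment.AppRoleId }
        [pscustomobject]@{
            Resource = $resource.DisplayName
            Role     = $role.Value
            RoleId   = $assignment.AppRoleId
        }
    }
}

function New-SampleJwt {
    # Build a constructed, UNSIGNED token (alg "none") purely so the checks above can be
    # exercised offline. Entra ID never issues such a token; this is test input only.
    param([Parameter(Mandatory)][hashtable]$Payload)
    $enc = {
        param($obj)
        $bytes = [System.Text.Encoding]::UTF8.GetBytes(($obj | ConvertTo-Json -Compress))
        [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
    }
    $header = & $enc @{ alg = 'none'; typ = 'JWT' }
    $body   = & $enc $Payload
    return "$header.$body."
}

# Offline demonstration with the constructed sample token
$sample = New-SampleJwt -Payload @{ aud = 'https://graph.microsoft.com'; roles = @('Mail.Send') }
Test-TokenRoles -Token $sample -ExpectedRoles @('Mail.Send')
Test-TokenRoles -Token $sample -ExpectedRoles @('Mail.Send', 'Mail.Read')

# Live check against the tenant (requires Connect-AzAccount; $sp from the answer's script):
# Get-AppRoleGrants -ServicePrincipalId $sp.Id | Format-Table
# Test-TokenRoles -Token $token -ExpectedRoles @('Mail.Send')
```

The first Test-TokenRoles call returns $true; the second returns $false and warns that Mail.Read is missing, which is the behaviour you want when a newly granted role has not yet appeared in issued tokens (the 30-second sleeps in the answer exist for exactly that propagation delay). Gating the rest of the automation on this check, rather than on the absence of an error from New-AzADServicePrincipalAppRoleAssignment, avoids shipping a client whose first real request fails with 403. Note also that Mail.Send as an application permission is tenant-wide (the app can send from any mailbox); in Exchange Online an application access policy created with New-ApplicationAccessPolicy limits the app to specific mailboxes, which is worth adding to the same provisioning script.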

waheed khan

Reputation: 1

Connect to Azure Account


Create the Azure AD application

$appName = "MyTestingApp"
$app = New-AzADApplication -DisplayName $appName -IdentifierUris ""

Add a client secret

$secret = New-AzADAppCredential -ApplicationId $app.ApplicationId -EndDate (Get-Date).AddYears(1)

Define the permission ID for Mail.Send

$permissionId = "a0e0c2c0-6b4c-4c98-bcd8-15e7995d8f2b" # Mail.Send permission ID

Add the Mail.Send permission to the application

$resourceId = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resource appId

Upvotes: 0
