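<#
.SYNOPSIS
    Creates a single-tenant Azure AD app registration with app roles, unless one with the
    same display name already exists.

.DESCRIPTION
    Every step goes through the Azure CLI (`az`):
      1. Ensure the CLI is logged in (runs `az login --allow-no-subscriptions` if not).
      2. Look for an existing app registration with this display name; skip if found.
      3. Create the registration as a single-tenant, non-public client.
      4. Disable the OAuth2 implicit grant for both access tokens and ID tokens.
      5. Set the App ID URI to api://<appId> (this also adds the default user_impersonation scope).
      6. Add one app role per entry in -RbacRoleNames, assignable to users only.
    Redirect URIs are NOT configured here; a reminder is printed at the end.

.PARAMETER AppRegistrationName
    Display name of the app registration to create. Must be non-empty.

.PARAMETER RbacRoleNames
    App role names. Each name becomes the displayName, description and value of one app role.
    Names must be non-blank and unique, because the role 'value' must be distinct within an app.

.PARAMETER AppHomePageUrl
    Home page URL recorded on the registration. Defaults to https://localhost:3000.

.NOTES
    Fixes relative to the first version of this script:
      - the "created" message was printed before the create result was parsed, so it always
        showed an empty appId;
      - a single role name produced a JSON object instead of an array for --app-roles;
      - the login check compared whole output lines against the string "az login" and never matched;
      - az exit codes were not checked, so a failed create was followed by updates on an empty id;
      - the temporary roles file was left behind if the update failed.

    NOTE(review): `--available-to-other-tenants`, `--native-app`, `--homepage` and the
    `oauth2AllowImplicitFlow` / `oauth2AllowIdTokenImplicitFlow` manifest properties belong to the
    AAD-Graph-era Azure CLI. Later CLI releases renamed them (e.g. --sign-in-audience,
    --web-home-page-url, web.implicitGrantSettings). Confirm against the CLI version in use.
#>
[CmdletBinding()]
param
(
    [Parameter(
        Mandatory=$true,
        HelpMessage="Specify the Azure AD app registration name. Example: test-authorization-flow-app")]
    [ValidateNotNullOrEmpty()]
    [System.String]
    $AppRegistrationName,

    [Parameter(
        Mandatory=$true,
        HelpMessage="Specify the Azure AD RBAC role names to use in the app manifest. For example: MyAppUsersRole and MyAppAdministratorsRole.")]
    [ValidateNotNullOrEmpty()]
    [System.String[]]
    $RbacRoleNames,

    [Parameter(Mandatory=$false)]
    [System.String]
    $AppHomePageUrl = "https://localhost:3000"
)

$ErrorActionPreference = "Stop"

# $ErrorActionPreference = "Stop" does not turn a non-zero exit code from a native command (az)
# into a terminating error, so every az call below is followed by this check.
function Assert-AzSucceeded
{
    param([System.String]$Step)

    if ($LASTEXITCODE -ne 0)
    {
        throw "Azure CLI step failed with exit code ${LASTEXITCODE}: $Step"
    }
}

# Reject blank or duplicate role names up front instead of letting the directory reject the
# whole manifest update after the app has already been created.
$blankRoleNames = @($RbacRoleNames | Where-Object { [string]::IsNullOrWhiteSpace($_) })
if ($blankRoleNames.Count -gt 0)
{
    throw "RbacRoleNames must not contain blank entries."
}
$distinctRoleNames = @($RbacRoleNames | Select-Object -Unique)
if ($distinctRoleNames.Count -ne $RbacRoleNames.Count)
{
    throw "RbacRoleNames must be unique; each app role 'value' must be distinct within an app."
}

# Depending on the CLI version, a logged-out CLI either exits non-zero or prints an empty
# account list, so both are treated as "not logged in".
$accountsJson = az account list | Out-String
$loggedIn = $false
if ($LASTEXITCODE -eq 0 -and -not [string]::IsNullOrWhiteSpace($accountsJson))
{
    $accounts = @(ConvertFrom-Json -InputObject $accountsJson)
    $loggedIn = $accounts.Count -gt 0
}

if (-not $loggedIn)
{
    Write-Host "Logging into Azure for the Azure CLI tooling."
    az login --allow-no-subscriptions
    Assert-AzSucceeded -Step "az login"
}
else
{
    Write-Host "Already logged into Azure CLI tooling."
}

Write-Host "Checking to see if the Azure AD app registration ($AppRegistrationName) already exists."
$existingJson = az ad app list --display-name $AppRegistrationName | Out-String
Assert-AzSucceeded -Step "az ad app list"

$existingApps = @()
if (-not [string]::IsNullOrWhiteSpace($existingJson))
{
    $existingApps = @(ConvertFrom-Json -InputObject $existingJson)
}
# Compare the display name exactly on the client side as well: depending on the CLI version,
# --display-name may filter by prefix rather than by equality, which would make an app named
# "<name>-old" look like a match.
$matchingApps = @($existingApps | Where-Object { $_.displayName -eq $AppRegistrationName })

if ($matchingApps.Count -gt 0)
{
    Write-Host "App registration already exists. Creation will be skipped."
    return
}

Write-Host "App registration doesn't exist. Creating it now."
# Single-tenant ('available-to-other-tenants false') and not a public client
# ('native-app' in this case means public client).
$createJson = az ad app create `
    --display-name $AppRegistrationName `
    --available-to-other-tenants false `
    --homepage $AppHomePageUrl `
    --native-app false | Out-String
Assert-AzSucceeded -Step "az ad app create"

$appRegistration = ConvertFrom-Json -InputObject $createJson
if (-not $appRegistration.appId)
{
    throw "az ad app create returned no appId; aborting before any manifest updates."
}
$appId = $appRegistration.appId
Write-Host "Successfully created new app registration: $appId"

# Setting implicit flow to disabled on the create request doesn't actually shut this off for
# the token, so the manifest is updated afterwards just for these two properties.
Write-Host "Setting manifest property: oauth2AllowImplicitFlow=false"
$null = az ad app update --id $appId --set oauth2AllowImplicitFlow=false
Assert-AzSucceeded -Step "disable oauth2AllowImplicitFlow"

Write-Host "Setting manifest property: oauth2AllowIdTokenImplicitFlow=false"
$null = az ad app update --id $appId --set oauth2AllowIdTokenImplicitFlow=false
Assert-AzSucceeded -Step "disable oauth2AllowIdTokenImplicitFlow"

# The App ID URI is derived from the appId (not from user input) so it cannot collide with or
# impersonate another app's URI. Note this also adds a default app scope: user_impersonation.
$appIdUri = 'api://{0}' -f $appId
Write-Host "Setting App ID Uri: $appIdUri"
$null = az ad app update --id $appId --identifier-uris $appIdUri
Assert-AzSucceeded -Step "set identifier URI"

Write-Host "Adding RBAC roles to the application manifest."
$roleObjects = foreach ($roleName in $RbacRoleNames)
{
    [PSCustomObject]@{
        # An explicit role id is required by the Microsoft Graph-backed CLI and is accepted by
        # the older one, so it is always supplied.
        id                 = [guid]::NewGuid().ToString()
        # Roles are assignable to users/groups only, not to other applications.
        allowedMemberTypes = @("User")
        description        = $roleName
        displayName        = $roleName
        # Boolean, not the string "true": the manifest schema types isEnabled as a boolean.
        isEnabled          = $true
        value              = $roleName
    }
}

# -InputObject with an array wrapper guarantees a JSON array even for a single role;
# piping a single object into ConvertTo-Json would emit a bare object, which --app-roles rejects.
$rolesJson = ConvertTo-Json -InputObject @($roleObjects) -Depth 5

# Write the manifest fragment to a uniquely named temp file (rather than a fixed name in the
# current directory) and always remove it, even when the update fails.
$rolesFile = Join-Path ([System.IO.Path]::GetTempPath()) ("manifest-roles-{0}.json" -f [guid]::NewGuid())
try
{
    Set-Content -Path $rolesFile -Value $rolesJson -Encoding UTF8
    $null = az ad app update --id $appId --app-roles "@$rolesFile"
    Assert-AzSucceeded -Step "set app roles"
}
finally
{
    Remove-Item -Path $rolesFile -ErrorAction SilentlyContinue
}

Write-Host "App registration setup completed."
Write-Host "ACTION REQUIRED: In the Azure AD app registration, click on the Authentication page then add at least one redirect URI of type SPA"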