I have 2 functions in PowerShell to add separate permissions to my service principal in Azure AD. Here’s the first:
function Add-Permissions {
    param(
        $App   # application object returned by New-AzureADApplication / Get-AzureADApplication
    )
    # $PasswordCredential is expected to be defined in the calling scope
    $SPforApp = New-AzureADServicePrincipal -AppId $App.AppId -PasswordCredentials @($PasswordCredential)
    $targetServicePrincipalName = "Microsoft Graph"
    $targetSp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$($targetServicePrincipalName)'"
    $appPermissionsRequired = @('User.Read.All','Group.Read.All','GroupMember.Read.All',`
        'GroupMember.ReadWrite.All','Directory.Read.All','AuditLog.Read.All')
    # resolve each permission name to the matching Microsoft Graph app role (application permission)
    $RoleAssignments = @()
    foreach ($AppPermission in $appPermissionsRequired) {
        $RoleAssignment = $targetSp.AppRoles | Where-Object { $_.Value -eq $AppPermission }
        $RoleAssignments += $RoleAssignment
    }
    # build the ResourceAccess list (Type "Role" = application permission)
    $ResourceAccessObjects = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]'
    foreach ($RoleAssignment in $RoleAssignments) {
        $resourceAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess"
        $resourceAccess.Id = $RoleAssignment.Id
        $resourceAccess.Type = "Role"
        $ResourceAccessObjects.Add($resourceAccess)
    }
    $requiredResourceAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $requiredResourceAccess.ResourceAppId = $targetSp.AppId
    $requiredResourceAccess.ResourceAccess = $ResourceAccessObjects
    # set the required resource access (writes the application's whole RequiredResourceAccess collection)
    Set-AzureADApplication -ObjectId $App.ObjectId -RequiredResourceAccess $requiredResourceAccess
    Start-Sleep -s 1
    # grant the required resource access (app role assignment = admin consent for the app role)
    foreach ($RoleAssignment in $RoleAssignments) {
        Write-Output -InputObject ('Granting admin consent for App Role: {0}' -f $($RoleAssignment.Value))
        New-AzureADServiceAppRoleAssignment -ObjectId $SPforApp.ObjectId -Id $RoleAssignment.Id -PrincipalId $SPforApp.ObjectId -ResourceId $targetSp.ObjectId
        Start-Sleep -s 1
    }
    Write-Output "Permissions Added"
    return $App
}
And here’s the second:
function Add-Two-Permissions {
    param(
        $App   # application object returned by New-AzureADApplication / Get-AzureADApplication
    )
    # look up the two resource service principals by display name
    $MgAPI = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq "Windows Azure Service Management API" }
    $GraphAPI = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq "Microsoft Graph" }
    $AzureMg = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $AzureMg.ResourceAppId = $MgAPI.AppId
    $Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $Graph.ResourceAppId = $GraphAPI.AppId
    # one delegated permission ("Scope") per resource, identified by its permission id
    $delPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "41094075-9dad-400e-a0bd-54e686782033", "Scope"
    $delPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7427e0e9-2fba-42fe-b0c0-848c9e6a8182", "Scope"
    $AzureMg.ResourceAccess = $delPermission1
    $Graph.ResourceAccess = $delPermission2
    # writes the application's whole RequiredResourceAccess collection
    Set-AzureADApplication -ObjectId $App.ObjectId -RequiredResourceAccess $AzureMg, $Graph
    Write-Output "Two Permissions Added"
    return $App
}
These two functions are replacing each other instead of adding together. I’m looking to have them add the permissions together. It would be mainly taking the permissions:
$appPermissionsRequired = @('User.Read.All','Group.Read.All','GroupMember.Read.All',`
'GroupMember.ReadWrite.All','Directory.Read.All','AuditLog.Read.All')
and adding them to the second function.
Does anyone know how to fix this?
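The behaviour described in the question comes from `Set-AzureADApplication -RequiredResourceAccess` writing the application's entire RequiredResourceAccess collection: whichever function runs last wins. The following is an added example, not the asker's code, showing one way to merge permissions into the existing collection instead of overwriting it. It assumes the AzureAD module is loaded, `Connect-AzureAD` has been run with an account allowed to update the application, and `$App` is the application object used in the question; `Merge-RequiredResourceAccess` and `Show-RequiredResourceAccess` are names introduced here.

```powershell
# Added example (not from the original post): merge permissions into an
# application's RequiredResourceAccess rather than replacing the collection.
# Assumes: AzureAD module loaded, Connect-AzureAD done, $App has .ObjectId.

function Merge-RequiredResourceAccess {
    param(
        [Parameter(Mandatory)] $App,                        # application object
        [Parameter(Mandatory)] [string]   $ResourceAppId,   # AppId of the resource (e.g. Microsoft Graph)
        [Parameter(Mandatory)] [string[]] $PermissionIds,   # app role ids or delegated scope ids
        [ValidateSet('Role','Scope')] [string] $Type = 'Role' # Role = application perm, Scope = delegated
    )
    # Re-read the application so we merge into what the directory currently holds,
    # not into a possibly stale in-memory copy.
    $current = (Get-AzureADApplication -ObjectId $App.ObjectId).RequiredResourceAccess
    $list = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]'
    foreach ($rra in $current) { $list.Add($rra) }

    # Reuse the entry for this resource if one exists, otherwise create it
    $entry = $list | Where-Object { $_.ResourceAppId -eq $ResourceAppId } | Select-Object -First 1
    if (-not $entry) {
        $entry = New-Object -TypeName 'Microsoft.Open.AzureAD.Model.RequiredResourceAccess'
        $entry.ResourceAppId = $ResourceAppId
        $entry.ResourceAccess = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]'
        $list.Add($entry)
    }
    # Add only permissions that are not already declared (id + type), so the
    # function is idempotent and safe to run repeatedly.
    foreach ($id in $PermissionIds) {
        $exists = $entry.ResourceAccess | Where-Object { $_.Id -eq $id -and $_.Type -eq $Type }
        if (-not $exists) {
            $ra = New-Object -TypeName 'Microsoft.Open.AzureAD.Model.ResourceAccess' -ArgumentList $id, $Type
            $entry.ResourceAccess.Add($ra)
        }
    }
    # Write back the merged collection (this declares requirements only; it grants nothing)
    Set-AzureADApplication -ObjectId $App.ObjectId -RequiredResourceAccess $list
    return $list
}

# Read back what is declared, so the result can be checked before any consent is granted
function Show-RequiredResourceAccess {
    param([Parameter(Mandatory)] $App)
    $rras = (Get-AzureADApplication -ObjectId $App.ObjectId).RequiredResourceAccess
    foreach ($rra in $rras) {
        $sp = Get-AzureADServicePrincipal -Filter "AppId eq '$($rra.ResourceAppId)'" | Select-Object -First 1
        foreach ($ra in $rra.ResourceAccess) {
            # Map the id back to a readable name: app roles for "Role", OAuth2 scopes for "Scope"
            $name = if ($ra.Type -eq 'Role') {
                ($sp.AppRoles | Where-Object { $_.Id -eq $ra.Id }).Value
            } else {
                ($sp.Oauth2Permissions | Where-Object { $_.Id -eq $ra.Id }).Value
            }
            [pscustomobject]@{ Resource = $sp.DisplayName; Type = $ra.Type; Id = $ra.Id; Name = $name }
        }
    }
}

# Usage: first the six Graph application permissions from the question...
$graphSp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'" | Select-Object -First 1
$wanted  = @('User.Read.All','Group.Read.All','GroupMember.Read.All',
             'GroupMember.ReadWrite.All','Directory.Read.All','AuditLog.Read.All')
$roleIds = foreach ($v in $wanted) { ($graphSp.AppRoles | Where-Object { $_.Value -eq $v }).Id }
Merge-RequiredResourceAccess -App $App -ResourceAppId $graphSp.AppId -PermissionIds $roleIds -Type 'Role' | Out-Null

# ...then the two delegated scopes from the second function, without losing the first set
$armSp = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq 'Windows Azure Service Management API' }
Merge-RequiredResourceAccess -App $App -ResourceAppId $armSp.AppId   -PermissionIds '41094075-9dad-400e-a0bd-54e686782033' -Type 'Scope' | Out-Null
Merge-RequiredResourceAccess -App $App -ResourceAppId $graphSp.AppId -PermissionIds '7427e0e9-2fba-42fe-b0c0-848c9e6a8182' -Type 'Scope' | Out-Null

Show-RequiredResourceAccess -App $App | Format-Table -AutoSize
```

Two points worth keeping in mind with this approach. `Set-AzureADApplication -RequiredResourceAccess` only declares what the application asks for; the app-role assignments that the question's first function creates with `New-AzureADServiceAppRoleAssignment` are what actually grant the application permissions (the equivalent of admin consent), so the merge function on its own changes nothing about what the service principal can do. And because the function re-reads the application before merging and checks for duplicates, it can be called from both of the question's functions in any order without one clobbering the other, and `Show-RequiredResourceAccess` gives a way to verify the declared set before any consent step runs.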