Service Principal permissions replace each other instead of getting added together in PowerShell, part 2

I have 2 functions in PowerShell to add separate permissions to my service principal in Azure AD. Here’s the first:

function Add-Permissions {
    
    param(
        $App
    )
    
    $SPforApp = New-AzureADServicePrincipal -AppId $App.AppId -PasswordCredentials @($PasswordCredential)

    $targetServicePrincipalName="Microsoft Graph"
    $targetSp = Get-AzureADServicePrincipal -Filter "DisplayName eq '$($TargetServicePrincipalName)'"

    $appPermissionsRequired = @('User.Read.All','Group.Read.All','GroupMember.Read.All',`
    'GroupMember.ReadWrite.All','Directory.Read.All','AuditLog.Read.All')

    $RoleAssignments = @()

    Foreach ($AppPermission in $appPermissionsRequired) {
        $RoleAssignment = $targetSp.AppRoles | Where-Object { $_.Value -eq $AppPermission }
        $RoleAssignments += $RoleAssignment
    }

    $ResourceAccessObjects = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]'

    foreach ($RoleAssignment in $RoleAssignments) {
        $resourceAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess"
        $resourceAccess.Id = $RoleAssignment.Id
        $resourceAccess.Type = "Role"
        $ResourceAccessObjects.Add($resourceAccess)
    }
    
    $requiredResourceAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $requiredResourceAccess.ResourceAppId = $targetSp.AppId
    $requiredResourceAccess.ResourceAccess = $ResourceAccessObjects

    # set the required resource access
    Set-AzureADApplication -ObjectId $App.ObjectId -RequiredResourceAccess $requiredResourceAccess
    Start-Sleep -s 1

    # grant the required resource access
    foreach ($RoleAssignment in $RoleAssignments) {
        Write-Output -InputObject ('Granting admin consent for App Role: {0}' -f $($RoleAssignment.Value))
        New-AzureADServiceAppRoleAssignment -ObjectId $SPforApp.ObjectId -Id $RoleAssignment.Id -PrincipalId $SPforApp.ObjectId -ResourceId $targetSp.ObjectId
        Start-Sleep -s 1
    }

    Write-Output "Permissions Added"

    return $App
}

And here’s the second:

function Add-Two-Permissions {
    
    param(
        $App
    )

    $MgAPI = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Windows Azure Service Management API" }
    $GraphAPI = Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq "Microsoft Graph" }

    $AzureMg = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $AzureMg.ResourceAppId = $MgAPI.AppId
 
    $Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $Graph.ResourceAppId = $GraphAPI.AppId

    $delPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "41094075-9dad-400e-a0bd-54e686782033","Scope" 
    $delPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7427e0e9-2fba-42fe-b0c0-848c9e6a8182","Scope" 

    $AzureMg.ResourceAccess = $delPermission1 
    $Graph.ResourceAccess = $delPermission2
 
    Set-AzureADApplication -ObjectId $App.ObjectID -RequiredResourceAccess $AzureMg, $Graph

    Write-Output "Two Permissions Added"

    return $App
}

These two functions are replacing each other instead of adding together. I’m looking to have them add the permissions together. It would be mainly taking the permissions:

$appPermissionsRequired = @('User.Read.All','Group.Read.All','GroupMember.Read.All',`
    'GroupMember.ReadWrite.All','Directory.Read.All','AuditLog.Read.All')

and adding them to the second function.

Does anyone know how to fix this?
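The cause is that `Set-AzureADApplication -RequiredResourceAccess` overwrites the application's entire required-resource list rather than appending to it, so whichever function runs last wins. The following is an added example, not code from the question: a helper that reads the application's current `RequiredResourceAccess`, merges in new entries keyed by `ResourceAppId` and deduplicated on `Id` + `Type`, and writes the combined list back in a single call. It assumes the AzureAD module is loaded with an active session, and that `$App` is the application object used in the question; `Merge-RequiredResourceAccess` is a hypothetical name.

```powershell
# Added example: merge new required permissions into what the application already
# declares, instead of replacing the whole list with each Set-AzureADApplication call.
function Merge-RequiredResourceAccess {
    param(
        [Parameter(Mandatory)] [string]   $AppObjectId,
        [Parameter(Mandatory)] [object[]] $Additions    # RequiredResourceAccess objects to add
    )
    # Current state of the application; this is what Set-AzureADApplication would discard
    $existing = (Get-AzureADApplication -ObjectId $AppObjectId).RequiredResourceAccess
    $byResource = @{}
    foreach ($rra in @($existing) + @($Additions)) {
        if (-not $rra) { continue }
        if (-not $byResource.ContainsKey($rra.ResourceAppId)) {
            $merged = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
            $merged.ResourceAppId = $rra.ResourceAppId
            $merged.ResourceAccess = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]'
            $byResource[$rra.ResourceAppId] = $merged
        }
        $target = $byResource[$rra.ResourceAppId]
        foreach ($access in @($rra.ResourceAccess)) {
            # Skip entries already present (same permission Id and Type) so re-runs are idempotent
            $dup = $target.ResourceAccess | Where-Object { $_.Id -eq $access.Id -and $_.Type -eq $access.Type }
            if (-not $dup) { $target.ResourceAccess.Add($access) }
        }
    }
    $final = @($byResource.Values)
    # One write with the complete, merged list
    Set-AzureADApplication -ObjectId $AppObjectId -RequiredResourceAccess $final
    return $final
}

# Usage: the Graph application roles from the question plus the delegated Graph scope,
# built as one RequiredResourceAccess entry and merged rather than written over.
$graphSp  = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$graphReq = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$graphReq.ResourceAppId  = $graphSp.AppId
$graphReq.ResourceAccess = New-Object 'System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]'
foreach ($value in 'User.Read.All','Group.Read.All','GroupMember.Read.All','GroupMember.ReadWrite.All','Directory.Read.All','AuditLog.Read.All') {
    $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $value }
    if (-not $role) { Write-Warning "App role '$value' not found on Microsoft Graph"; continue }
    $graphReq.ResourceAccess.Add((New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList ([string]$role.Id), "Role"))
}
# Delegated scope from the second function in the question
$graphReq.ResourceAccess.Add((New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7427e0e9-2fba-42fe-b0c0-848c9e6a8182", "Scope"))

$result = Merge-RequiredResourceAccess -AppObjectId $App.ObjectId -Additions @($graphReq)
$result | ForEach-Object { "{0}: {1} access entries" -f $_.ResourceAppId, $_.ResourceAccess.Count }
```

The "Windows Azure Service Management API" entry from the second function can be built the same way and passed in the same `-Additions` array, so both resources end up in the one write. Note that merging only declares the requirements on the application; admin consent (the `New-AzureADServiceAppRoleAssignment` loop in the first function) still has to be granted separately, and the merged list is worth reviewing so the principal does not accumulate more rights than it needs.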
