Managing Azure AD Applications with PowerShell. Do you need help automating and managing Azure AD applications with Windows PowerShell scripts? This article provides you with the PowerShell scripts to automate the provisioning of Azure AD apps.
A major part of Azure AD app management is creating new apps. So, we start off by demonstrating how to register a new WordPress app using PowerShell.
The final section demonstrates different ways of managing existing Azure AD applications using PowerShell. Specifically, we explore the PowerShell commands to list, modify and delete registered Azure AD apps.
Before we get to these, let’s start by explaining why you need to register apps in Azure Active Directory.
Why Register Apps in Azure AD?
Azure Active Directory (Azure AD) is a robust cloud directory service that provides world-class authentication (sign-in access) and authorization (permission to resources). Apps registered with Azure AD take advantage of the directory authentication and authorization provided by this Microsoft tool.
Some benefits of registering apps with Azure AD are managing the app with Azure role-based access control (RBAC), and granting API permissions. However, one of the significant benefits to users is single sign-on.
When apps are registered in Azure AD, users sign in to the app with their Azure AD (work or school) account, the same identity they already use for Microsoft 365 – providing a unified experience.
In a previous article, we explained creating an Azure AD application.
In the referenced article, we explored 3 methods to register an application – via the Azure portal, PowerShell, and Azure CLI.
The remaining sections of this article focus on managing apps with PowerShell via Azure Cloud Shell.
Steps to Create Azure AD Application Registration with PowerShell in Azure Cloud Shell
As hinted earlier, we’ve another article that demonstrates how to register Azure AD apps using PowerShell and Azure CLI. If you prefer running AzureAD commands from your PC, follow the above link.
However, to create an Azure App by running PowerShell commands directly on the Azure Cloud Shell, continue reading.
Creating an Azure AD App registration is a three-step process.
Firstly, register the application. After that, the application must be granted the necessary API permissions.
Finally, the app’s secret (the credential the app uses to authenticate to Azure AD) must be configured.
In the following subsections, I walk you through the steps to complete this process by registering a WordPress site in Azure Active Directory.
Before you begin, sign in to the Azure Cloud Shell via this link – shell.azure.com. After signing in, run the Connect-AzureAD command.
Step 1: Create New Azure AD App Registration
1. Run the New-AzureADApplication command to register a new Azure AD app. Replace the DisplayName and ReplyURLs with your app’s details.
New-AzureADApplication -DisplayName "InfraSOS.com WP App" -ReplyUrls "https://infrasos.com/wp-login/"
The ReplyUrls value must use https; Azure AD rejects plain http reply URLs (other than localhost, used for development) and the command fails with an error. Once the command runs successfully, Azure Cloud Shell displays the app’s information, including its ObjectId and AppId, which the later steps need.
Step 2: Set up Permissions for the Azure AD App
After creating a new app registration, you may need to grant API permissions. To demonstrate how this is done, I assign the Microsoft Graph API delegated permissions email, offline_access, openid, and profile – the standard OpenID Connect sign-in scopes.
Here are the steps:
1. The first step is to retrieve the Service Principal for the Microsoft Graph API and save it in a variable. The example below matches on display name; note that any tenant user can register an app called "Microsoft Graph", so if you script this, match on the well-known AppId 00000003-0000-0000-c000-000000000000 instead.
$MSGraph = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }
2. Once you have the Service Principal of Microsoft Graph, retrieve the GUIDs of the permissions you want to delegate from its Oauth2Permissions collection. In this example, I get the Microsoft Graph API delegated permissions that I want to grant – email, offline_access, openid, and profile.
$MSGraph.Oauth2Permissions | where-object {($_.Value -eq "email") -or ($_.Value -eq "offline_access") -or ($_.Value -eq "openid") -or ($_.Value -eq "profile")} | Format-Table ID, Value
The command returns a table of Id/Value pairs. Note the Ids for the permissions you want to delegate; you need them later in this section.
3. Next, retrieve the app registration created in Step 1 and store its ObjectId in a variable.
$app = Get-AzureADApplication -Filter "displayName eq 'InfraSOS.com WP App'"
$appId = $app.ObjectId
4. Then, create a Resource Access object and point it at the Microsoft Graph API by setting its ResourceAppId to the AppId of the Service Principal retrieved in step 1.
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = $MSGraph.AppId
5. Using the Ids from 2 above, create a set of delegated permissions.
$profile_perm = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "14dad69e-099b-42c9-810b-d002981feec1","Scope"
$offline_access_perm = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7427e0e9-2fba-42fe-b0c0-848c9e6a8182","Scope"
$openid_perm = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "37f7f235-527c-4136-accd-4a02d197296e","Scope"
$email_perm = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0","Scope"
$Graph.ResourceAccess = $profile_perm, $offline_access_perm, $openid_perm, $email_perm
6. Finally, assign the permissions to the app by running the Set-AzureADApplication command.
Set-AzureADApplication -ObjectId $appId -RequiredResourceAccess $Graph -Oauth2AllowImplicitFlow $true
Note that -Oauth2AllowImplicitFlow $true switches on the OAuth 2.0 implicit grant, which returns tokens in the URL fragment and is only needed by browser-only (single-page) clients. A server-side WordPress site that signs in with the authorization code flow and the client secret configured in Step 3 does not need it, so omit that switch unless your plugin requires it. Also note that -RequiredResourceAccess replaces the app’s entire permission list, so if the app already has permissions for other APIs, include them in the collection you pass.
After running the above commands, the Azure App’s API permissions page displays the delegated permissions.
Step 3: Configure the App's Secret
1. The first step in setting up an Azure AD app’s secret is to choose a start and end date for it. In this example, the start date is today and the expiry is 180 days from today. Shorter lifetimes limit the damage if the secret leaks, so pair them with a rotation process.
$startDate = Get-Date
$endDate = $startDate.AddDays(180)
2. After that, add the secret to the app using the New-AzureADApplicationPasswordCredential command.
New-AzureADApplicationPasswordCredential -ObjectId $appId -CustomKeyIdentifier "InfraSOS.com App Secret" -StartDate $startDate -EndDate $endDate
The command output includes the secret in the Value property. This is the only time Azure AD shows it: copy it into the WordPress plugin’s configuration (or a secret store such as Key Vault) immediately, because afterwards the portal only displays a redacted hint and the expiry date. To confirm that the above command created a client secret, open the app’s Certificates & secrets page.
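Putting the three steps together, the script below is an added example (not the article’s own code) that performs Steps 1 to 3 in one idempotent run in Azure Cloud Shell after Connect-AzureAD. It also creates the service principal that New-AzureADApplication does not create (the portal does this for you; without it users cannot sign in), resolves Microsoft Graph by its well-known AppId instead of its display name, looks the scope GUIDs up by name, preserves permissions granted for other APIs, and leaves the implicit grant off. The display name, reply URL, secret label and 180-day lifetime are assumptions; change them for your app.

```powershell
# Added example (not from the original article): registers the app, grants the four
# Microsoft Graph delegated scopes and creates a client secret in one run.
# Run in Azure Cloud Shell after Connect-AzureAD. The display name, reply URL,
# secret label and lifetime below are assumptions; change them to match your app.
$DisplayName = "InfraSOS.com WP App"
$ReplyUrl    = "https://infrasos.com/wp-login/"
$Scopes      = @("openid", "profile", "email", "offline_access")
$SecretDays  = 180

# Reply URLs must be HTTPS (Azure AD rejects plain http except for localhost).
if ($ReplyUrl -notmatch '^https://') { throw "Reply URL must use https: $ReplyUrl" }

# 1. Register the app, or reuse it if a registration with this name already exists.
$app = Get-AzureADApplication -Filter "displayName eq '$DisplayName'"
if (-not $app) {
    $app = New-AzureADApplication -DisplayName $DisplayName -ReplyUrls $ReplyUrl
} elseif (@($app).Count -gt 1) {
    throw "More than one app registration is named '$DisplayName'; use -ObjectId instead."
}

# New-AzureADApplication does NOT create the service principal that the portal
# creates for you; without it users cannot sign in to the app in this tenant.
if (-not (Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'")) {
    New-AzureADServicePrincipal -AppId $app.AppId | Out-Null
}

# 2. Resolve Microsoft Graph by its well-known AppId rather than by display name,
#    which any tenant user could reuse for their own app registration.
$graphSp = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Look the scope IDs up by name instead of hard-coding GUIDs, and fail loudly
# if a requested scope does not exist on Microsoft Graph.
$resourceAccess = foreach ($scope in $Scopes) {
    $perm = $graphSp.Oauth2Permissions | Where-Object { $_.Value -eq $scope }
    if (-not $perm) { throw "Microsoft Graph has no delegated permission named '$scope'" }
    New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $perm.Id, "Scope"
}
$graphAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$graphAccess.ResourceAppId  = $graphSp.AppId
$graphAccess.ResourceAccess = @($resourceAccess)

# Set-AzureADApplication replaces the whole RequiredResourceAccess collection, so
# keep entries for other APIs and only swap the Microsoft Graph one.
$required = @($app.RequiredResourceAccess | Where-Object { $_.ResourceAppId -ne $graphSp.AppId })
$required += $graphAccess
# No -Oauth2AllowImplicitFlow: a server-side WordPress plugin uses the authorization
# code flow with the client secret below and does not need the implicit grant.
Set-AzureADApplication -ObjectId $app.ObjectId -RequiredResourceAccess $required

# 3. Create the client secret. The plaintext Value is returned exactly once; after
#    this call neither the portal nor PowerShell can show it again.
$start = Get-Date
$cred = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId `
    -CustomKeyIdentifier "WP plugin secret" -StartDate $start -EndDate $start.AddDays($SecretDays)

# Everything the WordPress plugin needs to be configured, in one object.
[pscustomobject]@{
    AppId    = $app.AppId
    TenantId = (Get-AzureADTenantDetail).ObjectId
    SecretId = $cred.KeyId
    Expires  = $cred.EndDate
    Secret   = $cred.Value   # copy into the plugin or Key Vault now; it is not retrievable later
}
```

Re-running the script is safe: it reuses the existing registration and service principal and rewrites the Microsoft Graph permission block, but it does add a new secret on every run, so remove superseded secrets with Remove-AzureADApplicationPasswordCredential once the plugin has been switched to the new one.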
Managing Azure AD Applications Registration with PowerShell
List Azure AD Apps with PowerShell
To list all app registrations in the tenant (app registrations belong to the Azure AD directory, not to an Azure subscription), run the Get-AzureADApplication command.
Get-AzureADApplication
Running this command without any parameter or filter returns all apps with the default columns – ObjectId, AppId, and DisplayName.
To return a single app, filter on its display name or pass its ObjectId directly:
Get-AzureADApplication -Filter "displayName eq 'InfraSOS.com WP App'"
Get-AzureADApplication -ObjectId "92e55fda-d8e4-47ec-a5c7-8e00459b26b6"
As seen in these examples, the default output shows just three properties. However, you can return ALL properties of the apps by piping Get-AzureADApplication to Select-Object * – see the sample command below.
Get-AzureADApplication | Select-Object *
The output is a long per-property list for each app. Piping the command to Format-Table condenses it:
Get-AzureADApplication | Select-Object * | Format-Table
That is not much better: with every property selected, Format-Table only fits the first few columns on screen, and most of them are irrelevant. Select just the properties you need instead:
Get-AzureADApplication | Select-Object DisplayName, ObjectId, AppId, ReplyUrls | Format-Table -AutoSize
The command returns a better result!
Modify An Azure AD Application Settings
Another essential Azure AD application registration management task is modifying settings with PowerShell. In this simple example, we change the name of the app we created earlier using the Set-AzureADApplication command.
Set-AzureADApplication -ObjectId "92e55fda-d8e4-47ec-a5c7-8e00459b26b6" -DisplayName "InfraSOS.com WP App (New name)"
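Listing and modifying come together in a periodic security review of the tenant’s app registrations. The function below is an added example (not from the article) that walks every registration with Get-AzureADApplication -All $true, reports plain-http reply URLs, the implicit grant, and secrets or certificates that are expired or expire soon, and with -Fix uses Set-AzureADApplication to switch off implicit flow and drop the http URLs. The 30-day expiry window is an assumed threshold.

```powershell
# Added example (not from the original article): reports risky settings on every app
# registration in the tenant and, with -Fix, remediates the two that are safe to
# change centrally. The 30-day expiry window is an assumed threshold.
function Get-AppRegistrationFindings {
    param(
        [int]$ExpiresWithinDays = 30,
        [switch]$Fix
    )
    $now = Get-Date
    foreach ($app in Get-AzureADApplication -All $true) {
        $findings = @()

        # Plain-http reply URLs let authorization codes or tokens travel in clear text.
        $httpUrls = @($app.ReplyUrls | Where-Object { $_ -like 'http://*' -and $_ -notlike 'http://localhost*' })
        if ($httpUrls) { $findings += "http reply URL: $($httpUrls -join ', ')" }

        # Implicit grant returns tokens in the URL fragment; only browser-only SPAs ever needed it.
        if ($app.Oauth2AllowImplicitFlow) { $findings += "implicit flow enabled" }

        # Secrets and certificates that are expired or about to expire.
        $creds = @(Get-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId) +
                 @(Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId)
        foreach ($c in $creds) {
            if ($c.EndDate -lt $now) {
                $findings += "expired credential $($c.KeyId)"
            } elseif ($c.EndDate -lt $now.AddDays($ExpiresWithinDays)) {
                $findings += "credential $($c.KeyId) expires $($c.EndDate.ToString('yyyy-MM-dd'))"
            }
        }
        if (-not $creds) { $findings += "no credentials (possibly abandoned registration)" }

        if ($findings) {
            if ($Fix) {
                # Set-AzureADApplication is a partial update: only the named properties change.
                $params = @{ ObjectId = $app.ObjectId }
                if ($app.Oauth2AllowImplicitFlow) { $params.Oauth2AllowImplicitFlow = $false }
                if ($httpUrls) {
                    $keep = @($app.ReplyUrls | Where-Object { $_ -notin $httpUrls })
                    # Removing the last reply URL would break sign-in; leave that case for manual review.
                    if ($keep) { $params.ReplyUrls = $keep }
                }
                if ($params.Count -gt 1) { Set-AzureADApplication @params }
            }
            [pscustomobject]@{
                DisplayName = $app.DisplayName
                ObjectId    = $app.ObjectId
                AppId       = $app.AppId
                Findings    = $findings -join '; '
            }
        }
    }
}

# Report only:
Get-AppRegistrationFindings | Format-Table -AutoSize
# After reviewing the report, remediate implicit flow and http reply URLs:
# Get-AppRegistrationFindings -Fix
```

Credential expiry is reported rather than fixed, because rotating a secret requires touching the application that uses it; the Findings column gives the KeyId to hand to the app owner.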
Delete Azure AD Apps with PowerShell
Finally, Azure AD apps can be deleted if they’re no longer required. The easiest way to perform this task is to return the app with the Get-AzureADApplication command and pipe it to the Remove-AzureADApplication command. Deleted app registrations are soft-deleted and can be restored from the Deleted applications view for 30 days; after that they are gone for good.
The example command below deletes the app with the specified ObjectId.
Get-AzureADApplication -ObjectId "92e55fda-d8e4-47ec-a5c7-8e00459b26b6" | Remove-AzureADApplication
You may want to remove multiple apps. The command below returns all apps whose display name begins with "wordpress" (in the AzureAD module, -SearchString is a starts-with match on the display name, not a substring search). Always run it on its own first and review the list, because the loop that follows deletes everything it returns.
Get-AzureADApplication -SearchString wordpress
$wpapps = Get-AzureADApplication -SearchString wordpress
ForEach ($wpapp in $wpapps) { Remove-AzureADApplication -ObjectId $wpapp.ObjectId }
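A safer version of that bulk delete, added here as an example rather than taken from the article: it wraps Remove-AzureADApplication in a function that supports -WhatIf and -Confirm, shows the matching apps before touching them, and refuses to run when more apps match than you expected. The "wordpress" prefix and the expected count of 3 are assumptions.

```powershell
# Added example (not from the original article): deletes app registrations whose
# display name starts with a prefix, but only after showing them and honouring
# -WhatIf / -Confirm. The prefix and expected count used below are assumptions.
function Remove-AppRegistrationByPrefix {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Prefix,
        [int]$Expected   # optional sanity cap: abort if more apps match than you expect
    )
    # -SearchString matches display names that START with the string; review the list first.
    $apps = @(Get-AzureADApplication -SearchString $Prefix -All $true)
    if (-not $apps) { Write-Warning "No app registrations start with '$Prefix'"; return }
    if ($PSBoundParameters.ContainsKey('Expected') -and $apps.Count -gt $Expected) {
        throw "$($apps.Count) apps match '$Prefix' but only $Expected were expected; aborting."
    }
    $apps | Select-Object DisplayName, ObjectId, AppId | Format-Table -AutoSize | Out-Host

    foreach ($app in $apps) {
        # -WhatIf prints what would happen; with ConfirmImpact High the user is prompted
        # for each app unless -Confirm:$false is passed.
        if ($PSCmdlet.ShouldProcess("$($app.DisplayName) ($($app.ObjectId))", "Remove-AzureADApplication")) {
            Remove-AzureADApplication -ObjectId $app.ObjectId
        }
    }
}

# Dry run first, then the real deletion with a cap on how many apps may match:
Remove-AppRegistrationByPrefix -Prefix 'wordpress' -WhatIf
# Remove-AppRegistrationByPrefix -Prefix 'wordpress' -Expected 3
```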
Managing Azure AD Applications with PowerShell Conclusion
Registering your apps in Azure Active Directory provides some benefits, like granting API access and single sign-on (SSO) to the app. Essentially, apps registered in Azure AD enjoy Azure AD authentication and authorization – allowing users to sign in to your app with their Azure AD (work or school) account.
This article explained how to register an app in Azure AD using the New-AzureADApplication PowerShell command.
Additionally, we explained how to configure Azure AD app permissions and client secrets using PowerShell.
We also explored multiple ways to list registered apps with the Get-AzureADApplication cmdlet. Specifically, we discussed examples using the Filter and ObjectId parameters.
Finally, the article explained how to delete unwanted Azure AD apps by piping Get-AzureADApplication to the Remove-AzureADApplication command, including a script for deleting multiple apps.
Related posts:
- How to Create Azure AD Application Registration (Step by Step)
- Get-AzureADGroup: PowerShell Group Reporting Filter Examples
- Connect-AzureAD – How to Connect to Azure AD using Powershell
- Get-MgUser – Find Azure AD Users and Filter using PowerShell Script
- New-MgGroupMemberByRef – Add Users to Azure AD Group using Powershell