AZURE AD APP REGISTRATION — CREATE APPLICATION USING MS GRAPH API AND POWERSHELL — PART 1

Pujah Goviel
4 min read · Jan 6, 2022
Azure AD Application Registration — Create new registration

Hi everyone, this is my first article on Medium, and I will be writing about my favorite topic: Azure AD. I have spent a lot of time learning about application registrations within Azure AD, a platform that offers the ability to create registrations for applications and assign permissions to them.

This article assumes you are familiar with the topic. App registration is a very extensive subject, and creating apps via the portal can be a repetitive and tedious task. So I will be focusing on how we can create app registrations programmatically using MS Graph APIs via PowerShell.

I will be covering the following:

  1. Pre-requisites
  2. Create a master App registration and grant it the API permission “Application.ReadWrite.All”. This will be used to generate the access token in step 3.
  3. How to generate an access token to call the Microsoft Graph REST API.
  4. How to create an Application Registration using the MS Graph REST API via PowerShell.

Pre-requisites

  • An Azure account with an active subscription.
  • Azure AD role “Application Administrator”, which has permission to manage applications in Azure Active Directory (Azure AD). This is not needed for running the script if you already have a master app registration with the API permission “Application.ReadWrite.All”. The next section explains how to create the master app registration.
  • Azure AD tenant.
  • PowerShell installed on your local computer to run the scripts.
  • Optionally, VS Code installed on your local computer (if you want to play around with the scripts).

Create a master App registration

The first step is to create a new App Registration in the Azure Portal and assign the API permission “Application.ReadWrite.All” to the app. This application’s credentials will be used to authenticate to Azure AD and generate an access token to call the MS Graph REST APIs.

To create one, go to Azure AD in the Azure Portal, click on App registrations, then click on New registration. Enter a name and click on Register (leaving everything else as default). I have created an App Registration with the display name “AppRegAutomation”.

Once created, go to API permissions and add the Application.ReadWrite.All application permission. An application permission only takes effect once an administrator grants admin consent for it; until then, tokens issued to the app will not carry the permission.

The next step is to create client credentials for this app registration, under Certificates & secrets:

Grab the secret value as shown in the screenshot above; the portal displays the value only once, immediately after the secret is created.

Also grab the client Id (Application Id) from the Overview page, as shown below:

Also in the Azure portal, go to Azure AD and grab the tenant Id.

Generate Access Token

Finally, to generate the token, I am using the PowerShell script below to invoke the OAuth token URL. Replace the placeholder values in angle brackets with the values collected above.

$tenantId = "<your tenant Id>"
$clientId = "<your app registration client Id>"
$clientSecret = "<your app registration secret>"
$url = "https://login.microsoftonline.com/$tenantId/oauth2/token"

$body = "grant_type=client_credentials&client_id=$clientId&client_secret=$clientSecret&resource=https://graph.microsoft.com"
$header = @{
"Content-Type" = 'application/x-www-form-urlencoded'
}
$request = Invoke-WebRequest -Method 'Post' -Uri $url -Body $body -Headers $header
# The access token is in the JSON response body; later calls send it as a Bearer header
$token = ($request.Content | ConvertFrom-Json).access_token

This returns an access token that carries the permission to call the MS Graph APIs for creating applications.
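The following is an added example, not code from the article or from its GitHub repository. It requests the same client-credentials token as the script above, but passes the form fields as a hashtable so that a secret containing characters such as & or + is URL-encoded correctly, and then decodes the token's payload locally to confirm that the token is issued for Microsoft Graph and actually carries the Application.ReadWrite.All app role before any Graph call is attempted. The tenant, client Id and secret values are assumed to be supplied by the caller.

```powershell
# Added example (not from the article or its repository): obtain a Graph token with the
# master app's client credentials and check its audience and app roles before use.
# Assumption: the caller supplies TenantId, ClientId and ClientSecret; the v1 token
# endpoint is used, as in the article.

function Get-GraphAppToken {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret
    )
    $url = "https://login.microsoftonline.com/$TenantId/oauth2/token"
    # A hashtable body lets Invoke-RestMethod form-encode every value, so a secret that
    # contains '&', '+' or '%' reaches the token endpoint intact.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        resource      = 'https://graph.microsoft.com'
    }
    $response = Invoke-RestMethod -Method Post -Uri $url -Body $body `
        -ContentType 'application/x-www-form-urlencoded'
    return $response.access_token
}

function ConvertFrom-JwtPayload {
    # Decode the payload segment of a JWT (base64url, unpadded) into an object.
    # This only reads the claims; it does not verify the signature.
    param([Parameter(Mandatory)] [string] $Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

function Test-GraphTokenRole {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [string] $RequiredRole = 'Application.ReadWrite.All'
    )
    $claims = ConvertFrom-JwtPayload -Jwt $Token
    # Graph tokens carry either the resource URL or the Graph app id as audience.
    $graphAudiences = @('https://graph.microsoft.com', 'https://graph.microsoft.com/',
                        '00000003-0000-0000-c000-000000000000')
    $audienceOk = $claims.aud -in $graphAudiences
    # App roles appear in the 'roles' claim only after admin consent has been granted.
    $roleOk = @($claims.roles) -contains $RequiredRole
    if (-not $audienceOk) { Write-Warning "Token audience is '$($claims.aud)', not Microsoft Graph." }
    if (-not $roleOk)     { Write-Warning "Token lacks app role '$RequiredRole'; admin consent may be missing." }
    return ($audienceOk -and $roleOk)
}

# Usage (placeholders, to be replaced by the caller):
# $token = Get-GraphAppToken -TenantId '<tenant id>' -ClientId '<client id>' -ClientSecret '<secret>'
# if (Test-GraphTokenRole -Token $token) { 'Token is ready for the applications endpoint.' }
```

Checking the roles claim up front turns the most common failure (permission added in the portal but admin consent never granted) into a clear warning instead of a 403 from the applications endpoint later.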

Create Application using Graph API

To create the application, the REST API call below is invoked via PowerShell:

$DisplayName = "<display name of the application to create>"
$url = "https://graph.microsoft.com/v1.0/applications"
$header = @{
Authorization = "Bearer $token"
}
$postBody = @"
{
"displayName": "$DisplayName"
}
"@
try
{
$appRegistration = Invoke-RestMethod -Method 'POST' -Uri $url -Body $postBody -ContentType 'application/json' -Headers $header
}
catch
{
# Graph returns a JSON error body; show it rather than only the HTTP status
Write-Error $_.ErrorDetails.Message
}
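The following is an added example, not code from the article or from its repository. It performs the same POST to the applications endpoint, but builds the JSON body with ConvertTo-Json (so a display name containing quotes cannot break or alter the request), checks first whether a registration with that display name already exists (Azure AD does not enforce unique display names), pins the sign-in audience to the home tenant, and surfaces the error object Graph returns when a request is rejected. The token is assumed to be one obtained for https://graph.microsoft.com with Application.ReadWrite.All, as in the previous section.

```powershell
# Added example (not from the article or its repository): create an app registration
# via Microsoft Graph with a safely built JSON body and a duplicate-name check.
# Assumption: $Token is a Graph access token carrying Application.ReadWrite.All.

function Get-GraphApplicationByName {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $DisplayName
    )
    # OData string literals are single-quoted; an embedded quote is escaped by doubling it.
    $literal = $DisplayName.Replace("'", "''")
    $filter  = [uri]::EscapeDataString("displayName eq '$literal'")
    $url     = "https://graph.microsoft.com/v1.0/applications?`$filter=$filter"
    $result  = Invoke-RestMethod -Method Get -Uri $url -Headers @{ Authorization = "Bearer $Token" }
    return @($result.value)
}

function New-GraphApplication {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $DisplayName,
        # Single-tenant by default; widen only when the app really must be multi-tenant.
        [string] $SignInAudience = 'AzureADMyOrg'
    )
    $existing = Get-GraphApplicationByName -Token $Token -DisplayName $DisplayName
    if ($existing.Count -gt 0) {
        throw "An application named '$DisplayName' already exists (appId $($existing[0].appId))."
    }

    # ConvertTo-Json escapes quotes and backslashes, so a name such as My "Test" App
    # can neither break the JSON nor inject additional properties into the request.
    $postBody = @{
        displayName    = $DisplayName
        signInAudience = $SignInAudience
    } | ConvertTo-Json

    try {
        $app = Invoke-RestMethod -Method Post -Uri 'https://graph.microsoft.com/v1.0/applications' `
            -Headers @{ Authorization = "Bearer $Token" } -ContentType 'application/json' -Body $postBody
    }
    catch {
        # Graph returns a JSON error object; report its code and message, not just the HTTP status.
        $detail = $_.ErrorDetails.Message
        if ($detail) {
            $err = ($detail | ConvertFrom-Json).error
            throw "Graph rejected the request: $($err.code) - $($err.message)"
        }
        throw
    }

    # Return the identifiers later steps need: the object id for PATCH calls, the appId for clients.
    return [pscustomobject]@{
        ObjectId    = $app.id
        AppId       = $app.appId
        DisplayName = $app.displayName
    }
}

# Usage (placeholders):
# $new = New-GraphApplication -Token $token -DisplayName 'AppRegAutomation-Demo'
# $new | Format-List
```

The returned object id (not the appId) is the value the follow-up scripts will need when they PATCH properties such as app roles or redirect URIs onto the registration.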

I have created a GitHub repository that has all the above scripts; the entry point is CreateSimpleApplicationRegistration.ps1.

My GitHub repository link is:

https://github.com/Pujago/ApplicationRegistrationUsingMSGraphAPIs-Public

How does the script work?

  1. CreateSimpleApplicationRegistration.ps1 will first authenticate to Azure AD (using the script ConnectToAzureAD.ps1).
  2. Then it will generate an access token (a JWT) using the script GenerateToken.ps1. This is needed to call the MS Graph REST API.
  3. Once authenticated, it will create the application.

Note: To run the script locally, you will still need to log in using Connect-AzAccount with the master app registration credentials. Or, if you have the Application Administrator role, you can log in with your own credentials. But the first option is preferred if you want to automate running the script.

Please follow the steps below to use the repository:

  1. Go to the link: https://github.com/Pujago/ApplicationRegistrationUsingMSGraphAPIs-Public
  2. Clone the repository.
  3. Open a PowerShell terminal, go to the repository location, then go to the scripts folder.
  4. Edit GenerateToken.ps1 and update your credentials, i.e. Tenant Id, client Id and secret.

Once done, run the following commands:

Connect to Azure account:

You can use this script code to connect using master app credentials:

$ServicePrincipalUser = "<Master app registration Client Id>"
$ServicePrincipalPW = "<Master app registration client secret>"

# The Az module expects the secret as a SecureString inside a PSCredential
$passwd = ConvertTo-SecureString $ServicePrincipalPW -AsPlainText -Force

$pscredential = New-Object System.Management.Automation.PSCredential($ServicePrincipalUser, $passwd)

Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant "<Your tenant Id>"

Or, if you have the “Application Administrator” role, you can use the command below to log in.

Connect-AzAccount -TenantId <Your tenant ID>
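The following is an added example, not code from the article or from its repository. It connects with the master app's service principal without the secret ever being written into a script: the secret is read from an environment variable (APPREG_CLIENT_SECRET is a hypothetical name chosen for this example) or, when that is absent, prompted for as a SecureString, and after connecting it verifies that the resulting session really is the expected service principal in the expected tenant before anything that modifies the directory is run.

```powershell
# Added example (not from the article or its repository): connect as the master app's
# service principal with the secret supplied out of band, then verify the context.
# Assumption: the Az.Accounts module is installed; APPREG_CLIENT_SECRET is a
# hypothetical environment variable name used only by this example.

function Connect-MasterApp {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId
    )
    if ($env:APPREG_CLIENT_SECRET) {
        # Secret injected by the pipeline or shell; never stored in the script file.
        $secret = ConvertTo-SecureString $env:APPREG_CLIENT_SECRET -AsPlainText -Force
    }
    else {
        # Interactive fallback: the value is masked while typed and kept as a SecureString.
        $secret = Read-Host -Prompt "Client secret for $ClientId" -AsSecureString
    }
    $credential = New-Object System.Management.Automation.PSCredential($ClientId, $secret)

    $null = Connect-AzAccount -ServicePrincipal -Credential $credential -Tenant $TenantId

    # Confirm the session is the intended service principal in the intended tenant.
    $ctx = Get-AzContext
    if ($ctx.Tenant.Id -ne $TenantId -or $ctx.Account.Id -ne $ClientId) {
        throw "Connected as '$($ctx.Account.Id)' in tenant '$($ctx.Tenant.Id)', not the expected master app."
    }
    return $ctx
}

# Usage (placeholders):
# Connect-MasterApp -TenantId '<tenant id>' -ClientId '<master app client id>'
```

The context check matters when the same shell has been used against several tenants: Connect-AzAccount silently becomes the current context, and creating registrations in the wrong tenant is an easy mistake to make from an automation box.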

Run the script:

.\CreateSimpleApplicationRegistration.ps1 -appName "<Enter a display name you want to create>"

This is the first step, creating a basic application. I will be writing separate blogs on updating various other properties of the application, like creating app roles, creating scopes, creating password credentials, setting redirect URIs, setting reply URLs, creating the service principal, setting API permissions, and pre-authorizing applications.

I will be creating separate PowerShell scripts for updating each app registration property, as it keeps the code neat, simple and loosely coupled.

Happy reading.

Originally published at https://www.leogether.com.

Pujah Goviel

I am a cloud enthusiast and passionate towards cloud platforms. I am a DevOps Expert and my area of interest is automation and CI/CD.