I am creating a script to create a new app registration within Azure.
So far, all is working well, I can create the app, create the service principal, set a secret and add a redirect uri.
The issue I face is that I can create a delegation permission for the application using the below function:
# Resource (API) app IDs and the delegated scope IDs to request from them
$graph = "00000003-0000-0000-c000-000000000000"
$sharePoint = "00000003-0000-0ff1-ce00-000000000000"
$userRead = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
$myFilesWrite = "2cfdc887-d7b4-4798-9b33-3d98d6b95dd2"
$allSitesWrite = "640ddd16-e5b7-4d71-9690-3f4022699ee7"
# $myApp is the application object created earlier in the script (e.g. via New-AzureADApplication)
Function SetPermissions($resourceId, $argument)
{
    $rra = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $rra.ResourceAppId = $resourceId
    $rra.ResourceAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $argument, "Scope"
    Set-AzureADApplication -ObjectId $myApp.ObjectId -RequiredResourceAccess $rra
}
SetPermissions $graph $userRead
but I will need three permissions for my app - when I call the function a second time it just overwrites the existing permission rather than adding a new one.
Any advice on how I can create multiple app permissions?
CodePudding user response:
I tried to reproduce the same in my environment and got the below results.
When I ran the same code as you, the User.Read permission was added to the application like below:
Now I changed the arguments and ran the code again as below:
$myApp = Get-AzureADApplication -SearchString MyApp
$graph = "00000003-0000-0000-c000-000000000000"
$sharePoint = "00000003-0000-0ff1-ce00-000000000000"
$userRead = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
$myFilesWrite = "2cfdc887-d7b4-4798-9b33-3d98d6b95dd2"
$allSitesWrite = "640ddd16-e5b7-4d71-9690-3f4022699ee7"
Function SetPermissions($resourceId, $argument)
{
    $rra = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $rra.ResourceAppId = $resourceId
    $rra.ResourceAccess = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $argument, "Scope"
    Set-AzureADApplication -ObjectId $myApp.ObjectId -RequiredResourceAccess $rra
}
SetPermissions $sharePoint $allSitesWrite # Changed this
Response:
When I checked the same in the Portal, the existing permission was removed and the new permission added like below:
To add multiple delegated permissions to an Azure AD application from PowerShell, you can make use of the below script:
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = "00000003-0000-0000-c000-000000000000"
$SharePoint = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$SharePoint.ResourceAppId = "00000003-0000-0ff1-ce00-000000000000"
$userRead = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d","Scope"
$myFilesWrite = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "2cfdc887-d7b4-4798-9b33-3d98d6b95dd2","Scope"
$allSitesWrite = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "640ddd16-e5b7-4d71-9690-3f4022699ee7","Scope"
$Graph.ResourceAccess = $userRead
$SharePoint.ResourceAccess = $myFilesWrite, $allSitesWrite
$myApp = Get-AzureADApplication -SearchString MyApp
Set-AzureADApplication -ObjectId $myApp.ObjectId -RequiredResourceAccess $Graph, $SharePoint
Response:
When I checked the same in the Portal, multiple delegated permissions were added to the application successfully like below:
Reference:
How to assign Permissions to Azure AD App by using PowerShell by rajaniesh
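The answer's script fixes the overwrite by building the whole RequiredResourceAccess list in one Set-AzureADApplication call. The following is an added example, not code from the question or the answer, that goes one step further: it reads the permissions already on the application, merges in only the scopes that are missing, and writes the merged list back, so the script can be re-run (or extended later) without silently dropping permissions that were set earlier. It assumes the AzureAD module is loaded, Connect-AzureAD has been run with rights to modify the application, and an application named MyApp exists; the resource and scope IDs are the ones quoted in the thread, and the function name Merge-RequiredResourceAccess is my own. Note that the AzureAD module this thread uses has since been deprecated in favour of the Microsoft Graph PowerShell SDK, but the same merge-then-set idea applies there.

```powershell
# Added example; assumes Connect-AzureAD has already been run.
$graphAppId      = "00000003-0000-0000-c000-000000000000"
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"

# Desired delegated scopes per resource API (IDs taken from the thread).
$desired = @{
    $graphAppId      = @("e1fe6dd8-ba31-4d61-89e7-88639da4683d")   # User.Read
    $sharePointAppId = @("2cfdc887-d7b4-4798-9b33-3d98d6b95dd2",   # $myFilesWrite in the thread
                         "640ddd16-e5b7-4d71-9690-3f4022699ee7")   # $allSitesWrite in the thread
}

function Merge-RequiredResourceAccess {
    param(
        $Existing,                                  # current RequiredResourceAccess list (may be empty)
        [Parameter(Mandatory)] [hashtable] $Desired # resourceAppId -> array of scope IDs
    )
    # Index what the application already requests, keyed by resource app ID.
    $byResource = @{}
    foreach ($rra in @($Existing)) {
        if ($null -ne $rra) { $byResource[$rra.ResourceAppId] = $rra }
    }

    foreach ($resourceId in $Desired.Keys) {
        if (-not $byResource.ContainsKey($resourceId)) {
            # First time we see this resource: start a new entry for it.
            $new = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
            $new.ResourceAppId  = $resourceId
            $new.ResourceAccess = @()
            $byResource[$resourceId] = $new
        }
        $rra     = $byResource[$resourceId]
        $present = @($rra.ResourceAccess | ForEach-Object { $_.Id })
        $toAdd   = @()
        foreach ($scopeId in $Desired[$resourceId]) {
            if ($present -notcontains $scopeId) {
                # Only delegated ("Scope") permissions are requested here, matching the thread.
                $toAdd += New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $scopeId, "Scope"
            }
        }
        # Reassign the combined list rather than replacing it, so nothing already granted is lost.
        $rra.ResourceAccess = @($rra.ResourceAccess) + $toAdd
    }
    return @($byResource.Values)
}

$myApp  = Get-AzureADApplication -SearchString "MyApp"
$merged = Merge-RequiredResourceAccess -Existing $myApp.RequiredResourceAccess -Desired $desired
Set-AzureADApplication -ObjectId $myApp.ObjectId -RequiredResourceAccess $merged

# Read back and print what the application now requests, so the result can be reviewed
# against what the app actually needs before anyone is asked to consent to it.
$check = Get-AzureADApplication -ObjectId $myApp.ObjectId
foreach ($rra in $check.RequiredResourceAccess) {
    $scopes = ($rra.ResourceAccess | ForEach-Object { "$($_.Id) ($($_.Type))" }) -join ", "
    "$($rra.ResourceAppId): $scopes"
}
```

Because the merge is driven by a single $desired table, that table is also the place to review which permissions the registration asks for: every entry is something a user (or an admin, for scopes that require admin consent) will be asked to grant, so keeping it to the minimum the app needs is the least-privilege check worth doing before running the script.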