Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service resources. Many of my blog posts that talk about automation using PowerShell scripts will need an Azure AD Application registered and assigned the permissions required to accomplish the task.
In this post, I will talk about creating/registering an application in Azure AD and assigning a few permissions, which will be referenced in follow-up posts.
I do not intend to dive deep into each and every aspect of Azure AD App registration, as that is out of scope for the work I intend to publish in my blog. I will lay out only the minimum steps required to accomplish our automation goals.
1. Launch https://portal.azure.com and sign in as a user who has permission to create and register an Azure AD Application. The Global Administrator role is preferred, as it is required to grant consent once the required permissions are assigned. If you are not a Global Admin, create the app and assign the permissions, then reach out to a Global Admin and request that they grant consent.
2. Navigate to Azure Active Directory and verify in the tenant information that this is the tenant you need access to.
3. On the left-hand menu, click App registrations under the Manage section, then click New registration.
4. Give the application a meaningful name, keep the default option (Single tenant) and click Register.
5. Once created, open the registered app and note down the Directory (tenant) ID and the Application (client) ID. These values will be needed for the script.
6. Next, navigate to Certificates and secrets and create a New client secret. Give it a meaningful name, choose an expiry (up to 2 years) and click Add.
7. Once you click Add, you will see a success notification at the top right and the client secret's ID and Value at the bottom. Note the VALUE, which will be required in our PowerShell scripts. It is VERY IMPORTANT to copy the Value and store it securely: the portal will not show it again once you navigate away from the registered application and come back.
8. The next step is to assign the required permissions. For our example, we will consider the permission required to add/update/modify Autopilot device entries (hardware hashes): DeviceManagementServiceConfig.ReadWrite.All.
9. Navigate to API permissions and click Add a permission. Choose Microsoft Graph.
10. Choose Delegated or Application permissions. Delegated permissions work in the context of an authenticated user, and that user must also have valid permissions to access the intended resource, granted through Azure AD roles. The choice depends on your organization's security requirements; however, if you intend to run scripts unattended, Application permissions are the choice you should make. Also note that not all API endpoints support both types of permission. The documentation page of each API resource states which permissions it requires and of which type. One such example is given below.
11. If you choose any permissions under Delegated permissions, or if you ever plan to use this Azure AD Application with delegated permissions, the following must be enabled: under Authentication, enable Allow public client flows, as this is required for accessing the information through PowerShell.
12. Once the type is chosen, search for the required permission. Select the permission and click Add permission. Also note the Admin consent required column.
13. Once added, you will see the permission listed with a status of not granted (if Admin consent required = Yes). If you are a Global Admin, click the Grant admin consent option highlighted above, or reach out to a user with the Global Administrator role and ask them to grant consent.
14. After granting admin consent and providing the additional confirmation shown below, the status will change to Granted.
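As an added example (not code from the original post), the following script shows what the Allow public client flows switch from step 11 actually enables: a delegated sign-in from PowerShell using the OAuth 2.0 device code flow, requesting only the DeviceManagementServiceConfig.ReadWrite.All permission discussed above and then reading the Autopilot device list that this permission covers. The tenant ID and client ID are placeholders you replace with the values noted in step 5; the script uses only the standard Azure AD v2.0 endpoints and the Graph v1.0 windowsAutopilotDeviceIdentities endpoint.

```powershell
# Added example: delegated sign-in with the device code flow (a public client flow).
# Placeholder values below are assumptions; replace them with your own.
$TenantId = '<tenant-id>'
$ClientId = '<client-id>'
# Request only the permission this automation needs (least privilege), not .default.
$Scope    = 'https://graph.microsoft.com/DeviceManagementServiceConfig.ReadWrite.All'

$authority = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0"

# Step 1: ask Azure AD for a device code (for the script) and a user code (for the person).
$device = Invoke-RestMethod -Method Post -Uri "$authority/devicecode" -Body @{
    client_id = $ClientId
    scope     = $Scope
}
Write-Host $device.message   # tells the user which URL to open and which code to enter

# Step 2: poll the token endpoint until the user has completed sign-in or the code expires.
$deadline = (Get-Date).AddSeconds($device.expires_in)
$token    = $null
while (-not $token -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds $device.interval
    try {
        $token = Invoke-RestMethod -Method Post -Uri "$authority/token" -Body @{
            grant_type  = 'urn:ietf:params:oauth:grant-type:device_code'
            client_id   = $ClientId
            device_code = $device.device_code
        }
    }
    catch {
        # While the user has not finished, Azure AD answers HTTP 400 with a JSON error body.
        $err = $null
        if ($_.ErrorDetails.Message) { $err = $_.ErrorDetails.Message | ConvertFrom-Json }
        if ($err.error -eq 'authorization_pending') { continue }
        if ($err.error -eq 'slow_down') { Start-Sleep -Seconds 5; continue }
        throw "Device code sign-in failed: $($err.error) - $($err.error_description)"
    }
}
if (-not $token) { throw 'Device code expired before the user signed in.' }

# This is a delegated token: it carries the user's identity and an "scp" claim, so Graph
# enforces both the consented scope and the user's own Azure AD role on every call.
$headers = @{ Authorization = "Bearer $($token.access_token)" }
$devices = Invoke-RestMethod -Headers $headers `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/windowsAutopilotDeviceIdentities'
$devices.value | Select-Object id, serialNumber, groupTag
```

If the Allow public client flows switch is left off, the devicecode request is rejected because the app is treated as a confidential client, which is the symptom to look for when this flow fails right after registration.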
Now you can use the Directory (tenant) ID and Application (client) ID obtained in step 5 and the Client Secret value obtained in step 7 in the PowerShell scripts.
Also, if you make any changes to the API permissions for this application (add or remove), you need to reauthenticate to get a new token that carries the updated permissions.
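As an added example (not code from the original post), here is how the three values from steps 5 and 7 are used in an unattended script with Application permissions, together with the check a practitioner wants before the automation runs: decode the access token and confirm that the consented permission is really present in its roles claim. Because tokens are not updated in place, this is also the check that catches the situation described just above, where API permissions were changed but the script is still using a token issued before the change. The tenant ID, client ID and expected permission are placeholders or taken from this post; the secret is prompted for so it never sits in the script file.

```powershell
# Added example: client-credentials token for an Application permission, then verify the
# "roles" claim before doing any work. Placeholder values are assumptions; use your own.
$TenantId      = '<tenant-id>'
$ClientId      = '<client-id>'
$SecureSecret  = Read-Host -Prompt 'Client secret value' -AsSecureString
$ExpectedRoles = @('DeviceManagementServiceConfig.ReadWrite.All')

function Get-GraphAppToken {
    param([string]$TenantId, [string]$ClientId, [securestring]$Secret)
    # NetworkCredential unwraps the SecureString on both Windows PowerShell 5.1 and PowerShell 7.
    $plain = [System.Net.NetworkCredential]::new('', $Secret).Password
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $plain
        scope         = 'https://graph.microsoft.com/.default'   # every consented application permission
    }
    Invoke-RestMethod -Method Post -Body $body `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
}

function ConvertFrom-JwtPayload {
    param([string]$Jwt)
    # A JWT is header.payload.signature, each part base64url encoded; only the payload is needed here.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

$token  = Get-GraphAppToken -TenantId $TenantId -ClientId $ClientId -Secret $SecureSecret
$claims = ConvertFrom-JwtPayload -Jwt $token.access_token

# Application tokens list consented application permissions in "roles"; delegated tokens use "scp".
$granted = @($claims.roles | Where-Object { $_ })
$missing = $ExpectedRoles | Where-Object { $_ -notin $granted }
$extra   = $granted       | Where-Object { $_ -notin $ExpectedRoles }

if ($missing) {
    # Either admin consent was never granted, or this token was issued before the permission
    # was added to the app registration: request a fresh token after any API permission change.
    throw "Token is missing required permission(s): $($missing -join ', '). Check admin consent and request a new token."
}
if ($extra) {
    Write-Warning "Token carries permissions this script does not need: $($extra -join ', '). Consider removing them from the app registration."
}

$expires = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).LocalDateTime
Write-Host "Token OK for app $($claims.appid) in tenant $($claims.tid); expires $expires"
$headers = @{ Authorization = "Bearer $($token.access_token)" }   # use on subsequent Graph calls
```

The missing/extra split is deliberate: a missing role means the script will get 403 responses and should stop before touching anything, while an extra role is a least-privilege finding against the app registration itself rather than against the script.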