Grant access to Azure AD

This page walks through the steps to grant AzureCP access to your Azure AD tenant by creating an app registration in that tenant.

Permissions required

AzureCP requires the Microsoft Graph permissions GroupMember.Read.All and User.Read.All, of type application (not delegated). AzureCP calls Microsoft Graph as the application itself, with no signed-in user, so delegated permissions would never apply:

At the end of the configuration, the "API permissions" blade of the app registration should list exactly these two application permissions, both with admin consent granted, and nothing else.

Create the app registration

You can register the application using any of the following: the Azure portal, the CLI for Microsoft 365 (m365), or the Azure CLI (az).

Create the app registration using the Azure portal

  1. Sign in to your Azure Active Directory tenant.
  2. Go to “App Registrations” > “New registration” > Type the following information:
    • Name: AzureCP
    • Supported account types: “Accounts in this organizational directory only (Single tenant)”
  3. Click on “Register”
  4. Click on “API permissions”
    • Remove the default permission (the delegated Microsoft Graph permission User.Read that every new registration gets): AzureCP does not need it.
    • Add a permission > Select “Microsoft Graph” > “Application permissions”. Select GroupMember.Read.All and User.Read.All.
    • Click on “Grant admin consent for TenantName” > Yes
  5. Click on “Certificates & secrets”: AzureCP supports both a certificate and a client secret, choose either option depending on your needs. A certificate avoids handling a shared secret; if you create a secret, copy its value right away, as the portal shows it only once, and note its expiration date, since AzureCP stops working when it expires.

Create the app registration using m365 cli

The CLI for Microsoft 365 (m365) is the simplest option: a single command creates the application, creates a secret and sets the permissions.
However, with the current version (v5.1.0 at the time of this writing), the admin consent still needs to be granted manually.

  1. Create the application:

    m365 login
    # m365 aad app add will return all the information that AzureCP needs to connect.
    m365 aad app add --name "AzureCP" --withSecret --apisApplication 'https://graph.microsoft.com/User.Read.All,https://graph.microsoft.com/GroupMember.Read.All'
    
  2. Grant admin consent to the app registration in the Azure portal (see step 4 of the Azure portal procedure above).

Create the app registration using az cli

This bash script creates the application, adds a secret, sets the permissions and grants the admin consent.
It can be used in Azure Cloud Shell or in a local shell with the Azure CLI installed. The account running it must be allowed to grant tenant-wide admin consent (for example Global Administrator or Privileged Role Administrator), otherwise the last two calls are rejected:

# Stop at the first failing command instead of continuing with empty variables
set -e

# Sign in to the Azure AD tenant. Use --allow-no-subscriptions if it doesn't have a subscription,
# and add --tenant <tenant id> if your account has access to several tenants
az login --allow-no-subscriptions

appName="AzureCP"

echo "Creating application '$appName'..."
# Capture the application (client) id from the create output rather than looking it up by
# display name, which is ambiguous if another registration uses the same name.
# The client secret is created separately with "az ad app credential reset" below.
appId=$(az ad app create --display-name "$appName" --query appId -o tsv)

echo "Creating service principal for application id '$appId'..."
az ad sp create --id "$appId"
# Get the object id of the service principal, needed to grant the required permissions.
# Azure CLI 2.37+ (Microsoft Graph based) exposes it as 'id', older versions as 'objectId'.
spObjectId=$(az ad sp show --id "$appId" --query 'id || objectId' -o tsv)
echo "Application '$appName' was created with client id '$appId', and its service principal with objectId '$spObjectId'"

# Create a secret
# The column order of the tsv output changed between Azure CLI versions, so query the 'password' key explicitly
appSecret=$(az ad app credential reset --id "$appId" --query password -o tsv)

# Retrieve the id of the permissions to grant
# 00000003-0000-0000-c000-000000000000 is the well-known application id of Microsoft Graph
userPermId=$(az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[?value=='User.Read.All'].id" --output tsv)
groupPermId=$(az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[?value=='GroupMember.Read.All'].id" --output tsv)
msGraphResourceId=$(az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "id || objectId" --output tsv)

# Declare the required permissions on the application (this is what the "API permissions" blade shows).
# The declaration alone grants nothing: the actual grant is the appRoleAssignments created further below.
az ad app update --id $appId --required-resource-accesses "[{
        \"resourceAppId\": \"00000003-0000-0000-c000-000000000000\",
        \"resourceAccess\": [{
                        \"id\": \"$userPermId\",
                        \"type\": \"Role\"
                },
                {
                        \"id\": \"$groupPermId\",
                        \"type\": \"Role\"
                }
        ]
        }]"

echo "Grant admin consent to Microsoft Graph permissions User.Read.All (id '$userPermId') and GroupMember.Read.All (id '$groupPermId') for service principal '$spObjectId'..."
# Wait before granting the permissions to avoid error "Request_ResourceNotFound" on the service principal just created
sleep 20
# Grant permissions to the service principal of the application
az rest --method POST \
        --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spObjectId/appRoleAssignments" \
        --body "{
        \"principalId\": \"$spObjectId\",
        \"resourceId\": \"$msGraphResourceId\",
        \"appRoleId\": \"$userPermId\"
        }"

az rest --method POST \
        --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spObjectId/appRoleAssignments" \
        --body "{
        \"principalId\": \"$spObjectId\",
        \"resourceId\": \"$msGraphResourceId\",
        \"appRoleId\": \"$groupPermId\"
        }"

# The secret is printed once so it can be copied into the AzureCP configuration. It also ends up in the
# terminal scrollback and, in Cloud Shell, in the session history: paste it into AzureCP right away and
# clear the variable and history afterwards (unset appSecret; history -c).
echo "Application $appName was created with client id '$appId' and client secret '$appSecret'"
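Whichever procedure you used, the end state to verify is the one stated under "Permissions required": exactly User.Read.All and GroupMember.Read.All as Microsoft Graph application permissions, and exactly those two roles granted by admin consent. The following Python script is an added example, not code from the AzureCP project: it performs that check offline on the two JSON shapes the az script above works with, the appRoles list of the Microsoft Graph service principal (`az ad sp show --id 00000003-0000-0000-c000-000000000000 --query appRoles`) and the appRoleAssignments of the AzureCP service principal (`GET /servicePrincipals/{id}/appRoleAssignments`). It also builds the requiredResourceAccess block the script passes to `az ad app update`, and flags a delegated entry (type "Scope") as a mistake. All ids in the sample data are constructed placeholders, not the real Graph role ids.

```python
"""Offline least-privilege audit of the AzureCP app registration (added example).

Not part of the AzureCP project. Role and object ids below are constructed
placeholders; in a real check they come from the az commands named in the
lead-in.
"""
import json

MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known Microsoft Graph app id
REQUIRED_ROLES = ("User.Read.All", "GroupMember.Read.All")

# Constructed subset of Microsoft Graph's appRoles (ids are placeholders).
GRAPH_APP_ROLES = [
    {"id": "aaaaaaaa-0000-0000-0000-000000000001", "value": "User.Read.All",
     "allowedMemberTypes": ["Application"]},
    {"id": "aaaaaaaa-0000-0000-0000-000000000002", "value": "GroupMember.Read.All",
     "allowedMemberTypes": ["Application"]},
    {"id": "aaaaaaaa-0000-0000-0000-000000000003", "value": "Directory.Read.All",
     "allowedMemberTypes": ["Application"]},
]
# Constructed object id of the Microsoft Graph service principal in the tenant.
GRAPH_SP_OBJECT_ID = "bbbbbbbb-0000-0000-0000-000000000000"


def application_role_ids(graph_app_roles, wanted=REQUIRED_ROLES):
    """Map permission name -> Graph appRole id, accepting only application-type roles."""
    ids = {}
    for role in graph_app_roles:
        if role["value"] in wanted and "Application" in role.get("allowedMemberTypes", []):
            ids[role["value"]] = role["id"]
    missing = sorted(set(wanted) - set(ids))
    if missing:
        raise KeyError(f"not found as Microsoft Graph application roles: {missing}")
    return ids


def build_required_resource_access(graph_app_roles, wanted=REQUIRED_ROLES):
    """Build the value passed to `az ad app update --required-resource-accesses`."""
    ids = application_role_ids(graph_app_roles, wanted)
    return [{
        "resourceAppId": MS_GRAPH_APP_ID,
        "resourceAccess": [{"id": ids[name], "type": "Role"} for name in wanted],
    }]


def audit_required_resource_access(declared, graph_app_roles, wanted=REQUIRED_ROLES):
    """Compare the permissions declared on the app with the required set.

    Returns (missing, extra) as sorted lists of names. Delegated entries
    (type "Scope") and entries for resources other than Microsoft Graph are
    always reported as extra, as "type:resourceAppId:id".
    """
    id_to_name = {r["id"]: r["value"] for r in graph_app_roles}
    declared_names = set()
    for resource in declared:
        for access in resource["resourceAccess"]:
            if resource["resourceAppId"] == MS_GRAPH_APP_ID and access["type"] == "Role":
                declared_names.add(id_to_name.get(access["id"], access["id"]))
            else:
                declared_names.add(f'{access["type"]}:{resource["resourceAppId"]}:{access["id"]}')
    return sorted(set(wanted) - declared_names), sorted(declared_names - set(wanted))


def audit_app_role_assignments(assignments, graph_sp_object_id, graph_app_roles, wanted=REQUIRED_ROLES):
    """Compare the roles actually granted (admin consent) with the required set.

    Returns (missing, extra) as sorted lists of names; a grant on a resource
    other than Microsoft Graph is reported as "resourceId:appRoleId".
    """
    id_to_name = {r["id"]: r["value"] for r in graph_app_roles}
    granted = set()
    for assignment in assignments:
        if assignment["resourceId"] == graph_sp_object_id:
            granted.add(id_to_name.get(assignment["appRoleId"], assignment["appRoleId"]))
        else:
            granted.add(f'{assignment["resourceId"]}:{assignment["appRoleId"]}')
    return sorted(set(wanted) - granted), sorted(granted - set(wanted))


# Constructed appRoleAssignments of the AzureCP service principal: User.Read.All is
# granted, GroupMember.Read.All is missing and Directory.Read.All was granted by mistake.
SAMPLE_ASSIGNMENTS = [
    {"resourceId": GRAPH_SP_OBJECT_ID, "appRoleId": "aaaaaaaa-0000-0000-0000-000000000001"},
    {"resourceId": GRAPH_SP_OBJECT_ID, "appRoleId": "aaaaaaaa-0000-0000-0000-000000000003"},
]

if __name__ == "__main__":
    print(json.dumps(build_required_resource_access(GRAPH_APP_ROLES), indent=2))
    missing, extra = audit_app_role_assignments(SAMPLE_ASSIGNMENTS, GRAPH_SP_OBJECT_ID, GRAPH_APP_ROLES)
    print("missing roles:", missing)
    print("extra roles (remove them):", extra)
```

To run it against a real tenant, replace the constructed lists with the output of `az ad sp show --id 00000003-0000-0000-c000-000000000000 --query appRoles -o json` and of `az rest --method GET --uri "https://graph.microsoft.com/v1.0/servicePrincipals/$spObjectId/appRoleAssignments" --query value -o json`. Anything reported as extra should be removed, and anything reported as missing means AzureCP lookups will fail at runtime.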