Summary
During the configuration of OfficePlace, you need to create an application registration with rights to read Entra ID objects, read and write calendar entries, and send email in your O365 tenant.
The sections below explain how to set up the app with PowerShell. The script snippets must be run in the same PowerShell session, so that the variables and their values defined in one section carry over to the next.
Note: Making use of this script requires prior knowledge of PowerShell, and it is your responsibility to understand the script before using it. Add-On Products do not take any responsibility for the consequences of improper use.
Prepare PowerShell environment
This guide explains the process of setting up the Entra ID application and the associated RBAC in Exchange Online using PowerShell, so certain modules must be available on your machine.
In order to complete this task you will need the following components:
- PowerShell 7
- ExchangeOnlineManagement module
- Microsoft.Graph module
Complete script is attached as zip.
The script block below checks for the required Microsoft.Graph modules and installs any that are missing on your machine, then imports them into the current session.
#Install required modules if missing
if(-not (Get-InstalledModule Microsoft.Graph.Authentication)){
    Install-Module Microsoft.Graph.Authentication -Scope CurrentUser -Force
}
if(-not (Get-InstalledModule Microsoft.Graph.Applications)){
    Install-Module Microsoft.Graph.Applications -Scope CurrentUser -Force
}
if(-not (Get-InstalledModule Microsoft.Graph.Identity.DirectoryManagement)){
    Install-Module Microsoft.Graph.Identity.DirectoryManagement -Scope CurrentUser -Force
}
if(-not (Get-InstalledModule Microsoft.Graph.Identity.SignIns)){
    Install-Module Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Force
}

#Import modules
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.SignIns
Define script variables
Before creating the Entra ID app you must define a set of variables.
- AppName - The display name of the Entra ID app
- SecretDuration - Lifetime of the Entra ID client secret, in months
- ServiceAccountUPN - UPN of the service account that will be granted the delegated Exchange permission
#Script variables - adjust to your environment
$AppName = "OfficePlace app access"
$SecretDuration = 120
$ServiceAccountUPN = "[email protected]"
Create Entra ID application
Now it is time to create the Entra ID application using the variables defined above.
The script below creates the application. If an application with the same name already exists, the script exits and leaves it to you to either delete the existing application manually or choose a different name for the new one.
The values of the application are stored in a text file in your Downloads folder, and Notepad opens to show them.
###############################################################################
#Connect to your tenant with Graph and required scopes
###############################################################################
Connect-MgGraph -Scopes "Application.ReadWrite.All","User.Read.All","Domain.Read.All","DelegatedPermissionGrant.ReadWrite.All","AppRoleAssignment.ReadWrite.All"
Get-MgContext
Write-Host "Tenant Name: " (Get-MgDomain | Where-Object {$_.IsInitial -eq $true}).Id

###############################################################################
#Create AAD Application
###############################################################################
$ExistingApp = Get-MgApplication -Filter "startswith(displayName,'$AppName')"
If ($ExistingApp){
    Write-Warning -Message "Application already exists - Exiting script"
    Write-Warning -Message "Please delete application $($ExistingApp.AppId) before you proceed with this script"
    break
}Else{
    $App = New-MgApplication -DisplayName $AppName
}
$APPObjectID = $App.Id

###############################################################################
#Add Current user as Owner
###############################################################################
$User = Get-MgUser -UserId (Get-MgContext).Account
$ObjectId = $User.Id
#Reference the signed-in user by object id (no braces around the GUID in the URL)
$NewOwner = @{
    "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$ObjectId"
}
New-MgApplicationOwnerByRef -ApplicationId $APPObjectID -BodyParameter $NewOwner

###############################################################################
#Add a ClientSecret
###############################################################################
$passwordCred = @{
    "displayName" = "ClientSecret"
    "endDateTime" = (Get-Date).AddMonths(+$SecretDuration)
}
$ClientSecret = Add-MgApplicationPassword -ApplicationId $APPObjectID -PasswordCredential $passwordCred

###############################################################################
#Redirect URI
#If you need to add Redirect URI's.
###############################################################################
#Redirect URI
$RedirectURI = @()
$RedirectURI += "https://admin.officeplace.global/"
$params = @{
    RedirectUris = @($RedirectURI)
}
$Web = @{
    implicitGrantSettings = @{
        enableIdTokenIssuance = $true
        enableAccessTokenIssuance = $true
    }
}
Update-MgApplication -ApplicationId $APPObjectID -Spa $params -Web $Web

###############################################################################
#Add Api Permissions
###############################################################################
$requiredGrants = New-Object -TypeName System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphRequiredResourceAccess]

#Microsoft Graph (application permissions)
$requiredResourceAccess = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphRequiredResourceAccess
$requiredResourceAccess.ResourceAppId = "00000003-0000-0000-c000-000000000000"
$requiredResourceAccess.ResourceAccess += @{ Id = "98830695-27a2-44f7-8c18-0c3ebc9698f6"; Type = "Role" } #GroupMember.Read.All - Application
$requiredResourceAccess.ResourceAccess += @{ Id = "df021288-bdef-4463-88db-98f22de89214"; Type = "Role" } #User.Read.All - Application
$requiredGrants.Add($requiredResourceAccess)

#Office 365 Exchange Online (delegated permission)
$requiredResourceAccess = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphRequiredResourceAccess
$requiredResourceAccess.ResourceAppId = "00000002-0000-0ff1-ce00-000000000000"
$requiredResourceAccess.ResourceAccess += @{ Id = "ab4f2b77-0b06-4fc1-a9de-02113fc2ab7c"; Type = "Scope" } #Exchange.Manage - Delegated
$requiredGrants.Add($requiredResourceAccess)

Update-MgApplication -ApplicationId $APPObjectID -RequiredResourceAccess $requiredGrants

###############################################################################
#Create Service Principal if it does not exist.
###############################################################################
$Principal = Get-MgServicePrincipal -Filter "appId eq '$($App.AppId)'"
if (-not $Principal) {
    Write-Host "Creating client app's service principal"
    $Principal = New-MgServicePrincipal -AppId $App.AppId -Description $App.DisplayName
}
Write-Host "Client: '$($Principal.DisplayName)' (appId: $($Principal.AppId))"

###############################################################################
#Grant Admin Consent
###############################################################################
$Resource = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'"
#Grant consent to the application permissions
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $Principal.Id -PrincipalId $Principal.Id -ResourceId $Resource.Id -AppRoleId "98830695-27a2-44f7-8c18-0c3ebc9698f6"
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $Principal.Id -PrincipalId $Principal.Id -ResourceId $Resource.Id -AppRoleId "df021288-bdef-4463-88db-98f22de89214"

#Grant consent for the delegated Exchange permission Exchange.Manage to the service account only
$Resource = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'"
$ServiceAccountUser = Get-MgUser -UserId $ServiceAccountUPN
$params = @{
    "ClientId"    = $Principal.Id
    "ConsentType" = "Principal"
    "ResourceId"  = $Resource.Id
    "Scope"       = "Exchange.Manage"
    "PrincipalId" = $ServiceAccountUser.Id
}
New-MgOauth2PermissionGrant -BodyParameter $params | Format-List Id, ClientId, ConsentType, ResourceId, Scope

###############################################################################
#App details to be used
###############################################################################
$ResultFile = "" + (New-Object -ComObject Shell.Application).Namespace('shell:Downloads').Self.Path + "\" + $AppName + ".txt"
$resultset = @"
Tenant ID: $((Get-MgOrganization).Id)
Tenant Name: $((Get-MgDomain | Where-Object {$_.IsInitial -eq $true}).Id)
App principal ID: $($App.AppId)
App Secret: $($ClientSecret.SecretText)
"@
$resultset | Out-File -FilePath $ResultFile
Invoke-Item $ResultFile
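As an added check, not part of the article or of Add-On Products' script, the block below reads the registration back and confirms it carries only what the script above intended: the signed-in user as owner, a single client secret with the requested lifetime, the two Microsoft Graph application permissions, and the Exchange.Manage delegated grant scoped to the service account rather than to the whole tenant. Run it in the same PowerShell session, since it assumes $App, $Principal, $ServiceAccountUPN and $SecretDuration are still set and the Connect-MgGraph session is still open; the permission GUIDs it expects are the ones used in the script above.

```powershell
# Added verification step (not part of the Add-On Products article).
# Assumes the same session as the script above: $App, $Principal,
# $ServiceAccountUPN and $SecretDuration are set and Connect-MgGraph is active.

# The permission set the script is supposed to grant, and nothing else.
$ExpectedAppRoles = @{
    "98830695-27a2-44f7-8c18-0c3ebc9698f6" = "GroupMember.Read.All (Application)"
    "df021288-bdef-4463-88db-98f22de89214" = "User.Read.All (Application)"
}
$ExpectedDelegatedScope = "Exchange.Manage"
$Problems = @()

# 1. Owners: the account that ran the script should be listed as owner.
$Owners = Get-MgApplicationOwner -ApplicationId $App.Id
$Me = Get-MgUser -UserId (Get-MgContext).Account
if (-not ($Owners.Id -contains $Me.Id)) {
    $Problems += "Current user is not listed as an owner of the application."
}

# 2. Secrets: exactly one client secret, expiring when the script asked for.
$Creds = (Get-MgApplication -ApplicationId $App.Id).PasswordCredentials
if ($Creds.Count -ne 1) {
    $Problems += "Expected 1 client secret, found $($Creds.Count)."
}
$ExpectedEnd = (Get-Date).AddMonths($SecretDuration)
foreach ($Cred in $Creds) {
    if ([math]::Abs(($Cred.EndDateTime - $ExpectedEnd).TotalDays) -gt 1) {
        $Problems += "Secret '$($Cred.DisplayName)' expires $($Cred.EndDateTime), expected about $ExpectedEnd."
    }
}

# 3. Application permissions actually consented on the service principal.
$Assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Principal.Id
foreach ($Assignment in $Assignments) {
    if (-not $ExpectedAppRoles.ContainsKey($Assignment.AppRoleId)) {
        $Problems += "Unexpected application permission: AppRoleId $($Assignment.AppRoleId) on $($Assignment.ResourceDisplayName)."
    }
}
foreach ($RoleId in $ExpectedAppRoles.Keys) {
    if (-not ($Assignments.AppRoleId -contains $RoleId)) {
        $Problems += "Missing application permission: $($ExpectedAppRoles[$RoleId])."
    }
}

# 4. Delegated grants: only Exchange.Manage, and only for the service account
#    (consentType 'Principal'), never a tenant-wide 'AllPrincipals' grant.
$ServiceAccountUser = Get-MgUser -UserId $ServiceAccountUPN
$Grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($Principal.Id)'"
foreach ($Grant in $Grants) {
    if ($Grant.ConsentType -ne "Principal" -or $Grant.PrincipalId -ne $ServiceAccountUser.Id) {
        $Problems += "Delegated grant '$($Grant.Scope)' is not scoped to the service account (consentType=$($Grant.ConsentType))."
    }
    foreach ($Scope in ($Grant.Scope.Trim() -split '\s+')) {
        if ($Scope -ne $ExpectedDelegatedScope) {
            $Problems += "Unexpected delegated scope granted: $Scope."
        }
    }
}
if (-not ($Grants | Where-Object { ($_.Scope -split '\s+') -contains $ExpectedDelegatedScope })) {
    $Problems += "Delegated scope $ExpectedDelegatedScope is not granted to the service account."
}

# Report the result.
if ($Problems.Count -eq 0) {
    Write-Host "Application '$($App.DisplayName)' ($($App.AppId)) matches the expected configuration." -ForegroundColor Green
} else {
    Write-Warning "Review the application registration before using it in OfficePlace:"
    $Problems | ForEach-Object { Write-Warning "  - $_" }
}
```

The scopes requested by Connect-MgGraph in the script above (Application.ReadWrite.All, User.Read.All, AppRoleAssignment.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All) are sufficient for every read this block performs, so no reconnect is needed. Any warning it prints points at a specific item (owner, secret, app role or grant) that can be corrected in the Entra admin center before the values are entered in OfficePlace.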
Implement application settings in OfficePlace
Once the app described above has been created, you must collect the following information for configuration in OfficePlace.
The PowerShell script above has created a text file in your Downloads folder with the same name you gave the Entra ID application. Within it you can find the details matching the configuration dialog in OfficePlace, as seen in the screenshot below. The file contains the client secret in clear text, so delete it once the values have been entered in OfficePlace.
Properties
Applies to: OfficePlace
Knowledge base ID: 0338
Last updated: Jan 09 2025