The purpose of this PowerShell script is to assist with and automate the following tasks:
You will need the following:
#Set the variables below: the display name of the App Registration (how it will appear in Azure) and the details of the certificate to upload.
#The display name of the App Registration within Azure (Default "Spider-InTune")
$dispname = "Spider-InTune"
#Local path to the certificate file in the format *.crt
$certPath = "C:\certs\flextest22.onmicrosoft.com.crt"
#Certificate start date in the format MM/dd/yyyy HH:mm:ss
$certstart = ('08/14/2023 11:56:21')
#Certificate end date in the format MM/dd/yyyy HH:mm:ss
$certend = ('08/14/2033 12:06:21')
#Authenticate with Azure credentials
Connect-AzAccount
#Create a New App Registration
$App = New-AzADApplication -Displayname $dispname
#Declare the 'AppId' as a variable
$AppId = $App.AppId
#Add the MS Graph API permission for "AppCatalog.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId e12dae10-5a57-4817-b79d-dfbec5348930 -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "AuditLog.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId b0afded3-3588-46d8-8b3d-9842eff778da -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "Device.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 7438b122-aefc-4978-80ed-43db9fcc7715 -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "DeviceManagementConfiguration.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId dc377aa6-52d8-4e23-b271-2a7ae04cedf3 -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "DeviceManagementManagedDevices.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 2f51be20-0bb4-4fed-bf7b-db946066c75e -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "Directory.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 7ab1d382-f21e-4acd-a863-ba3e13f7da61 -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "Domain.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId dbb9058a-0e50-45d7-ae91-66909b5d4664 -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "Group.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 5b567255-7703-4780-807c-7be8301ae99b -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "Reports.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 230c1aed-a721-4c5d-9cb4-a90514e508ef -ApplicationID $AppId -Type Role
#Add the MS Graph API permission for "User.Read.All" of type 'Application'
Add-AzADAppPermission -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId df021288-bdef-4463-88db-98f22de89214 -ApplicationID $AppId -Type Role
# Convert certificate to base64 encoded string
$base64Cert = [Convert]::ToBase64String([System.IO.File]::ReadAllBytes($certPath))
# Set the certificate as a valid credential to the App Registration
New-AzADAppCredential -ApplicationId $AppId -CertValue $base64Cert -StartDate $certstart -EndDate $certend
Please note: Admin Consent is required for the API permissions to function, and there is currently no method to grant Admin Consent using PowerShell commands. To grant Admin Consent you must log into Azure using the web interface and perform this step manually.
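The following verification step is an added example and is not part of the original script. Once the script above has run and Admin Consent has been granted in the portal, it checks the result rather than changing anything: it reads the validity window from the certificate file itself (instead of the hand-typed $certstart/$certend values) and confirms the file carries no private key, compares the permissions on the App Registration with the set the script requested so that any missing or extra permission stands out, confirms that only a certificate credential (no client secret) is present, and checks which of the requested application permissions actually have Admin Consent. It assumes an existing Connect-AzAccount session, the Microsoft Graph backed Az.Resources module (Get-AzADAppPermission, Get-AzADAppCredential and Get-AzADServicePrincipal with the output properties used below), that Invoke-AzRestMethod can call the Microsoft Graph endpoint with the session's token, and reuses the $AppId and $certPath variables from the script above.

```powershell
# Added post-provisioning check (example code, not part of the original script).
# Assumes: an existing Connect-AzAccount session, the Microsoft Graph backed
# Az.Resources module, and the $AppId and $certPath variables from the script above.
# The output property names used (ApiId/Id/Type, KeyId/Type/EndDateTime) are
# assumed from the Az.Resources cmdlet documentation.

$graphApiId = '00000003-0000-0000-c000-000000000000'

# The application (Role) permission IDs the script requests, copied from it.
$expectedRoleIds = @(
    'e12dae10-5a57-4817-b79d-dfbec5348930', # AppCatalog.Read.All
    'b0afded3-3588-46d8-8b3d-9842eff778da', # AuditLog.Read.All
    '7438b122-aefc-4978-80ed-43db9fcc7715', # Device.Read.All
    'dc377aa6-52d8-4e23-b271-2a7ae04cedf3', # DeviceManagementConfiguration.Read.All
    '2f51be20-0bb4-4fed-bf7b-db946066c75e', # DeviceManagementManagedDevices.Read.All
    '7ab1d382-f21e-4acd-a863-ba3e13f7da61', # Directory.Read.All
    'dbb9058a-0e50-45d7-ae91-66909b5d4664', # Domain.Read.All
    '5b567255-7703-4780-807c-7be8301ae99b', # Group.Read.All
    '230c1aed-a721-4c5d-9cb4-a90514e508ef', # Reports.Read.All
    'df021288-bdef-4463-88db-98f22de89214'  # User.Read.All
)

# 1. Read the validity window from the certificate file itself rather than
#    trusting hand-typed dates, and make sure the file holds only the public
#    certificate (a PFX containing the private key must never be uploaded).
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
if ($cert.HasPrivateKey) {
    Write-Warning "$certPath contains a private key; upload only the public certificate."
}
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
Write-Output ("Certificate {0} valid {1:u} to {2:u} ({3} days remaining)" -f $cert.Thumbprint, $cert.NotBefore, $cert.NotAfter, $daysLeft)

# 2. Compare the permissions now on the App Registration with the expected set.
#    Missing ones break the integration; extra ones are privilege creep.
$requested  = Get-AzADAppPermission -ApplicationId $AppId
$graphRoles = $requested | Where-Object { $_.ApiId -eq $graphApiId -and $_.Type -eq 'Role' } | ForEach-Object { $_.Id }
$missing = $expectedRoleIds | Where-Object { $_ -notin $graphRoles }
$extra   = $graphRoles      | Where-Object { $_ -notin $expectedRoleIds }
$other   = @($requested | Where-Object { $_.ApiId -ne $graphApiId -or $_.Type -ne 'Role' })
if ($missing) { Write-Warning "Missing Graph application permissions: $($missing -join ', ')" }
if ($extra)   { Write-Warning "Unexpected extra Graph application permissions: $($extra -join ', ')" }
if ($other.Count -gt 0) { Write-Warning "Unexpected delegated or non-Graph permissions present: $($other.Count)" }

# 3. Credentials: expect exactly one certificate credential and no client secrets.
#    Password credentials returned by Get-AzADAppCredential have no Type property.
$creds       = Get-AzADAppCredential -ApplicationId $AppId
$certCreds   = @($creds | Where-Object { $_.Type -eq 'AsymmetricX509Cert' })
$secretCreds = @($creds | Where-Object { $_.Type -ne 'AsymmetricX509Cert' })
if ($certCreds.Count -ne 1)   { Write-Warning "Expected 1 certificate credential, found $($certCreds.Count)." }
if ($secretCreds.Count -gt 0) { Write-Warning "$($secretCreds.Count) client secret(s) present; this app should use certificates only." }
foreach ($c in $certCreds) {
    Write-Output ("Certificate credential {0} expires {1:u}" -f $c.KeyId, $c.EndDateTime)
}

# 4. Admin Consent: granting it in the portal creates appRoleAssignments on the
#    app's service principal. Confirm every expected role has been consented to.
#    Assumes Invoke-AzRestMethod can call Microsoft Graph with the current session.
$sp = Get-AzADServicePrincipal -ApplicationId $AppId
if (-not $sp) {
    Write-Warning 'No service principal exists yet; Admin Consent has not been granted.'
} else {
    $resp = Invoke-AzRestMethod -Method GET -Uri "https://graph.microsoft.com/v1.0/servicePrincipals/$($sp.Id)/appRoleAssignments"
    $consented    = (ConvertFrom-Json $resp.Content).value | ForEach-Object { $_.appRoleId }
    $notConsented = $expectedRoleIds | Where-Object { $_ -notin $consented }
    if ($notConsented) {
        Write-Warning "Admin Consent still missing for: $($notConsented -join ', ')"
    } else {
        Write-Output 'All expected application permissions have Admin Consent.'
    }
}
```

Because every call here is read-only, the same script can be re-run later as a drift check: a new client secret, an added permission, or a certificate close to expiry will each produce a warning.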
Sep 04, 2024 01:22 PM