To create a Clone Service Principal (see https://markwarneke.me/2020-04-02-Clone-AzureAd-Service-Principal/), run the following automation steps. Make sure the authenticated user executing the steps has at least the Application Administrator Azure AD role, as this role is needed for the last step to grant permissions.
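#!/usr/bin/env bash
#
# Create a "clone" service principal that is allowed to create and manage the
# applications it owns (Application.ReadWrite.OwnedBy on both the Microsoft
# Graph and the Azure AD Graph API), then verify the result by logging in as
# the new SP and creating a test SP with it.
#
# Requirements:
#   - An authenticated `az` session whose user holds at least the Application
#     Administrator Azure AD role (needed for the admin-consent step).
#
# Side effects:
#   - Creates an app registration + service principal named "$appName".
#   - Resets that SP's credential (a new password is generated).
#   - Logs the current user OUT of the Azure CLI and logs in as the new SP.
#   - Creates a second SP named "TestApp"; `az ad sp create-for-rbac` prints
#     that SP's credentials to stdout, so treat the script output as secret.
set -euo pipefail

# Name of the Clone Service Principal
appName="CloneServicePrincipal"

# Retrieve the tenant id of the currently authenticated account
tenantId=$(az account show --query tenantId -o tsv)

# Create the Clone Service Principal (app registration + SP object)
appId=$(az ad app create --display-name "$appName" --query appId -o tsv)
sp=$(az ad sp create --id "$appId" --query objectId -o tsv)
printf 'Created app %s (service principal object id %s)\n' "$appId" "$sp" >&2

# Microsoft Graph API (well-known application id)
API_Microsoft_Graph="00000003-0000-0000-c000-000000000000"
# Application.ReadWrite.OwnedBy (Microsoft Graph app role id)
PERMISSION_MG_Application_ReadWrite_OwnedBy="18a4783c-866b-4cc7-a460-3d5e5662c884"

# Request Microsoft Graph API Application.ReadWrite.OwnedBy Permissions
az ad app permission add --id "$appId" --api "$API_Microsoft_Graph" \
  --api-permissions "${PERMISSION_MG_Application_ReadWrite_OwnedBy}=Role"
# NOTE(review): `permission grant` creates a delegated (OAuth2) grant; for an
# application (=Role) permission the admin-consent step further down is what
# takes effect. Kept as in the original — confirm whether it is still needed.
az ad app permission grant --id "$appId" --api "$API_Microsoft_Graph" \
  --scope "$PERMISSION_MG_Application_ReadWrite_OwnedBy"

# Request Azure Active Directory Graph API Application.ReadWrite.OwnedBy Permissions
#
# NOTE: Azure CLI only uses this API (not the newer Microsoft Graph API above).
# More info here: https://github.com/Azure/azure-cli/issues/12946
#
# Azure Active Directory Graph API (well-known application id)
API_Windows_Azure_Active_Directory="00000002-0000-0000-c000-000000000000"
# Application.ReadWrite.OwnedBy (Azure AD Graph app role id)
PERMISSION_AAD_Application_ReadWrite_OwnedBy="824c81eb-e3f8-4ee6-8f6d-de7f50d565b7"
az ad app permission add --id "$appId" --api "$API_Windows_Azure_Active_Directory" \
  --api-permissions "${PERMISSION_AAD_Application_ReadWrite_OwnedBy}=Role"
az ad app permission grant --id "$appId" --api "$API_Windows_Azure_Active_Directory" \
  --scope "$PERMISSION_AAD_Application_ReadWrite_OwnedBy"

# Grant Application & Delegated permissions through admin-consent
# (this is the step that needs the Application Administrator role)
az ad app permission admin-consent --id "$appId"

# Reset the SP credential and capture the new password. It lives only in this
# shell variable: it is never echoed and never traced (see the login below).
spPassword=$(az ad sp credential reset --name "$appId" --query password -o tsv)

printf 'sleeping to allow password change to propagate...\n' >&2
sleep 20

# Test creating a SP with the new SP.
#
# Do NOT wrap the login in `set -x`: a command trace prints $spPassword in
# clear text to stderr (and into any CI log that captures it). The secret is
# still visible on the process command line (-p) for the duration of the
# `az login` call, as in the original.
#
# `az logout` and `az login` are deliberately separate statements: with
# `set -e` a failed logout aborts the script instead of silently running the
# test as the original, more privileged user.
az logout
az login --service-principal -u "$appId" -p "$spPassword" \
  --tenant "$tenantId" --allow-no-subscriptions
# The password is no longer needed once the CLI session is established.
unset spPassword
az ad sp create-for-rbac -n "TestApp" --skip-assignment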