Save timwebster9/99c26b9aa58c4b4b22c800bb41faf1ee to your computer and use it in GitHub Desktop.
To create a Clone Service Principal (see https://markwarneke.me/2020-04-02-Clone-AzureAd-Service-Principal/) you can run the following automation steps. Make sure the authenticated user executing the steps has at least the Application Administrator Azure AD role, as that role is needed for the step that grants the permissions (admin consent).
#!/usr/bin/env bash
# Name of the Clone Service Principal
appName="CloneServicePrincipal"
# Retrieve the tenant id of the currently signed-in account
tenantId=$(az account show --query tenantId -o tsv)
# Create the Clone Service Principal (app registration plus its service principal object)
appId=$(az ad app create --display-name "$appName" --query appId -o tsv)
sp=$(az ad sp create --id "$appId" --query objectId -o tsv)
echo "Created app $appId (service principal object id $sp)"
# Microsoft Graph API
API_Microsoft_Graph="00000003-0000-0000-c000-000000000000"
# Application.ReadWrite.OwnedBy (application permission, i.e. an app role)
PERMISSION_MG_Application_ReadWrite_OwnedBy="18a4783c-866b-4cc7-a460-3d5e5662c884"
# Request Microsoft Graph API Application.ReadWrite.OwnedBy Permissions
az ad app permission add --id "$appId" --api "$API_Microsoft_Graph" --api-permissions "${PERMISSION_MG_Application_ReadWrite_OwnedBy}=Role"
az ad app permission grant --id "$appId" --api "$API_Microsoft_Graph" --scope "$PERMISSION_MG_Application_ReadWrite_OwnedBy"
# Request Azure Active Directory Graph API Application.ReadWrite.OwnedBy Permissions
#
# NOTE: Azure CLI only uses this API (not the newer Microsoft Graph API above).
# More info here: https://github.com/Azure/azure-cli/issues/12946
#
# Azure Active Directory Graph API
API_Windows_Azure_Active_Directory="00000002-0000-0000-c000-000000000000"
# Application.ReadWrite.OwnedBy
PERMISSION_AAD_Application_ReadWrite_OwnedBy="824c81eb-e3f8-4ee6-8f6d-de7f50d565b7"
az ad app permission add --id "$appId" --api "$API_Windows_Azure_Active_Directory" --api-permissions "${PERMISSION_AAD_Application_ReadWrite_OwnedBy}=Role"
az ad app permission grant --id "$appId" --api "$API_Windows_Azure_Active_Directory" --scope "$PERMISSION_AAD_Application_ReadWrite_OwnedBy"
# Grant Application & Delegated permissions through admin-consent
# (this is the step that needs the Application Administrator role on the signed-in user)
az ad app permission admin-consent --id "$appId"
# Reset the SP credential and capture the new password (treat it as a secret; it is not printed)
spPassword=$(az ad sp credential reset --name "$appId" --query password -o tsv)
echo "sleeping to allow password change to propagate..."
sleep 20
# Test creating a SP with the new SP.
# Log in before enabling command tracing so the password is not echoed into the shell trace.
az logout && az login --service-principal -u "$appId" -p "$spPassword" --tenant "$tenantId" --allow-no-subscriptions
set -x
az ad sp create-for-rbac -n "TestApp" --skip-assignment
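As an added check after the script has run (example code, not part of the gist): the Python below audits the requiredResourceAccess section of the manifest that `az ad app show --id $appId` returns and confirms the clone SP requests nothing beyond the two Application.ReadWrite.OwnedBy app roles above. The two manifests and the extra role id in the drifted case are constructed samples, not real CLI output.

```python
import json

# App ids of the two resource APIs and the Application.ReadWrite.OwnedBy
# app-role id under each, exactly as requested in the gist's script.
ALLOWED_APP_ROLES = {
    "00000003-0000-0000-c000-000000000000": {"18a4783c-866b-4cc7-a460-3d5e5662c884"},  # Microsoft Graph
    "00000002-0000-0000-c000-000000000000": {"824c81eb-e3f8-4ee6-8f6d-de7f50d565b7"},  # Azure AD Graph
}


def audit_required_resource_access(manifest_json):
    """Audit requiredResourceAccess of an app manifest (JSON as returned by
    `az ad app show --id <appId>`). Returns (ok, findings); ok is True only
    when every entry is one of the OwnedBy app roles above. Delegated (Scope)
    entries and any other resource or role are reported as findings."""
    app = json.loads(manifest_json)
    findings = []
    for resource in app.get("requiredResourceAccess", []):
        resource_id = resource.get("resourceAppId")
        allowed = ALLOWED_APP_ROLES.get(resource_id)
        if allowed is None:
            findings.append("unexpected resource API %s" % resource_id)
            continue
        for access in resource.get("resourceAccess", []):
            perm_id, perm_type = access.get("id"), access.get("type")
            if perm_type != "Role":
                findings.append("%s: non-application permission %s (%s)" % (resource_id, perm_id, perm_type))
            elif perm_id not in allowed:
                findings.append("%s: unexpected app role %s" % (resource_id, perm_id))
    return (not findings, findings)


# Constructed sample manifests (not real `az` output). The first matches the
# gist; the second has drifted: an extra, placeholder app role on Microsoft Graph.
EXPECTED_MANIFEST = json.dumps({"appId": "00000000-0000-0000-0000-00000000aaaa", "requiredResourceAccess": [
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "18a4783c-866b-4cc7-a460-3d5e5662c884", "type": "Role"}]},
    {"resourceAppId": "00000002-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "824c81eb-e3f8-4ee6-8f6d-de7f50d565b7", "type": "Role"}]},
]})
DRIFTED_MANIFEST = json.dumps({"appId": "00000000-0000-0000-0000-00000000aaaa", "requiredResourceAccess": [
    {"resourceAppId": "00000003-0000-0000-c000-000000000000",
     "resourceAccess": [{"id": "18a4783c-866b-4cc7-a460-3d5e5662c884", "type": "Role"},
                        {"id": "ffffffff-ffff-ffff-ffff-ffffffffffff", "type": "Role"}]},  # placeholder id
]})

if __name__ == "__main__":
    for name, manifest in (("expected", EXPECTED_MANIFEST), ("drifted", DRIFTED_MANIFEST)):
        ok, findings = audit_required_resource_access(manifest)
        print(name, "OK" if ok else "FINDINGS: " + "; ".join(findings))
```

Run it against real output by piping `az ad app show --id $appId -o json` into `audit_required_resource_access`.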