This blog shows how to setup Azure App Registrations using Azure CLI and Powershell. The scripts setup the configuration for the applications created in the previous posts in this serious. The aim was to achieve the same as configured in the Azure Portal. This is not possible with the current version of Azure CLI. A few steps still need to be completed manually.

Code: https://github.com/damienbod/AzureAD-Auth-MyUI-with-MyAPI

Posts in this Series

• Login and use an ASP.NET Core API with Azure AD Auth and user access tokens
• Angular SPA with an ASP.NET Core API using Azure AD Auth and user access tokens
• Restricting access to an Azure AD protected API using Azure AD Groups
• Using Azure CLI to create Azure App Registrations

The scripts are organised so that you can create the Azure infrastructure using the create_app_registrations with one or two parameters. Before you call the script, you need to login with the az login, and install Azure CLI if not already installed. The script requires the tenantId as parameter. This is where the App registrations will be created.

.\create_app_registrations.ps1 "your tenantId"

The create_app_registrations calls three separate scripts to create the different apps. An App registration is created for the API, a Web UI App registration is created, and the group and the Enterprise APP is updated.

Param( [string]$tenantId = "", [string]$secretForWebApp = "" )

function testParams() {

	if (!$tenantId) 
	{ 
		Write-Host "tenantId is null"
		exit 1
	}

	if (!$secretForWebApp) 
	{ 
		Write-Host "secretForWebApp is not defined, creating one"
		$secretForWebApp = New-Guid
	}
	return $secretForWebApp
}

function testSubscription {
    $account = az account show | ConvertFrom-Json
	$accountTenantId = $account.tenantId
    if ($accountTenantId -ne $tenantId) 
	{ 
		Write-Host "$accountTenantId not possible, change account"
		exit 1
	}
	$accountName = $account.name
    Write-Host "tenant: $accountName can update"
}

$secretForWebApp = testParams
testSubscription

Write-Host "tenantId $tenantId"
Write-Host "secretForWebApp $secretForWebApp"
Write-Host "-----------"
Write-Host (az version)
Write-Host "-----------"

# Create API App Registration
$createdAppRegAppIdApi = &".\api_create_azure_app_registration.ps1" $tenantId | select -Last 1
Write-Host "Created Api App registraion: $createdAppRegAppIdApi"

# Create Server Rendered App Registration
$createdAppRegAppIdServerRenderedUI = &".\server_rendered_create_azure_app_registration.ps1" $tenantId $createdAppRegAppIdApi $secretForWebApp | select -Last 1
Write-Host "Created Server Rendered App registraion: $createdAppRegAppIdServerRenderedUI"

# Create Group and Update Azure AD Enterprise APP for the API App Registration 
$groupName = &".\app_group_enterprise.ps1" $tenantId $createdAppRegAppIdApi  | select -Last 1
Write-Host "Created Group and updated Azure AD Enterprise APP for the API App Registration, groupName: $groupName"

Write-Host "Add the $groupName group to the App Registration and add users"

Creating the Azure Registration for the API

The API script creates the infrastructure in different steps. The App Registration is created in the first step and the optional claims are added after that. The oauth2Permissions are used to add the scopes. This is a bit complicated because you need to disable the default scope which was created in the create command, and then delete this. When creating an App registration using Azure CLI, it adds a default permission, which needs to be disabled before you can remove this or update. A service principle is created for the App registration.

Param( [string]$tenantId = "" )
$displayNameApi = "mi-api"
$bodyApi = '{
	"signInAudience" : "AzureADandPersonalMicrosoftAccount", 
	"groupMembershipClaims": "None"
}' | ConvertTo-Json | ConvertFrom-Json
$userAccessScopeApi = '{
		"lang": null,
		"origin": "Application",		
		"adminConsentDescription": "Allow access to the API",
		"adminConsentDisplayName": "mi-api-access",
		"id": "--- replaced in scripts ---",
		"isEnabled": true,
		"type": "User",
		"userConsentDescription": "Allow access to mi-api access_as_user",
		"userConsentDisplayName": "Allow access to mi-api",
		"value": "access_as_user"
}' | ConvertTo-Json | ConvertFrom-Json

##################################
### testParams
##################################

function testParams {

	if (!$tenantId) 
	{ 
		Write-Host "tenantId is null"
		exit 1
	}
}

testParams

Write-Host "Begin API Azure App Registration"

##################################
### Create Azure App Registration
##################################

$identifierApi = New-Guid
$identifierUrlApi = "api://" + $identifierApi
$myApiAppRegistration = az ad app create `
	--display-name $displayNameApi `
	--available-to-other-tenants true `
	--oauth2-allow-implicit-flow  false `
	--identifier-uris $identifierUrlApi `
	--required-resource-accesses `@api_required_resources.json 

$myApiAppRegistrationResult = ($myApiAppRegistration | ConvertFrom-Json)
$myApiAppRegistrationResultAppId = $myApiAppRegistrationResult.appId
Write-Host " - Created API $displayNameApi with myApiAppRegistrationResultAppId: $myApiAppRegistrationResultAppId"

##################################
### Add optional claims to App Registration 
##################################

az ad app update --id $myApiAppRegistrationResultAppId --optional-claims `@api_optional_claims.json
Write-Host " - Optional claims added to App Registration: $myApiAppRegistrationResultAppId"

##################################
###  Add scopes (oauth2Permissions)
##################################

# 1. read oauth2Permissions
$oauth2PermissionsApi = $myApiAppRegistrationResult.oauth2Permissions

# 2. set to enabled to false from the defualt scope, because we want to remove this
$oauth2PermissionsApi[0].isEnabled = 'false'
$oauth2PermissionsApi = ConvertTo-Json -InputObject @($oauth2PermissionsApi) 
# Write-Host "$oauth2PermissionsApi" 
# disable oauth2Permission in Azure App Registration
$oauth2PermissionsApi | Out-File -FilePath .\oauth2Permissionsold.json
az ad app update --id $myApiAppRegistrationResultAppId --set oauth2Permissions=`@oauth2Permissionsold.json

# 3. delete the default oauth2Permission
az ad app update --id $myApiAppRegistrationResultAppId --set oauth2Permissions='[]'

# 4. add the new scope required add the new oauth2Permissions values
$oauth2PermissionsApiNew += (ConvertFrom-Json -InputObject $userAccessScopeApi)
$oauth2PermissionsApiNew[0].id = $identifierApi
$oauth2PermissionsApiNew = ConvertTo-Json -InputObject @($oauth2PermissionsApiNew) 
# Write-Host "$oauth2PermissionsApiNew" 
$oauth2PermissionsApiNew | Out-File -FilePath .\oauth2Permissionsnew.json
az ad app update --id $myApiAppRegistrationResultAppId --set oauth2Permissions=`@oauth2Permissionsnew.json
Write-Host " - Updated scopes (oauth2Permissions) for App Registration: $myApiAppRegistrationResultAppId"

##################################
###  Create a ServicePrincipal for the API App Registration
##################################

az ad sp create --id $myApiAppRegistrationResultAppId | Out-String | ConvertFrom-Json
Write-Host " - Created Service Principal for API App registration"

return $myApiAppRegistrationResultAppId

Creating the Azure Registration for the Server Rendered UI

The App registration for the server rendered UI is like the API one. The reply URLs need to be added and the logout parameter. The id for the scope which was created in the API App registration needs to be added to the scopes of the WEB App registration. A client secret is also required as this is a trusted application.

Param( [string]$tenantId = "", [string]$inputAppIdApi = "", [string]$secretForWebApp = "" )

$replyUrlsSrUI = "https://localhost:44344/signin-oidc"
$logoutUrl = "https://localhost:44344/signout-callback-oidc"
$displayNameSrUI = "mi-server-rendered-portal"
$bodySrUI = '{
	"signInAudience" : "AzureADandPersonalMicrosoftAccount", 
	"groupMembershipClaims": "None"
}' | ConvertTo-Json | ConvertFrom-Json

$requiredResourceAccessesSrUI = '[{
	"resourceAppId": "00000003-0000-0000-c000-000000000000",
	"resourceAccess": [
		{
			"id": "64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0",
			"type": "Scope"
		},
		{
			"id": "7427e0e9-2fba-42fe-b0c0-848c9e6a8182",
			"type": "Scope"
		},
		{
			"id": "37f7f235-527c-4136-accd-4a02d197296e",
			"type": "Scope"
		},
		{
			"id": "14dad69e-099b-42c9-810b-d002981feec1",
			"type": "Scope"
		},
		{
			"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
			"type": "Scope"
		}
	]
},
{
	"resourceAppId": "-- replace --",
	"resourceAccess": [
		{
			"id": "-- replace --",
			"type": "Scope"
		}
	]
}]' | ConvertTo-Json | ConvertFrom-Json

##################################
### testParams
##################################

function testParams {

	if (!$tenantId) 
	{ 
		Write-Host "tenantId is null"
		exit 1
	}

	if (!$inputAppIdApi) 
	{ 
		Write-Host "inputAppIdApi is null"
		exit 1
	}
	
	if (!$secretForWebApp) 
	{ 
		Write-Host "secretForWebApp is null"
		exit 1
	}
}

testParams

Write-Host "Begin ServerRendered Azure App Registration"

$appDataFromInputAppIdApi = az ad app show --id $inputAppIdApi | Out-String | ConvertFrom-Json
$appDataFromInputAppIdApiOauth2Permissions = $appDataFromInputAppIdApi.oauth2Permissions[0]

$requiredResourceAccessesSrUIData = ConvertFrom-Json $requiredResourceAccessesSrUI
# add the API values to the requiredResourceAccessesSrUIData
$requiredResourceAccessesSrUIData[1].resourceAppId = $inputAppIdApi
$requiredResourceAccessesSrUIData[1].resourceAccess[0].id = $appDataFromInputAppIdApiOauth2Permissions.id
$requiredResourceAccessesSrUINew =  $requiredResourceAccessesSrUIData | ConvertTo-Json -Depth 5
# Write-Host "$requiredResourceAccessesNew" 
 
$requiredResourceAccessesSrUINew | Out-File -FilePath .\server_rendered_required_resources.json
Write-Host " - Updated required-resource-accesses for new App Registration"

##################################
### Create Azure App Registration
##################################

$myServerRenderedAppRegistration = az ad app create `
	--display-name $displayNameSrUI `
	--available-to-other-tenants true `
	--oauth2-allow-implicit-flow  false `
	--reply-urls $replyUrlsSrUI `
	--password $secretForWebApp `
	--required-resource-accesses `@server_rendered_required_resources.json

$myServerRenderedAppRegistrationData = ($myServerRenderedAppRegistration | ConvertFrom-Json)
$myServerRenderedAppRegistrationDataAppId = $myServerRenderedAppRegistrationData.appId
Write-Host " - Created ServerRendered $displayNameSrUI with appId: $myServerRenderedAppRegistrationDataAppId"

##################################
###  add logoutUrl
##################################

az ad app update --id $myServerRenderedAppRegistrationDataAppId --set logoutUrl=$logoutUrl
Write-Host " - Updated logoutUrl"

##################################
### Add optional claims to App Registration 
##################################

az ad app update --id $myServerRenderedAppRegistrationDataAppId --optional-claims `@server_rendered_optional_claims.json
Write-Host " - Optional claims added to App Registration: $myServerRenderedAppRegistrationDataAppId"

##################################
###  Remove scopes (oauth2Permissions)
##################################

# 1. read oauth2Permissions
$oauth2PermissionsSrUI = $myServerRenderedAppRegistrationData.oauth2Permissions

# 2. set to enabled to false from the defualt scope, because we want to remove this
$oauth2PermissionsSrUI[0].isEnabled = 'false'
$oauth2PermissionsSrUI = ConvertTo-Json -InputObject @($oauth2PermissionsSrUI) 
# Write-Host "$oauth2PermissionsSrUI" 
# disable oauth2Permission in Azure App Registration
$oauth2PermissionsSrUI | Out-File -FilePath .\oauth2Permissionsold.json
az ad app update --id $myServerRenderedAppRegistrationDataAppId --set oauth2Permissions=`@oauth2Permissionsold.json

# 3. delete the default oauth2Permission
az ad app update --id $myServerRenderedAppRegistrationDataAppId --set oauth2Permissions='[]'
Write-Host " - Updated scopes (oauth2Permissions) for App Registration: $myServerRenderedAppRegistrationDataAppId"

##################################
###  Create a ServicePrincipal for the ServerRendered App Registration
##################################

az ad sp create --id $myServerRenderedAppRegistrationDataAppId
Write-Host " - Created Service Principal for ServerRendered App registration"

return $myServerRenderedAppRegistrationDataAppId

Creating the Azure AD Group and update the Enterprise APP

The last script creates an Azure AD group in the Azure AD tenant. This group is used to add users which can access or use the API. The Enterprise APP for the WEB is setup to only allow defined users. You need to add the users yourself either using dynamic queries, or manually.

Param( [string]$tenantId = "", [string]$apiAppId = "" )
$groupName = "miapigroup"

function testParams {

	if (!$tenantId) 
	{ 
		Write-Host "tenantId is null"
		exit 1
	}

	if (!$apiAppId) 
	{ 
		Write-Host "apiAppId is null"
		exit 1
	}
}

testParams

Write-Host "Creating group and updating App Registration: $apiAppId"

##################################
### Create group
##################################

Write-Host " - Create new group"
$group = az ad group create `
	--display-name $groupName `
	--mail-nickname $groupName `

#Write-Host "$group" 
$groupObjectId = ($group | ConvertFrom-Json).objectId
Write-Host " - Created new group objectId: $groupObjectId"
	
##################################
### Only allowed defined users, groups use the app
##################################

az ad sp update --id $apiAppId --set appRoleAssignmentRequired=true
Write-Host " - Set user assigned true to APP registration"
#az ad sp show --id $apiAppId

##################################
### Assign group to App Registration
##################################

# NOT possible, you need to do this per Portal UI ...

#az ad group list --display-name $groupName
#az role assignment create --assignee $groupObjectId --resourceId $apiAppId --role "00000000-0000-0000-0000-000000000000"

return $groupName

Problems With Azure CLI and Azure App Registrations

Azure CLI comes short in a lot of ways when creating infrastructure for Azure App Registrations. You need to use the Azure portal to add the Azure AD group to the Azure AD Enterprise application. The signInAudience, groupMembershipClaims might need to be updated as well, depending on your requirements. For example, it is not possible to set the value AzureADandPersonalMicrosoftAccount for the signInAudience. You can use the graph API for this, but this does not work well together with Azure CLI.

1. Not possible to set all 4 values of the signInAudience property
2. Not possible to assign the Application to the group (Or not documentated)
3. Cannot update the groupMembershipClaims to one of the 3 values
4. It is not possible to create return URLs of type SPA
5. Using the Graph API seems to have problems when working together with Azure CLI. Items created with graph are not found by CLI or the other way around. The Graph API is also missing properties
6. The Azure CLI docs for creating Azure App Registrations are not good

Workarounds for the missing CLI features

The az rest command can be used to use the graph API to update the signInAudience and the groupMembershipClaims values. This works well the first time, but has problems running more than once in the same script.

az rest 
   --method PATCH 
   --uri 'https://graph.microsoft.com/v1.0/applications/7a7d2df0-0fce-4fd9-8bcd-87d62b967dae' 
   --headers 'Content-Type=application/json' 
   --body '{\"signInAudience\" : \"AzureADandPersonalMicrosoftAccount\", \"groupMembershipClaims\": \"None\"}'

This can also be executed with the Invoke-RestMethod powershell request, but with the same problem as the az rest.

# https://docs.microsoft.com/en-us/graph/api/application-update
$myServerRenderedAppRegistrationDataObjectId = $myServerRenderedAppRegistrationData.objectId
Write-Host " - id = srApp.objectId: $myServerRenderedAppRegistrationDataObjectId"
$tokenResponseSrUI = az account get-access-token --resource https://graph.microsoft.com
$tokenSrUI = ($tokenResponseSrUI | ConvertFrom-Json).accessToken
#Write-Host "$tokenSrUI"
$uriSrUI = 'https://graph.microsoft.com/v1.0/applications/' + $myServerRenderedAppRegistrationDataObjectId
Write-Host " - $uriSrUI"
$headersSrUI = @{
    "Authorization" = "Bearer $tokenSrUI"
}

Invoke-RestMethod `
	-ContentType application/json `
	-Uri $uriSrUI `
	-Method Patch `
	-Headers $headersSrUI `
	-Body $bodySrUI

Now just use the App registrations in the ASP.NET Core applications and everything should work. Add users to the Azure AD group to login.

Links

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest

https://docs.microsoft.com/en-us/cli/azure/ad/app?view=azure-cli-latest#az-ad-app-create

https://www.vrdmn.com/2018/08/create-azure-ad-app-registration-with.html

https://www.frodehus.dev/add-scopes-to-azure-ad-via-azure-cli/

https://anmock.blog/2020/01/10/azure-cli-create-an-azure-ad-application-for-an-api-that-exposes-oauth2-permissions/

https://joonasw.net/view/defining-permissions-and-roles-in-aad

https://docs.microsoft.com/en-us/cli/azure/ad/group?view=azure-cli-latest#az-ad-group-create

https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal

https://docs.microsoft.com/en-us/graph/api/resources/application?view=graph-rest-1.0

https://winsmarts.com/update-azure-ad-applications-signinaudience-using-microsoft-graph-79b5af3ec901

https://developer.microsoft.com/graph/graph-explorer