In this post, we will explore how to create a new application (App registrations) in Azure Active Directory, configure required API permissions, and grant admin consent to use the permissions. We will also demonstrate how to get Tenant ID, Client ID, Secret Key, and generate Access Token by using the newly created application.
This article focuses on a single-tenant application, that is, an application intended to run only within your own organization. We will use the app to acquire an access token and access Microsoft Graph API resources using PowerShell.
Summary
- Create new Azure AD Application (App registrations)
- Configure API Permissions in Azure AD Application
- Get Tenant ID, Application Client ID and Secret Key
- Get Access Token by Application permissions – On behalf of the app
- Get Access Token by Delegated permissions – On behalf of a user
- Use the Access Token to call Microsoft Graph API
Create new Azure AD Application (App registrations) from Azure AD portal
Follow the below steps to register a new application in Azure Active Directory.
- Sign in to the Azure AD portal, select Azure Active Directory.
- In the Azure Active Directory pane, under the Manage section, select App registrations > New registration.
- On the new App registration page, type a name, select the account type that supports accounts only in the current organizational directory (Single tenant), set the Redirect URI platform to Public client/native (mobile & desktop), and set the URI value to https://login.microsoftonline.com/common/oauth2/nativeclient. This allows us to get access tokens with the interactive flow in PowerShell.
- Click the Register button to create the new application.
- You can now see the newly created app details.
Configure API Permissions in Azure AD Application
Once you have created a new application, you need to configure the required API permissions and grant consent (admin or user consent) so that the app can use those permissions in the current tenant. You can use either Delegated or Application permissions depending on the type of access the app requires. Follow the below steps to assign the required permissions to the app and grant admin consent.
- Sign in to the Azure AD portal, select Azure Active Directory.
- In the Azure Active Directory pane, select App registrations, select the required app (click on app name hyperlink) to open the app configuration page.
- In the application configuration page, under the Manage section, select API permissions.
- On the permissions page, click Add a permission and select required resource API (ex: Microsoft Graph).
- Select the permission type and then the required permissions. I have selected the Delegated permission “User.Read.All”. Click the Add permissions button to add the selected permissions.
- Likewise, you can also select and add required Application permissions. I have selected the Application permissions “User.Read.All” and “Reports.Read.All”.
- You can view added permissions list under Configured permissions section.
- If you added permissions that require admin consent, that consent must be granted before the app can acquire an access token for those permissions.
- Click the Grant admin consent option and click Yes to grant consent for the requested permissions for all accounts in your tenant. Verify that consent has been granted for every required permission, indicated by a green tick.
Get Tenant ID, Application Client ID and Secret Key
Once you have created and configured the Azure AD app by following the above steps, you can use it to acquire an access token. You need the application's client ID, client secret, and tenant ID to do so; follow the below steps to get those details.
- Sign in to the Azure AD portal, select Azure Active Directory.
- In the Azure Active Directory pane, select App registrations, select the required app (click on app name hyperlink) to open the app configuration page.
- In the application configuration page, under the Overview tab, you can copy the Application (client) ID and Directory (tenant) ID. These are the values to be used in your code as a Client ID and Tenant ID.
- Under the Manage section, click on Certificates and secrets, click New client secret and add a new secret password for the app.
- Copy the value of the client secret and save it in a secure location (ex: a password vault or Azure Key Vault). The secret value is hidden once you leave the app configuration blade.
Get Access Token by Application permissions – On behalf of the app
Once you have configured the Azure AD application and collected the app details (Client ID, Client Secret, and Tenant ID), replace the placeholder values and run the following commands to get a resource access token with the configured Application permissions.
#Provide your Office 365 Tenant Domain Name or Tenant Id
$TenantId = "contoso.onmicrosoft.com"
#$TenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
#Provide Application (client) Id of your app
$AppClientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
#Provide Application client secret key
$ClientSecret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
#Client credentials grant: the app authenticates as itself, so the token carries the Application permissions granted to it
$RequestBody = @{client_id=$AppClientId;client_secret=$ClientSecret;grant_type="client_credentials";scope="https://graph.microsoft.com/.default";}
$OAuthResponse = Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $RequestBody
$AccessToken = $OAuthResponse.access_token
Get Access Token by Delegated permissions – On behalf of a user
We can use the MSAL.PS library to acquire access tokens with Delegated permissions. Run the following command in PowerShell to install this module.
Install-Module -Name MSAL.PS
Run the following commands to get Access Token on behalf of a user.
#Provide your Office 365 Tenant Domain Name or Tenant Id
$TenantId = "contoso.onmicrosoft.com"
#$TenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
#Provide Application (client) Id of your app
$AppClientId="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
$MsalParams = @{
    ClientId = $AppClientId
    TenantId = $TenantId
    Scopes   = "https://graph.microsoft.com/User.Read.All"
}
$MsalResponse = Get-MsalToken @MsalParams
$AccessToken = $MsalResponse.AccessToken
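Before calling Graph it is worth checking that the token you just acquired actually carries the permissions you configured, whether it came from the client credentials flow in the previous section or from Get-MsalToken above. The following is an added example, not code from the original post: it decodes the JWT payload of $AccessToken for inspection only (it does not validate the signature, so it must not be used to trust a token received from elsewhere) and reports the flow, audience, expiry and any permissions that are missing. The function names ConvertFrom-JwtPayload and Test-GraphToken are chosen here; the claim names (roles, scp, aud, appid/azp, tid, exp) are the standard Azure AD token claims.

```powershell
# Added example: inspect an acquired Graph token before using it.
# Works for app-only tokens (client credentials) and delegated tokens (MSAL.PS).
# Decodes the payload only; the signature is NOT validated.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected at least two dot-separated parts." }

    # JWT segments are base64url without padding; restore the standard alphabet and padding.
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

function Test-GraphToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string[]]$RequiredPermissions = @('User.Read.All')
    )
    $claims = ConvertFrom-JwtPayload -Token $Token

    # 'roles' is present on app-only tokens (Application permissions),
    # 'scp' (space separated) on delegated tokens (Delegated permissions).
    $granted = if ($claims.roles) { @($claims.roles) }
               elseif ($claims.scp) { $claims.scp -split ' ' }
               else { @() }
    $flow = if ($claims.roles) { 'Application (app-only)' } else { 'Delegated (on behalf of a user)' }

    # v1.0 tokens carry the client id in 'appid', v2.0 tokens in 'azp'.
    $appId = if ($claims.appid) { $claims.appid } else { $claims.azp }
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp).UtcDateTime
    $missing = $RequiredPermissions | Where-Object { $_ -notin $granted }

    [pscustomobject]@{
        Flow       = $flow
        Audience   = $claims.aud
        AppId      = $appId
        Tenant     = $claims.tid
        ExpiresUtc = $expires
        IsExpired  = ($expires -lt [DateTime]::UtcNow)
        Granted    = $granted
        Missing    = @($missing)
    }
}

# Usage: run after either token acquisition section. A non-empty Missing list means
# the permission was not added or admin consent was not granted; IsExpired = True
# means the token must be re-acquired before calling Graph.
Test-GraphToken -Token $AccessToken -RequiredPermissions 'User.Read.All'
```

The Audience value should be https://graph.microsoft.com or the Graph application id; if it is anything else, the token was issued for a different resource and Graph will reject it with a 401 regardless of the permissions listed.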
Use the Access Token to call Microsoft Graph API
Once you have acquired the required access token, you can use the Invoke-RestMethod cmdlet to call the REST API with it. The below commands call the list users endpoint of the Microsoft Graph API and retrieve details of Azure AD users.
#Provide your access token.
#$AccessToken="eyJ0eXAiOiJ......"
#Form request headers with the acquired $AccessToken
$headers = @{'Content-Type'="application/json";'Authorization'="Bearer $AccessToken"}
#This request gets all users list.
$ApiUrl = "https://graph.microsoft.com/v1.0/users"
$Response = Invoke-RestMethod -Method GET -Uri $ApiUrl -ContentType "application/json" -Headers $headers
#Graph returns results in pages: $Response.value holds the first page and
#$Response.'@odata.nextLink' (when present) is the URL of the next page.
$Users = $Response.value
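The call above returns only the first page of users and surfaces authorization problems as a raw exception. The following is an added example, not code from the original post, that wraps the same endpoint in a function which follows @odata.nextLink until all pages are read, requests only the attributes it needs via $select, and maps the common failure codes (401 expired or invalid token, 403 missing User.Read.All consent, 429 throttling) to clear actions. It assumes $AccessToken was obtained in one of the earlier sections; the function name Get-GraphUsers is chosen here.

```powershell
# Added example: page through the Graph users endpoint with error handling.
# Assumes $AccessToken holds a token acquired as shown earlier in this post.
function Get-GraphUsers {
    param(
        [Parameter(Mandatory)][string]$AccessToken,
        # Request only the attributes you need: smaller responses and less
        # sensitive data in transit and in any logs or transcripts.
        [string[]]$Select = @('id', 'displayName', 'userPrincipalName', 'accountEnabled')
    )

    $headers = @{ 'Authorization' = "Bearer $AccessToken" }
    # Backticks keep $select and $top literal (they are OData query options, not variables).
    $uri = "https://graph.microsoft.com/v1.0/users?`$select=$($Select -join ',')&`$top=999"
    $users = New-Object System.Collections.Generic.List[object]

    # Graph returns one page per call; follow @odata.nextLink until it is absent.
    while ($uri) {
        try {
            $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers -ErrorAction Stop
        }
        catch {
            $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
            if ($status -eq 429) {
                # Throttled: back off and retry the same page. Graph also sends a
                # Retry-After header; a fixed wait keeps this portable across PowerShell versions.
                Start-Sleep -Seconds 5
                continue
            }
            elseif ($status -eq 401) {
                throw "401 Unauthorized: the token is missing, malformed or expired. Re-acquire it."
            }
            elseif ($status -eq 403) {
                throw "403 Forbidden: the token lacks User.Read.All. Check the app's API permissions and admin consent."
            }
            else {
                throw   # rethrow anything else (network errors, 5xx) unchanged
            }
        }
        foreach ($u in $page.value) { $users.Add($u) }
        $uri = $page.'@odata.nextLink'
    }
    return $users
}

$Users = Get-GraphUsers -AccessToken $AccessToken
"Retrieved {0} users" -f $Users.Count
```

Because the token is sent as a bearer header, avoid echoing $headers or the full request in logs; the Authorization value is as sensitive as the client secret for as long as the token is valid.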
Thank you for this. I recently created a new app registration; I also needed to add AuditLog.Read.All.