Creating an application and its required permissions with Azure Active Directory PowerShell commands

Below, the Azure AD PowerShell module is used to create a custom app, including adding the Microsoft Graph "Read all groups" permission and uploading a certificate for certificate-based authentication.

1. Get the contents of your own certificate

# $certificatePath is the absolute path to your certificate (the public .cer file)
$certificatePath = '<absolute path to your .cer file>'
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$certificate.Import($certificatePath)
$certBinaries = $certificate.GetRawCertData()      # DER bytes of the certificate, uploaded as the key value
$certHash = $certificate.GetCertHash()             # SHA-1 certificate hash (the thumbprint bytes)
$CertBase64 = [System.Convert]::ToBase64String($certBinaries)
$CustomKeyIdentifier = [System.Convert]::ToBase64String($certHash)
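Before uploading, it is worth inspecting the certificate: only the public part belongs in Azure AD, an expired or not-yet-valid certificate will never authenticate, and the CustomKeyIdentifier is simply the base64 form of the SHA-1 thumbprint. The following function is an added example, not code from the original post; the certificate path used in the usage comment is a hypothetical placeholder.

```powershell
# Added example: inspect a certificate and derive the values Azure AD expects.
# Assumes $CertificatePath points at a public certificate (.cer); adjust as needed.
function Get-AppCertificateInfo {
    param(
        [Parameter(Mandatory)][string]$CertificatePath
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($CertificatePath)

    # Only the public certificate is uploaded to Azure AD; refuse a file that carries the private key.
    if ($cert.HasPrivateKey) {
        throw "Certificate '$CertificatePath' contains a private key; export the public part (.cer) before uploading."
    }

    $now = [System.DateTime]::Now
    if ($cert.NotAfter -lt $now)  { throw "Certificate expired on $($cert.NotAfter)." }
    if ($cert.NotBefore -gt $now) { throw "Certificate is not valid before $($cert.NotBefore)." }
    if ($cert.NotAfter -lt $now.AddDays(30)) {
        Write-Warning "Certificate expires on $($cert.NotAfter) (within 30 days); plan rotation."
    }
    if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1') {
        Write-Warning "Certificate is signed with $($cert.SignatureAlgorithm.FriendlyName); prefer SHA-256."
    }

    # CustomKeyIdentifier is the base64 of the SHA-1 certificate hash, i.e. the thumbprint bytes.
    # Cross-check by re-encoding the hash as hex and comparing with the Thumbprint property.
    $certHash = $cert.GetCertHash()
    $thumbprintFromHash = ($certHash | ForEach-Object { $_.ToString('X2') }) -join ''
    if ($thumbprintFromHash -ne $cert.Thumbprint) {
        throw "Thumbprint mismatch: $thumbprintFromHash vs $($cert.Thumbprint)"
    }

    [pscustomobject]@{
        Subject             = $cert.Subject
        Thumbprint          = $cert.Thumbprint
        NotBefore           = $cert.NotBefore
        NotAfter            = $cert.NotAfter
        SignatureAlgorithm  = $cert.SignatureAlgorithm.FriendlyName
        CustomKeyIdentifier = [System.Convert]::ToBase64String($certHash)
        Base64Value         = [System.Convert]::ToBase64String($cert.GetRawCertData())
    }
}

# Usage (hypothetical path):
# $certInfo = Get-AppCertificateInfo -CertificatePath 'C:\certs\OliverTestApp.cer'
# $CustomKeyIdentifier = $certInfo.CustomKeyIdentifier
# $CertBase64 = $certInfo.Base64Value
```

The returned object carries exactly the two values the later steps need (CustomKeyIdentifier and the base64 certificate), together with the validity window, which is what the key credential's StartDate and EndDate should be tied to.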

2. Connect to Azure AD. A Microsoft sign-in window pops up; sign in with a user that has the required permissions.

# $TenantRegion is your tenant's region; you can also just run $azureAd = Connect-AzureAD, which defaults to Global
$azureAd = Connect-AzureAD -AzureEnvironmentName $TenantRegion

3. Build the Microsoft Graph "Read all groups" permission information

$requiredAccess = New-Object 'System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]'
#region Graph
$graphApiAccess = New-Object 'Microsoft.Open.AzureAD.Model.RequiredResourceAccess'
# Well-known application id of Microsoft Graph
$graphApiAccess.ResourceAppId = '00000003-0000-0000-c000-000000000000'
$graphApiAccess.ResourceAccess = New-Object 'System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ResourceAccess]'
    #region Read all groups
    $GraphReadAllGroups = New-Object 'Microsoft.Open.AzureAD.Model.ResourceAccess'
    $GraphReadAllGroups.Id = '5b567255-7703-4780-807c-7be8301ae99b'
    # Role means an application permission; Scope means a delegated permission
    $GraphReadAllGroups.Type = 'Role'
    #endregion
$graphApiAccess.ResourceAccess.Add($GraphReadAllGroups)
#endregion
$requiredAccess.Add($graphApiAccess)

The details of Microsoft Graph and the permissions it contains can be obtained from https://github.com/mjisaak/azure-active-directory
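Hard-coding permission GUIDs is easy to get wrong, and a wrong GUID silently grants a different permission. The Microsoft Graph service principal in the tenant lists its application permissions (AppRoles) and delegated permissions (Oauth2Permissions) by name, so the ids can be resolved from names. The function below is an added example, not code from the original post; it builds the same RequiredResourceAccess list the step above builds, but for any named Graph permissions.

```powershell
# Added example: resolve Microsoft Graph permission ids by name instead of hard-coding GUIDs.
# Assumes an active Connect-AzureAD session. Names are Graph permission values such as 'Group.Read.All'.
function New-GraphRequiredResourceAccess {
    param(
        [string[]]$ApplicationPermissions = @(),   # become Type = 'Role'  (need admin consent)
        [string[]]$DelegatedPermissions   = @()    # become Type = 'Scope' (user or admin consent)
    )
    $graphAppId = '00000003-0000-0000-c000-000000000000'
    $graphSp = Get-AzureADServicePrincipal -Filter "AppId eq '$graphAppId'"
    if (-not $graphSp) { throw "Microsoft Graph service principal not found in this tenant." }

    $access = New-Object 'Microsoft.Open.AzureAD.Model.RequiredResourceAccess'
    $access.ResourceAppId = $graphAppId
    $access.ResourceAccess = New-Object 'System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.ResourceAccess]'

    foreach ($name in $ApplicationPermissions) {
        $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $name }
        if (-not $role) { throw "Application permission '$name' not found on Microsoft Graph." }
        $ra = New-Object 'Microsoft.Open.AzureAD.Model.ResourceAccess'
        $ra.Id   = $role.Id
        $ra.Type = 'Role'
        $access.ResourceAccess.Add($ra)
    }
    foreach ($name in $DelegatedPermissions) {
        $scope = $graphSp.Oauth2Permissions | Where-Object { $_.Value -eq $name }
        if (-not $scope) { throw "Delegated permission '$name' not found on Microsoft Graph." }
        $ra = New-Object 'Microsoft.Open.AzureAD.Model.ResourceAccess'
        $ra.Id   = $scope.Id
        $ra.Type = 'Scope'
        $access.ResourceAccess.Add($ra)
    }

    $list = New-Object 'System.Collections.Generic.List`1[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]'
    $list.Add($access)
    # -NoEnumerate keeps the List intact instead of unrolling it into its items on output
    Write-Output -NoEnumerate $list
}

# Usage: the same "Read all groups" application permission as in the step above,
# resolved by its name (Group.Read.All) rather than by GUID.
# $requiredAccess = New-GraphRequiredResourceAccess -ApplicationPermissions 'Group.Read.All'
```

Keeping the requested permissions to named values also makes it easy to review what an app registration asks for: an application permission (Role) is exercised without any signed-in user and always requires an administrator's consent, so every entry in $ApplicationPermissions should be justified.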

4. Check by name whether the app already exists; if it does, update the reply URL with the following commands

# Enter your own name for the app
$AppName = 'OliverTestApp'
$existApp = Get-AzureADApplication -Filter "DisplayName eq '$AppName'"
if ($null -ne $existApp)
{
    # update the app's reply URL (see step 5)
}

5. Update the reply URL and the required Microsoft Graph "Read all groups" permission

# Set your own reply URL
$ReplyUrl = '自定义你的replyurl'

$currentReplyUrls = $existApp[0].ReplyUrls
$urlExist = $false
foreach ($tempExistUrl in $currentReplyUrls)
{
    if ($tempExistUrl.ToLower() -eq $ReplyUrl.ToLower())
    {
        $urlExist = $true
    }
}
if ($urlExist)
{
    # reply URL already registered: only update the required permissions
    Set-AzureADApplication -RequiredResourceAccess $requiredAccess -ObjectId $existApp[0].ObjectId
}
else
{
    # add the new reply URL alongside the existing ones and update the permissions
    $currentReplyUrls.Add($ReplyUrl)
    Set-AzureADApplication -RequiredResourceAccess $requiredAccess -ReplyUrls $currentReplyUrls -ObjectId $existApp[0].ObjectId
}

6. Upload the app certificate and set its expiry to one year

$EndTime = [System.DateTime]::Now.AddYears(1)
$tempKeyCredential = New-AzureADApplicationKeyCredential -ObjectId $existApp[0].ObjectId -CustomKeyIdentifier $CustomKeyIdentifier -Type AsymmetricX509Cert -EndDate $EndTime -Usage Verify -Value $CertBase64

7. If the app does not exist, create a new one, passing in the reply URL, the Microsoft Graph "Read all groups" permission, and the certificate

$application = New-AzureADApplication -DisplayName $AppName -ReplyUrls @($ReplyUrl) -RequiredResourceAccess $requiredAccess
$currentAppId = $application.AppId
$clientServicePrincipal = New-AzureADServicePrincipal -AppId $currentAppId
$tempKeyCredential = New-AzureADApplicationKeyCredential -ObjectId $application.ObjectId -CustomKeyIdentifier $CustomKeyIdentifier -Type AsymmetricX509Cert -EndDate $certificate.NotAfter -StartDate $certificate.NotBefore -Usage Verify -Value $CertBase64

8. At this point the app has been created, and you can view it in the Azure portal (note that the app has not been granted consent yet; in the screenshot, consent was granted later by a PowerShell script, so no user has to sign in and consent).

[Figure 1: the newly created app as shown in the Azure portal]
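Steps 4 to 7 are one create-or-update procedure. The script below is an added example, not code from the original post, that runs the whole procedure in one function and then reads the registration back to verify it: the certificate is added only once even if the script is re-run, the key credential's validity is tied to the certificate's own NotBefore/NotAfter rather than a fixed one year, and credentials close to expiry are reported. It assumes an active Connect-AzureAD session and a $RequiredResourceAccess list built as in step 3; the comparison of CustomKeyIdentifier assumes the value is returned as a byte array (handled as an assumption in the code).

```powershell
# Added example: idempotent create-or-update of the app registration, followed by verification.
# Assumes Connect-AzureAD has been run and $RequiredResourceAccess was built as in step 3.
function Set-AppRegistration {
    param(
        [Parameter(Mandatory)][string]$AppName,
        [Parameter(Mandatory)][string]$ReplyUrl,
        [Parameter(Mandatory)][string]$CertificatePath,
        [Parameter(Mandatory)]$RequiredResourceAccess
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
    $cert.Import($CertificatePath)
    $keyId = [System.Convert]::ToBase64String($cert.GetCertHash())
    $value = [System.Convert]::ToBase64String($cert.GetRawCertData())

    $app = Get-AzureADApplication -Filter "DisplayName eq '$AppName'" | Select-Object -First 1
    if ($app) {
        # Existing app: merge the reply URL (case-insensitively) and refresh the required permissions
        $replyUrls = New-Object 'System.Collections.Generic.List[string]'
        foreach ($u in $app.ReplyUrls) { $replyUrls.Add($u) }
        if (-not ($replyUrls | Where-Object { $_ -ieq $ReplyUrl })) { $replyUrls.Add($ReplyUrl) }
        Set-AzureADApplication -ObjectId $app.ObjectId -ReplyUrls $replyUrls -RequiredResourceAccess $RequiredResourceAccess
    } else {
        # New app: register it and create its service principal in this tenant
        $app = New-AzureADApplication -DisplayName $AppName -ReplyUrls @($ReplyUrl) -RequiredResourceAccess $RequiredResourceAccess
        $null = New-AzureADServicePrincipal -AppId $app.AppId
    }

    # Add the certificate only if this exact certificate is not registered yet (safe to re-run).
    # Assumption: CustomKeyIdentifier comes back as byte[]; a string value is compared as-is.
    $existing = @(Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId)
    $already = $existing | Where-Object {
        $id = $_.CustomKeyIdentifier
        $idText = if ($id -is [byte[]]) { [System.Convert]::ToBase64String($id) } else { [string]$id }
        $idText -eq $keyId
    }
    if (-not $already) {
        $null = New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -CustomKeyIdentifier $keyId `
            -Type AsymmetricX509Cert -Usage Verify -Value $value `
            -StartDate $cert.NotBefore -EndDate $cert.NotAfter
    }

    # Verification: read everything back and report what an administrator should review.
    $creds = @(Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId)
    $expiring = @($creds | Where-Object { $_.EndDate -lt (Get-Date).AddDays(30) })
    if ($expiring.Count -gt 0) {
        Write-Warning "$($expiring.Count) key credential(s) on '$AppName' expire within 30 days; plan rotation."
    }
    $refreshed = Get-AzureADApplication -ObjectId $app.ObjectId
    $appRoleCount = ($refreshed.RequiredResourceAccess | ForEach-Object { $_.ResourceAccess } |
        Where-Object { $_.Type -eq 'Role' } | Measure-Object).Count

    [pscustomobject]@{
        AppId                   = $refreshed.AppId
        ObjectId                = $refreshed.ObjectId
        ReplyUrls               = @($refreshed.ReplyUrls)
        KeyCredentialCount      = $creds.Count
        ApplicationPermissions  = $appRoleCount   # Role entries: still require admin consent after this script
    }
}

# Usage (hypothetical values):
# $result = Set-AppRegistration -AppName 'OliverTestApp' -ReplyUrl 'https://localhost/signin' `
#     -CertificatePath 'C:\certs\OliverTestApp.cer' -RequiredResourceAccess $requiredAccess
```

The returned summary is what to check after running the procedure: the app exists once, the reply URL is present, there is exactly one key credential per certificate, and the count of application permissions tells you how many Role entries still await an administrator's consent, which this script deliberately does not grant.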
