
With the release of version 8 of VB 365, some additional permissions are needed on the registered app. Nothing to think about when you’re deploying a new app, but when you’re upgrading, you could re-use the existing app and extend it with the new requirements. I’m not a programmer, but I’ve tried to set up a small PowerShell script that, based on your Application ID, adds the necessary rights and also adds the app to the Global Reader role.

Feel free to check and modify it! Could be a time-saver!


# Requires the Microsoft.Graph PowerShell SDK. The AzureAD module used originally has been
# retired by Microsoft, so the same steps are done here with the Graph cmdlets the script
# already imported. Only the sub-modules that are actually needed are loaded.
foreach ($module in "Microsoft.Graph.Applications", "Microsoft.Graph.Identity.DirectoryManagement", "Microsoft.Graph.Identity.SignIns") {
    if (-not (Get-Module -ListAvailable -Name $module)) {
        Install-Module -Name $module -Scope CurrentUser -Force -AllowClobber
    }
    Import-Module $module
}

# Connect to the Microsoft Tenant with only the scopes this script needs
Write-Host "Connecting to Microsoft Tenant..." -ForegroundColor Cyan
Connect-MgGraph -Scopes "Application.Read.All", "AppRoleAssignment.ReadWrite.All", `
                        "DelegatedPermissionGrant.ReadWrite.All", "RoleManagement.ReadWrite.Directory" -NoWelcome

# Get Application (App Registration) ID
$appId = Read-Host "Please enter the Application (Client) ID for the App Registration"

# The app registration and its service principal are different directory objects.
# Consent (app role assignments, OAuth2 grants) and role membership belong to the
# service principal, so that is the object ID used below, not the registration's.
$app = Get-MgApplication -Filter "appId eq '$appId'"
$sp  = Get-MgServicePrincipal -Filter "appId eq '$appId'"

if (-not $app -or -not $sp) {
    Write-Host "Invalid Application ID (no app registration or service principal found)" -ForegroundColor Red
    exit 1
}

# Add API Permissions
Write-Host "Adding API Permissions..." -ForegroundColor Cyan

# Resource APIs that publish the permissions (well-known Microsoft appIds).
# Exchange.ManageAsApp is published by Office 365 Exchange Online, not by Microsoft Graph.
$graphServicePrincipal    = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'" # Microsoft Graph
$exchangeServicePrincipal = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'" # Office 365 Exchange Online

$apiPermissions = @(
    @{Resource = $graphServicePrincipal;    PermissionName = "ChannelMember.ReadWrite.All"; PermissionType = "Application"},
    @{Resource = $graphServicePrincipal;    PermissionName = "ChannelMember.ReadWrite.All"; PermissionType = "Delegated"},
    @{Resource = $graphServicePrincipal;    PermissionName = "Files.Read.All";              PermissionType = "Application"},
    @{Resource = $exchangeServicePrincipal; PermissionName = "Exchange.ManageAsApp";        PermissionType = "Application"}
)

# Loop through the permissions and grant them to the app's service principal (admin consent)
foreach ($perm in $apiPermissions) {
    $resource = $perm.Resource
    $label    = "$($perm.PermissionName) ($($perm.PermissionType))"

    if ($perm.PermissionType -eq "Application") {
        # Application permissions are app roles on the resource; consent = an app role assignment
        $apiPermission = $resource.AppRoles | Where-Object { $_.Value -eq $perm.PermissionName }
        if (-not $apiPermission) {
            Write-Host "Permission $label not found" -ForegroundColor Red
            continue
        }

        $existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
            Where-Object { $_.AppRoleId -eq $apiPermission.Id -and $_.ResourceId -eq $resource.Id }
        if ($existing) {
            Write-Host "Permission $label already granted" -ForegroundColor Yellow
            continue
        }

        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
            -ResourceId $resource.Id -AppRoleId $apiPermission.Id | Out-Null
    } else {
        # Delegated permissions are OAuth2 scopes; tenant-wide consent = an oauth2PermissionGrant
        # (they cannot be granted through an app role assignment)
        $apiPermission = $resource.Oauth2PermissionScopes | Where-Object { $_.Value -eq $perm.PermissionName }
        if (-not $apiPermission) {
            Write-Host "Permission $label not found" -ForegroundColor Red
            continue
        }

        $grant = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)' and resourceId eq '$($resource.Id)'" |
            Where-Object { $_.ConsentType -eq "AllPrincipals" }
        if ($grant) {
            # One grant per client/resource pair holds all scopes, so extend it instead of creating a second one
            $scopes = $grant.Scope -split ' ' | Where-Object { $_ }
            if ($scopes -contains $apiPermission.Value) {
                Write-Host "Permission $label already granted" -ForegroundColor Yellow
                continue
            }
            Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope (($scopes + $apiPermission.Value) -join ' ')
        } else {
            New-MgOauth2PermissionGrant -ClientId $sp.Id -ResourceId $resource.Id -ConsentType "AllPrincipals" -Scope $apiPermission.Value | Out-Null
        }
    }

    Write-Host "Added permission: $label" -ForegroundColor Green
}

Write-Host "API Permissions added successfully." -ForegroundColor Green

# Assign App Registration (its service principal) to Global Reader Role
Write-Host "Assigning App Registration to Global Reader role..." -ForegroundColor Cyan

# Get-MgDirectoryRole only returns roles already activated in the tenant, so activate
# Global Reader from its well-known role template if it has never been used
$globalReaderTemplateId = "f2ef992c-3afb-46b9-b7cf-a126ee74c451"
$globalReaderRole = Get-MgDirectoryRole | Where-Object { $_.RoleTemplateId -eq $globalReaderTemplateId }
if (-not $globalReaderRole) {
    $globalReaderRole = New-MgDirectoryRole -RoleTemplateId $globalReaderTemplateId
}

# Assign Global Reader role to the service principal
if ($globalReaderRole) {
    $isMember = Get-MgDirectoryRoleMember -DirectoryRoleId $globalReaderRole.Id -All | Where-Object { $_.Id -eq $sp.Id }
    if ($isMember) {
        Write-Host "Global Reader role was already assigned." -ForegroundColor Yellow
    } else {
        New-MgDirectoryRoleMemberByRef -DirectoryRoleId $globalReaderRole.Id `
            -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/directoryObjects/$($sp.Id)" }
        Write-Host "Global Reader role assigned successfully." -ForegroundColor Green
    }
} else {
    Write-Host "Global Reader role not found." -ForegroundColor Red
}

Write-Host "Script execution completed." -ForegroundColor Cyan
Disconnect-MgGraph | Out-Null
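A read-only companion check, added here as an example and not part of the post's script: it lists what the app's service principal has actually been granted, confirms the v8 additions from the post are in place, and shows everything else for a least-privilege review. It assumes the Microsoft.Graph PowerShell SDK; the Graph and Exchange Online appIds and the Global Reader template ID are Microsoft's well-known values.

```powershell
# Read-only audit of the VB365 app's effective permissions (added example, not the poster's script).
# Assumes Microsoft.Graph SDK; appIds/template ID below are Microsoft's well-known values.
Import-Module Microsoft.Graph.Applications, Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome   # read-only scopes only

$appId = Read-Host "Application (Client) ID to audit"
$sp = Get-MgServicePrincipal -Filter "appId eq '$appId'"
if (-not $sp) { throw "No service principal found for appId $appId" }

# The permissions the post says v8 adds, keyed "<resource appId>/<permission>"
$graphApi    = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
$exchangeApi = "00000002-0000-0ff1-ce00-000000000000"   # Office 365 Exchange Online
$expected = @{
    Application = @("$graphApi/ChannelMember.ReadWrite.All", "$graphApi/Files.Read.All", "$exchangeApi/Exchange.ManageAsApp")
    Delegated   = @("$graphApi/ChannelMember.ReadWrite.All")
}

$resourceCache = @{}
function Get-Resource($id) {   # resolve a resource service principal once, then reuse it
    if (-not $resourceCache.ContainsKey($id)) { $resourceCache[$id] = Get-MgServicePrincipal -ServicePrincipalId $id }
    $resourceCache[$id]
}

$granted = @{ Application = @(); Delegated = @() }
# Application permissions in effect = app role assignments on the service principal
foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    $res  = Get-Resource $a.ResourceId
    $role = $res.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    $granted.Application += "$($res.AppId)/$($role.Value)"
}
# Delegated permissions in effect = oauth2PermissionGrants where this app is the client
foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
    $res = Get-Resource $g.ResourceId
    foreach ($s in ($g.Scope -split ' ' | Where-Object { $_ })) { $granted.Delegated += "$($res.AppId)/$s" }
}

foreach ($kind in "Application", "Delegated") {
    foreach ($p in $expected[$kind]) {
        $status = if ($granted[$kind] -contains $p) { "OK     " } else { "MISSING" }
        Write-Host "$status $kind $p"
    }
    # Everything else is only listed: earlier VB365 versions legitimately need more than the v8 additions
    $granted[$kind] | Where-Object { $expected[$kind] -notcontains $_ } | ForEach-Object { Write-Host "OTHER   $kind $_" -ForegroundColor DarkGray }
}

# Global Reader membership (the role has members only once it is activated in the tenant)
$globalReader = Get-MgDirectoryRole | Where-Object { $_.RoleTemplateId -eq "f2ef992c-3afb-46b9-b7cf-a126ee74c451" }
$isReader = $globalReader -and (Get-MgDirectoryRoleMember -DirectoryRoleId $globalReader.Id -All | Where-Object { $_.Id -eq $sp.Id })
Write-Host ("Global Reader membership: " + $(if ($isReader) { "OK" } else { "MISSING" }))
Disconnect-MgGraph | Out-Null
```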


Nice one, had exactly this issue after updating my lab. But I was lazy and simply redeployed the Azure App ;)


Nice, thanks for this!


Whoa! Great effort there @kristofpoppe. Thanks for sharing!


Good timing for this as we are doing our upgrade planning, so this may come in handy. Thanks for the share.

