With the release of the version 8 of VB 365, some additional permissions are needed on the registred app. Nothing to think about when you’re deploying a new app, but when you’re upgrading, you coudl re-use the existing app and extend it with the new requirements. I’m not a programmer, but I’ve tried to setup a small powershell script that based on your Application ID adds the necessary rights and also adds the app to the Global Reader role.
Feel free to check and modify it ! Could be a time-saver !
# Ensure that the required modules are installed
Install-Module -Name AzureAD -Force -AllowClobber
Install-Module -Name Microsoft.Graph -Force -AllowClobber
# Import modules
Import-Module AzureAD
Import-Module Microsoft.Graph
# Connect to the Microsoft Tenant
Write-Host "Connecting to Microsoft Tenant..." -ForegroundColor Cyan
Connect-AzureAD
# Get Application (App Registration) ID
$appId = Read-Host "Please enter the Application (Client) ID for the App Registration"
# Get the Application's Object ID
$app = Get-AzureADApplication -Filter "AppId eq '$appId'"
$appObjectId = $app.ObjectId
if (!$appObjectId) {
Write-Host "Invalid Application ID" -ForegroundColor Red
exit
}
# Add API Permissions
Write-Host "Adding API Permissions..." -ForegroundColor Cyan
# Define the API permissions required (for Microsoft Graph)
$graphServicePrincipal = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'" # Microsoft Graph
$apiPermissions = @(
@{PermissionName = "ChannelMember.ReadWrite.All"; PermissionType = "Application"},
@{PermissionName = "ChannelMember.ReadWrite.All"; PermissionType = "Delegated"},
@{PermissionName = "Files.Read.All"; PermissionType = "Application"},
@{PermissionName = "Exchange.ManageAsApp"; PermissionType = "Application"}
)
# Loop through the permissions and add them to the app
foreach ($perm in $apiPermissions) {
if ($perm.PermissionType -eq "Application") {
$apiPermission = $graphServicePrincipal.AppRoles | Where-Object { $_.Value -eq $perm.PermissionName }
} elseif ($perm.PermissionType -eq "Delegated") {
$apiPermission = $graphServicePrincipal.Oauth2Permissions | Where-Object { $_.Value -eq $perm.PermissionName }
}
if ($apiPermission) {
# Add the permission to the App (Application type)
New-AzureADServiceAppRoleAssignment -Id $apiPermission.Id -ResourceId $graphServicePrincipal.ObjectId -PrincipalId $appObjectId
Write-Host "Added permission: $($perm.PermissionName) ($($perm.PermissionType))" -ForegroundColor Green
} else {
Write-Host "Permission $($perm.PermissionName) ($($perm.PermissionType)) not found" -ForegroundColor Red
}
}
Write-Host "API Permissions added successfully." -ForegroundColor Green
# Assign App Registration to Global Reader Role
Write-Host "Assigning App Registration to Global Reader role..." -ForegroundColor Cyan
# Get the role definition for Global Reader
$globalReaderRole = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq "Global Reader" }
# Assign Global Reader role to the Application
if ($globalReaderRole) {
Add-AzureADDirectoryRoleMember -ObjectId $globalReaderRole.ObjectId -RefObjectId $appObjectId
Write-Host "Global Reader role assigned successfully." -ForegroundColor Green
} else {
Write-Host "Global Reader role not found." -ForegroundColor Red
}
Write-Host "Script execution completed." -ForegroundColor Cyan