Modifier

Partager via


Create a custom application

Prerequisites

To create a custom application and grant it permissions, you need:

  • A Microsoft Entra user account. If you don't already have one, you can Create an account for free.
  • One of the following roles: Cloud Application Administrator, or Application Administrator.
  • Required scopes (PowerShell): AppRoleAssignment.ReadWrite.All, Application.ReadWrite.All, User.Read.All, Group.Read.All, DelegatedPermissionGrant.ReadWrite.All

Create an application using PowerShell

Use the custom application to isolate and limit the permissions granted for a Microsoft Entra resource.

# Connect to Entra with required scopes
Connect-Entra -Scopes 'Application.ReadWrite.All'

# Define application name and redirect URI
$appName = 'Entra PowerShell Helpdesk App'
$redirectUri = 'http://localhost'

# Create a new application
$app = New-EntraApplication -DisplayName $appName -PublicClient @{ RedirectUris = $redirectUri } -IsFallbackPublicClient $False

# Create a service principal for the application
$servicePrincipal = New-EntraServicePrincipal -AppId $app.AppId

Enable assignment required feature

# Set service principal parameters
Set-EntraServicePrincipal -ServicePrincipalId $servicePrincipal.Id -AppRoleAssignmentRequired $True

Assign users and groups

# Get a user and a group
$user = Get-EntraUser -UserId 'AdeleV@contoso.com'
$group = Get-EntraGroup -Search 'Sales and Marketing'

# Assign users and groups to the application
$emptyGuidUser = [Guid]::Empty.ToString()
New-EntraUserAppRoleAssignment -ObjectId $user.Id -PrincipalId $user.Id -ResourceId $servicePrincipal.Id -Id $emptyGuidUser

$emptyGuidGroup = [Guid]::Empty.ToString()
New-EntraGroupAppRoleAssignment -GroupId $group.Id -PrincipalId $group.Id -ResourceId $servicePrincipal.Id -Id $emptyGuidGroup

Define required resources and permissions

# Get Graph service principal
$graphApiId = '00000003-0000-0000-c000-000000000000'
$graphServicePrincipal = Get-EntraServicePrincipal -Filter "AppId eq '$graphApiId'"
$delegatedPermission = 'User.Read.All'
$app = Get-EntraApplication -Filter "DisplayName eq '$appName'"

# Create resource access object
$resourceAccessDelegated = New-Object Microsoft.Open.MSGraph.Model.ResourceAccess
$resourceAccessDelegated.Id = ((Get-EntraServicePrincipal -ServicePrincipalId $graphServicePrincipal.Id).Oauth2PermissionScopes | Where-Object { $_.Value -eq $delegatedPermission }).Id
$resourceAccessDelegated.Type = 'Scope'

# Create required resource access object
$requiredResourceAccessDelegated = New-Object Microsoft.Open.MSGraph.Model.RequiredResourceAccess
$requiredResourceAccessDelegated.ResourceAppId = $graphApiId
$requiredResourceAccessDelegated.ResourceAccess = $resourceAccessDelegated

# Set application required resource access
Set-EntraApplication -ApplicationId $app.Id -RequiredResourceAccess $requiredResourceAccessDelegated

Assign API permissions to the custom application

You can assign either delegated permissions or application permissions to the application.

$delegatedPermission = 'User.Read.All'
$graphApiId = '00000003-0000-0000-c000-000000000000'
$servicePrincipal = Get-EntraServicePrincipal -Filter "DisplayName eq '$appName'"
$graphServicePrincipal = Get-EntraServicePrincipal -Filter "AppId eq '$graphApiId'"

# Grant OAuth2 permission
New-EntraOauth2PermissionGrant -ClientId $servicePrincipal.Id -ConsentType 'AllPrincipals' -ResourceId $graphServicePrincipal.Id -Scope $delegatedPermission

Resources

Download and run the complete script:

Prerequisites

To create a custom application and grant it permissions, you need:

  • A Microsoft Entra user account. If you don't already have one, you can Create an account for free.
  • One of the following roles: Cloud Application Administrator, or Application Administrator.

Create an application in the Microsoft Entra admin center

To create custom applications for connecting to Microsoft Entra ID using Microsoft Entra PowerShell, follow the steps in the following section. Use the custom application to isolate and limit the permissions granted for a Microsoft Entra resource.

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
  2. Browse to Identity > Applications > App registrations and then select New Registration.
  3. Enter a name for your application, for example Entra PowerShell Five.
  4. For Supported account types, select Accounts in this organization directory.
  5. For Redirect URI select: - Public client/native from the drop-down - URI value: http://localhost
  6. Select Register.

Note

In the app's Overview section, copy the Application (client ID) and Directory (tenant) ID. You use the values when connecting to Microsoft Entra ID.

Enable assignment required feature

To manage the resources that your application gets access to in your tenant, locate the application's service principal in the Enterprise applications pane.

  1. Browse to Identity > Applications > Enterprise applications > All applications and select the application you created.
  2. Under Manage, select Properties and set Assignment required? to Yes.
  3. Select Save.

Assign users and groups

  1. Under Manage, select Users and groups.
  2. Select Add user/group and add the users and groups permitted to use this application.
  3. Once you add all the users and groups, select Assign.

Assign API permissions to the custom application

You need to set up Microsoft Graph permissions for the new application to connect to Microsoft Entra ID and manage Microsoft Entra resources.

  1. Browse to Identity > Applications > App Registrations > All applications and select the application you created.
  2. Under API permissions, select Add a permission > select Microsoft APIs > Microsoft Graph.
  3. Choose the type of permissions you require, either delegated or application permissions.
    • If you need to sign in to the app to manage your resources in Microsoft Entra ID, select Delegated permissions.
    • If you want the app to access Microsoft Entra resources on its own without user interaction, select Application permissions
  4. Search for the required permission, for example, User.Read.All.
  5. Select Grant admin consent for TenantName. Select Yes. Ensure the status shows a green checkmark.

Sign-in using the new app

You can now use the newly created app by connecting with:

Connect-Entra -ClientId <Your_APPLICATION_Id_Here> -TenantId <Your_TENANT_Id_Here>

For more connection options, see the Connect-Entra command details.