{"id":25661967,"url":"https://github.com/locktar/azureadapplicationmanagement","last_synced_at":"2025-04-19T20:34:26.960Z","repository":{"id":33265032,"uuid":"145133338","full_name":"LockTar/AzureAdApplicationManagement","owner":"LockTar","description":"Azure AD Application Management with Azure DevOps pipeline tasks","archived":false,"fork":false,"pushed_at":"2024-06-11T09:45:58.000Z","size":10946,"stargazers_count":1,"open_issues_count":1,"forks_count":7,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-29T13:05:24.884Z","etag":null,"topics":["azure","azure-applications","azure-devops","azure-devops-extension","azure-pipelines"],"latest_commit_sha":null,"homepage":"https://marketplace.visualstudio.com/items?itemName=RalphJansen.Azure-AD-Application-Management","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/LockTar.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-08-17T14:53:55.000Z","updated_at":"2023-04-08T07:10:13.000Z","dependencies_parsed_at":"2025-02-24T03:33:24.454Z","dependency_job_id":"2a79714d-c309-4054-b2bb-0ae66554c869","html_url":"https://github.com/LockTar/AzureAdApplicationManagement","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LockTar%2FAzureAdApplicationManagement","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LockTar%2FAzureAdApplicationManagement/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub
/repositories/LockTar%2FAzureAdApplicationManagement/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LockTar%2FAzureAdApplicationManagement/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/LockTar","download_url":"https://codeload.github.com/LockTar/AzureAdApplicationManagement/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":249795059,"owners_count":21326776,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure","azure-applications","azure-devops","azure-devops-extension","azure-pipelines"],"created_at":"2025-02-24T03:33:16.546Z","updated_at":"2025-04-19T20:34:26.932Z","avatar_url":"https://github.com/LockTar.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Azure AD Application Management\n\n[![Build status](https://ralphjansen.visualstudio.com/AzureAdApplicationManagement/_apis/build/status/Vsts-Extension?branchName=master)](https://ralphjansen.visualstudio.com/AzureAdApplicationManagement/_build/latest?definitionId=12\u0026branchName=master) [![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=LockTar_AzureAdApplicationManagement\u0026metric=alert_status)](https://sonarcloud.io/dashboard?id=LockTar_AzureAdApplicationManagement)\n\nAzure AD Application Management with Azure DevOps pipeline tasks. 
These Azure DevOps tasks are created with and tested on **Hosted windows-latest** agents.\n\nThis Azure DevOps extension contains the following tasks:\n\n- Get Azure AD Application\n- Set Azure AD Application (recommended)\n- Update Azure AD Application\n- Remove Azure AD Application\n\nIn order to use these tasks, follow the **prerequisite** steps in the [Get Started](#get-started) section.\n\n## Get Started\n\nIn order to use these tasks, a **prerequisite must be done**, otherwise you will get an **unauthorized error**. Follow the steps below to fix the permission issue:\n\n1. Create an Azure Resource Manager endpoint in your Azure DevOps team project manually or let Azure DevOps create one for you.\n2. Go to the [Azure portal](https://portal.azure.com)\n3. In the Azure portal, navigate to **App Registrations**\n4. Select the created app registration. If you can't find it, you probably don't have the right permissions. You can still find the app registration by changing the tab to **All applications**.\n5. Check the **Owners** of the selected app registration (application). If you're not an owner, find an **owner** or a **Global Administrator** (you will need a Global Admin in the next steps).\n6. Set the **API Permissions** to at least the permissions listed below, depending on the task versions you use.\n\n    ### V4 extension tasks (Preview)\n    Permissions: \n    \n    Alter your manifest manually by adding the permissions below. They stand for **Microsoft Graph (00000003-0000-0000-c000-000000000000)** with the **application** permissions **Manage apps that this app creates or owns (Application.ReadWrite.OwnedBy)** and **Read directory data (Directory.Read.All)**. When you save this, it will result in the following array in the **manifest**:
\n    \n    ```json\n    \"requiredResourceAccess\": [\n      {\n        \"resourceAppId\": \"00000003-0000-0000-c000-000000000000\",\n        \"resourceAccess\": [\n          {\n            \"id\": \"7ab1d382-f21e-4acd-a863-ba3e13f7da61\",\n            \"type\": \"Role\"\n          },\n          {\n            \"id\": \"18a4783c-866b-4cc7-a460-3d5e5662c884\",\n            \"type\": \"Role\"\n          }\n        ]\n      }\n    ]\n    ```\n    \n    ### V3 extension tasks\n    Permissions: \n    \n    Alter your manifest manually by adding the permissions below. They stand for **Azure Active Directory Graph (00000002-0000-0000-c000-000000000000)** and **Microsoft Graph (00000003-0000-0000-c000-000000000000)** with the **application** permissions **Manage apps that this app creates or owns (Application.ReadWrite.OwnedBy)** and **Read directory data (Directory.Read.All)**. When you save this, it will result in the following array in the **manifest**:
\n    \n    ```json\n    \"requiredResourceAccess\": [\n      {\n        \"resourceAppId\": \"00000002-0000-0000-c000-000000000000\",\n        \"resourceAccess\": [\n          {\n            \"id\": \"824c81eb-e3f8-4ee6-8f6d-de7f50d565b7\",\n            \"type\": \"Role\"\n          },\n          {\n            \"id\": \"5778995a-e1bf-45b8-affa-663a9f3f4d04\",\n            \"type\": \"Role\"\n          }\n        ]\n      },\n      {\n        \"resourceAppId\": \"00000003-0000-0000-c000-000000000000\",\n        \"resourceAccess\": [\n          {\n            \"id\": \"7ab1d382-f21e-4acd-a863-ba3e13f7da61\",\n            \"type\": \"Role\"\n          },\n          {\n            \"id\": \"18a4783c-866b-4cc7-a460-3d5e5662c884\",\n            \"type\": \"Role\"\n          }\n        ]\n      }\n    ]\n    ```\n\n7. **Very important:** Ask an Azure Global Administrator to click the **Grant admin consent for {your company}** button in the **API permissions** view. This only has to be done once.\n8. Use any task of this extension.\n\n## Release notes\n\n### V4\n\n- Create preview tasks for v4 based on the [Microsoft Graph PowerShell SDK](https://learn.microsoft.com/en-us/powershell/microsoftgraph/get-started?view=graph-powershell-1.0). For more information, see issue [#62](https://github.com/LockTar/AzureAdApplicationManagement/issues/62)\n- End date of secret is now in `yyyy-MM-dd` format.\n\n### V3.3\n\n- Update Az module to version 6.5.0 (a [pull request](https://github.com/actions/virtual-environments/pull/4349) for the hosted agent has been made)\n- Fix issue [#63](https://github.com/LockTar/AzureAdApplicationManagement/issues/63) about the new identifier URI validation rules\n\n### V3.2\n\n- Delete v2 tasks from extension\n- Update all NPM dependencies\n- Update PowerShell Az Module to version 6.4.0 (latest and same as hosted agent)\n- Update PowerShell AzureAD Module to version 2.0.2.140 (latest)\n- Update readme with 'Contribute' section\n\n### V3.1\n\n- Mark v2 tasks as deprecated\n\n### V3\n\n- Migrated (where possible) to the new Az modules\n- Remove AzureRm modules everywhere\n- Manage AppRoles in the 'Set' task\n- Manage 'User assignment required?' in the 'Set' task\n- New 'Update' task that only updates the values that are given and skips the rest\n- No 'New' task for v3. Can be done with the 'Set' task (was already the recommended way)\n- Update documentation\n- Deprecate all v2 tasks\n- Don't set a default Reply URL when creating a new application (not mandatory anymore by Microsoft)\n- Don't make homepage mandatory anymore (not mandatory anymore by Microsoft)\n- Change IdentifierUri to the new default format of Microsoft: api://{ApplicationId} (the argument in PowerShell is still mandatory)\n\n## FAQ\n\n### How can I manage an already created AD Application\n\nSet the [owner of the AD Application to the AD Application](#How-can-I-set-an-AD-Application-as-owner-of-an-AD-Application) that you use in the Azure Resource Manager Endpoint.\n\n### How can I set an AD Application as owner of an AD Application\n\nIn order to set an AD Application as an owner, you will need to get the **underlying Service Principal**. You can use the following script to get the Service Principal and to set it as owner.\n\n```powershell\n# Log in with permissions to change applications\n# Connect-MgGraph -Scopes \"Application.ReadWrite.All\"\n\n$servicePrincipalObjectIdOfTheNewOwner =  'Your service connection service principal object id here'\n$applicationObjectIdsToAddOwnerTo =       $('A', 'B', 'C', '...')\n$servicePrincipalObjectIdsToAddOwnerTo =  $('A', 'B', 'C', '...')\n\n# Get the information of the new owner\n$newOwnerObject = Get-MgServicePrincipal -ServicePrincipalId $servicePrincipalObjectIdOfTheNewOwner\nWrite-Host \"New owner service principal information: Name $($newOwnerObject.DisplayName), Id $($newOwnerObject.Id)\"\n\n$newOwner = @{\n  \"@odata.id\"= \"https://graph.microsoft.com/v1.0/directoryObjects/$($newOwnerObject.Id)\"\n}\n\n# Add owner to applications\nforeach ($applicationObjectIdToAddOwnerTo in $applicationObjectIdsToAddOwnerTo) {\n  $application = Get-MgApplication -ApplicationId $applicationObjectIdToAddOwnerTo\n  Write-Host \"Receiving owner application information: Name $($application.DisplayName), Id $($application.Id)\"
\n\n  $currentMembers = Get-MgApplicationOwner -ApplicationId $applicationObjectIdToAddOwnerTo\n\n  if($currentMembers.Id -NotContains $servicePrincipalObjectIdOfTheNewOwner){ \n    New-MgApplicationOwnerByRef -ApplicationId $applicationObjectIdToAddOwnerTo -BodyParameter $newOwner\n    Write-Host \"$($servicePrincipalObjectIdOfTheNewOwner) added as owner\"\n  } else {\n    Write-Host \"$($servicePrincipalObjectIdOfTheNewOwner) already owner\"\n  }\n}\n\n# Add owner to service principals\nforeach ($servicePrincipalObjectIdToAddOwnerTo in $servicePrincipalObjectIdsToAddOwnerTo) {\n  $servicePrincipal = Get-MgServicePrincipal -ServicePrincipalId $servicePrincipalObjectIdToAddOwnerTo\n  Write-Host \"Receiving owner service principal: Name $($servicePrincipal.DisplayName), Id $($servicePrincipal.Id)\"\n\n  $currentMembers = Get-MgServicePrincipalOwner -ServicePrincipalId $servicePrincipalObjectIdToAddOwnerTo \n\n  if($currentMembers.Id -NotContains $servicePrincipalObjectIdOfTheNewOwner){ \n    New-MgServicePrincipalOwnerByRef -ServicePrincipalId $servicePrincipalObjectIdToAddOwnerTo -BodyParameter $newOwner\n    Write-Host \"$($servicePrincipalObjectIdOfTheNewOwner) added as owner\"\n  } else {\n    Write-Host \"$($servicePrincipalObjectIdOfTheNewOwner) already owner\"\n  }\n}\n```\n\n### How can I use Azure Pipelines and YAML for these tasks\n\nSee the Samples folder for a generic setup of an Azure Pipelines multi-stage pipeline for build and release.\n\n## Contribute\n\n### Prepare\n\n1. Clone repository\n2. Install gulp with `npm install gulp -g`\n3. Navigate to folder `Vsts-Extension` in PowerShell 5.1 (the old PowerShell module is still being used)\n4. Install npm packages with `npm install`\n5. Install PowerShell Module `Az` (All AzureRm modules should be removed from your system as stated in the Az documentation) in PowerShell 5.1 (the old PowerShell module is still being used)\n6. Install PowerShell Module `AzureAD` in PowerShell 5.1 (the old PowerShell module is still being used)\n7. Optional: Install `Pester` for running PowerShell test scripts with `Install-Module -Name Pester -Force -SkipPublisherCheck` in PowerShell 5.1 (the old PowerShell module is still being used)\n\n### Build\n\n1. Navigate to folder `Vsts-Extension` in the PowerShell version of your choice\n2. Run gulp with the following commands:\n    - `gulp build` Build all tasks and set the dependencies in the tasks\n    - `gulp clean` Clean all tasks\n    - `gulp reset` First does a `clean` and then a `build`\n    - `gulp build/clean/reset:taskname`, for example `gulp build:GetAdApplication` to build only the GetAdApplication task\n\n### Test\n\n1. Navigate in PowerShell 5.1 (the old PowerShell module is still being used) to `./scripts/ManageAadApplications/v3`\n2. Log in to the `Az` and `AzureAD` PowerShell modules with the commands `Connect-AzAccount` and `Connect-AzureAD`. Log in with a test user that doesn't have the `Global Administrator` role. If you use a Global admin, the owner won't be set and some tests will fail.\n3. Run the Pester tests for the `ManageAadApplications` PowerShell module, using the `*.Tests.ps1` files in the `ManageAadApplications` folder. See the comment at the top of the screen. For example `Invoke-Pester -Output Detailed .\\Get-AadApplication.Tests.ps1`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flocktar%2Fazureadapplicationmanagement","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Flocktar%2Fazureadapplicationmanagement","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Flocktar%2Fazureadapplicationmanagement/lists"}