Friday, January 7, 2022



Hello everyone, this is Part 3 of my blog series on Azure AD App Registration. In my previous posts, I covered the following:

In Part 1, I covered creating an app registration.

In Part 2, I covered creating app roles.

In this post I will show how to create scopes programmatically via PowerShell using the MS Graph APIs.

By configuring an application to expose a web API to client apps through scopes, you can provide permission-based access to its resources for the authorized users and client apps that call your API.

The code in a client application requests permission to perform operations defined by your web API by passing an access token along with its requests to the protected resource (the web API). Your web API then performs the requested operation only if the access token it receives contains the scopes required for the operation.

This diagram from the Microsoft documentation shows how the web API registration exposes scopes, and how those permissions are then added to the client app's registration:

Understanding Azure AD app registration is a prerequisite for this; I recommend going through this documentation link to get familiar with it.

The focus of this blog is only to show how to create scopes programmatically.

To create a scope you need to do the following:

Set the Application ID URI

The Application ID URI acts as the prefix for the scopes you will reference in your API's code. It must be globally unique; I prefer to use the default form, api://<application-client-id>

Specify the scope attributes

These are the fields shown in the "Add a scope" pane below:

For creating scopes programmatically, I have created two scripts in my GitHub repository:

SetApplicationUri.ps1 - This is for setting the Application ID URI.

CreateScopes.ps1 - This is for creating scopes programmatically.

My GitHub repository link is:

How the script works

  1. CreateScopes.ps1 first authenticates to Azure AD (using the script ConnectToAzureAD.ps1).
  2. It then generates an access token (using the script GenerateToken.ps1). This token is used to call the MS Graph REST API URL that updates the Application ID URI.
  3. It calls SetApplicationUri.ps1 to set the Application ID URI.
  4. Finally, it creates the scopes.

CreateScopes.ps1 requires ConnectToAzureAD.ps1, GenerateToken.ps1, SetApplicationUri.ps1 to be in the same folder.
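The following is an added example of the same flow in a single script; it is not one of the scripts from my repository. It assumes the master app registration's tenant ID, client ID and secret are passed in as parameters and that the master app has been granted the Application.ReadWrite.All Graph permission. The function and variable names are my own choices for this illustration.

```powershell
# Added example, not the blog's own script: create API scopes on an existing
# app registration through the Microsoft Graph REST API.
# Assumptions: $TenantId/$ClientId/$ClientSecret are the "master" app's
# credentials and that app has the Application.ReadWrite.All permission.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $ClientId,
    [Parameter(Mandatory)] [string] $ClientSecret,
    [Parameter(Mandatory)] [string] $AppName,     # display name of the web API app registration
    [Parameter(Mandatory)] [string] $ScopesList   # comma-separated, e.g. "Employee.Read,Employee.Write"
)

$graph = "https://graph.microsoft.com/v1.0"

# 1. Client-credentials token for Graph (the job GenerateToken.ps1 does in the repo).
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = "https://graph.microsoft.com/.default"
        grant_type    = "client_credentials"
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Find the application object by display name. Display names are not unique,
#    so refuse to continue unless exactly one registration matches.
$escapedName = $AppName.Replace("'", "''")                  # OData string literal escaping
$filter = [uri]::EscapeDataString("displayName eq '$escapedName'")
$apps = @((Invoke-RestMethod -Headers $headers `
    -Uri "$graph/applications?`$filter=$filter&`$select=id,appId,identifierUris,api").value)
if ($apps.Count -ne 1) { throw "Expected exactly one app named '$AppName', found $($apps.Count)." }
$app = $apps[0]

# 3. Set the Application ID URI in the default form api://<client id> if none is set yet.
if (-not $app.identifierUris) {
    $body = @{ identifierUris = @("api://$($app.appId)") } | ConvertTo-Json
    Invoke-RestMethod -Method Patch -Headers $headers -ContentType "application/json" `
        -Uri "$graph/applications/$($app.id)" -Body $body | Out-Null
}

# 4. Build the new scope objects. PATCH replaces the whole oauth2PermissionScopes
#    collection, so the existing scopes must be sent back too or they are dropped.
$existing  = @($app.api.oauth2PermissionScopes | Where-Object { $_ })
$requested = $ScopesList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$newScopes = foreach ($name in $requested) {
    if ($existing.value -contains $name) { continue }    # already there: skip, keeps the run idempotent
    @{
        id                      = [guid]::NewGuid().ToString()
        value                   = $name
        type                    = "User"   # "User": users may consent; "Admin": admin consent required
        isEnabled               = $true
        adminConsentDisplayName = "Access $name"
        adminConsentDescription = "Allows the app to call the '$name' operation on behalf of the signed-in user."
        userConsentDisplayName  = "Access $name"
        userConsentDescription  = "Allows the app to call the '$name' operation on your behalf."
    }
}
if (-not $newScopes) { Write-Host "All requested scopes already exist on '$AppName'."; return }

$body = @{ api = @{ oauth2PermissionScopes = @($existing + $newScopes) } } | ConvertTo-Json -Depth 5
Invoke-RestMethod -Method Patch -Headers $headers -ContentType "application/json" `
    -Uri "$graph/applications/$($app.id)" -Body $body | Out-Null

Write-Host "Created scope(s) $(@($newScopes).value -join ', ') under api://$($app.appId)"
```

Two details are worth noting. The display-name lookup fails closed when zero or several registrations match, because Azure AD does not enforce unique display names and patching the wrong application object would silently change another app's permissions. And because PATCH on the api property replaces the whole oauth2PermissionScopes collection, the script merges the scopes already on the app with the new ones; sending only the new ones would delete the existing scopes (Graph also rejects removal of a scope that is still enabled, so a scope has to be disabled with isEnabled false in one call before it can be dropped in a later one).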

Before using the script:

If you have not read my previous post, please click here and follow the sections for:

  • Pre-requisites
  • Create master App Registration
  • Generate Access Token

If you have already done that, you do not need to repeat the above steps.

How to run the script

Please follow the steps below to use the repository:

  1. Go to the link:
  2. Clone the repository.
  3. Open a PowerShell terminal, go to the repository location, then into the scripts folder.
  4. Edit GenerateToken.ps1 and update your credentials, i.e. tenant ID, client ID and secret.

Once done, run the following commands:

Connect to Azure account:

You can use this script code to connect using the master app credentials:

# Client ID and secret of the master app registration (the app that holds the Graph permissions)
$ServicePrincipalUser = "<Master app registration Client Id>"
$ServicePrincipalPW = "<Master app registration client secret>"
# PSCredential needs the secret as a SecureString
$passwd = ConvertTo-SecureString $ServicePrincipalPW -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential($ServicePrincipalUser, $passwd)
# Sign in as the service principal, scoped to your tenant
Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant "<Your tenant Id>"

Or, if you have the Application Administrator role, you can use the command below to log in.

Connect-AzAccount -TenantId <Your tenant ID>

Run the script:

.\CreateScopes.ps1 -appName "<Enter the display name of an existing app reg>" -scopesList "<list of scopes to be created, separated by commas>"

For example: .\CreateScopes.ps1 -appName "TestPujah-1" -scopesList "Employee.Read,Employee.Write"

Optional: Pre-Authorize Client Apps

To suppress the consent prompt for users of your app for the scopes you've defined, you can optionally pre-authorize the client application to access your web API.

There is a PreAuthorizeClientApps.ps1 script that will authorize client applications programmatically.

This script assumes you have the web app registration and the client app registration already created.

You will need to pass the web app registration name, the client app registration name and the scope as arguments.

For e.g.

.\PreAuthorizeClientApps.ps1 -webAppName "TestPujah-1" -clientAppName "test3" -scope "Employee.Read"

I will leave it to you to test this out; the process of executing the script is the same as above.

All the scripts are self-explanatory and have been tested end to end.

Please feel free to reach out to me if you face any issue. Happy reading.
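As an added example of what pre-authorizing a client involves (my own illustration, not the PreAuthorizeClientApps.ps1 script from the repository), the script below takes a Graph access token obtained with the master app's credentials, looks up both registrations by display name, resolves the scope name to its permission ID and adds the client to the web API's preAuthorizedApplications list. The parameter and function names are assumptions made for this example.

```powershell
# Added example, not one of the blog's scripts: pre-authorize a client app for
# one scope exposed by a web API registration, via the Microsoft Graph REST API.
# Assumes $AccessToken is a Graph token for the master app (Application.ReadWrite.All),
# obtained with the client-credentials flow the way GenerateToken.ps1 does.
param(
    [Parameter(Mandatory)] [string] $AccessToken,
    [Parameter(Mandatory)] [string] $WebAppName,     # display name of the web API registration
    [Parameter(Mandatory)] [string] $ClientAppName,  # display name of the client registration
    [Parameter(Mandatory)] [string] $Scope           # scope value, e.g. "Employee.Read"
)

$graph   = "https://graph.microsoft.com/v1.0"
$headers = @{ Authorization = "Bearer $AccessToken" }

# Look up one application object by display name; fail closed on 0 or several matches.
function Get-AppByName([string] $Name) {
    $escaped = $Name.Replace("'", "''")
    $filter  = [uri]::EscapeDataString("displayName eq '$escaped'")
    $hits = @((Invoke-RestMethod -Headers $headers `
        -Uri "$graph/applications?`$filter=$filter&`$select=id,appId,api").value)
    if ($hits.Count -ne 1) { throw "Expected exactly one app named '$Name', found $($hits.Count)." }
    return $hits[0]
}

$webApp    = Get-AppByName $WebAppName
$clientApp = Get-AppByName $ClientAppName

# The pre-authorization references the scope by its id, not its name, and only
# an enabled scope can be granted.
$scopeObj = @($webApp.api.oauth2PermissionScopes) |
    Where-Object { $_.value -eq $Scope -and $_.isEnabled }
if (-not $scopeObj) { throw "Scope '$Scope' is not defined (or not enabled) on '$WebAppName'." }

# preAuthorizedApplications is replaced wholesale on PATCH, so merge with the
# current list instead of overwriting the grants of other clients.
$current = @($webApp.api.preAuthorizedApplications | Where-Object { $_ })
$entry   = $current | Where-Object { $_.appId -eq $clientApp.appId }
if ($entry) {
    if ($entry.delegatedPermissionIds -contains $scopeObj.id) {
        Write-Host "'$ClientAppName' is already pre-authorized for '$Scope'."; return
    }
    $entry.delegatedPermissionIds = @($entry.delegatedPermissionIds) + $scopeObj.id
} else {
    $current += @{ appId = $clientApp.appId; delegatedPermissionIds = @($scopeObj.id) }
}

$body = @{ api = @{ preAuthorizedApplications = @($current) } } | ConvertTo-Json -Depth 5
Invoke-RestMethod -Method Patch -Headers $headers -ContentType "application/json" `
    -Uri "$graph/applications/$($webApp.id)" -Body $body | Out-Null

Write-Host "Pre-authorized '$ClientAppName' ($($clientApp.appId)) for scope '$Scope' on '$WebAppName'."
```

Pre-authorization is keyed on the client's appId (the application/client ID), not its object ID, and lists permission IDs rather than scope names; that is why the script resolves the scope through the web API's oauth2PermissionScopes first. Merging into the existing list matters for the same reason as with scopes: a PATCH that sends only the new client would remove every other client's pre-authorization.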
