Thursday, January 6, 2022


Hi everyone, after a while I am back with one of my favorite Azure AD topics. I have spent a lot of time learning about application registrations in Azure AD, the mechanism the platform offers for registering applications and assigning permissions to them.

This article assumes you are familiar with the topic. App registration is a very extensive subject, and creating apps through the portal is a repetitive and tedious task, so I will focus on how to create app registrations programmatically using the Microsoft Graph REST API from PowerShell.

I will be covering the following:

  1. Pre-requisites
  2. Create a master App registration and grant it the “Application.ReadWrite.All” application permission. Its credentials will be used to generate the access token in step 3.
  3. How to generate an access token to call the Microsoft Graph REST API.
  4. How to create an Application Registration using the MS Graph REST API via PowerShell.

Pre-requisites

  • An Azure account with an active subscription.
  • The Azure AD role "Application Administrator", which can manage applications in Azure Active Directory (Azure AD). This is needed only to create the master app registration described in the next section; once a master app registration with the “Application.ReadWrite.All” permission exists, the script runs with that app's credentials and your own account needs no directory role. Note that granting tenant-wide admin consent for a Microsoft Graph application permission is not covered by the Application Administrator role; that step needs a Global Administrator (or Privileged Role Administrator).
  • An Azure AD tenant.
  • PowerShell installed locally to run the scripts.
  • Optionally, VS Code installed locally (if you want to play around with the scripts).

Create a master App registration

The first step is to create a new App Registration in the Azure Portal and grant it the "Application.ReadWrite.All" API permission. This application's credentials will be used to authenticate to Azure AD and obtain an access token for calling the MS Graph REST APIs.

To create one, go to Azure AD in the Azure Portal, click App registrations, then New registration. Enter a name and click Register (leaving everything else as default). I have created an App Registration with the display name "AppRegAutomation".

Once created, go to API permissions and add the Application.ReadWrite.All application permission (under Microsoft Graph). Application permissions only take effect after tenant-wide admin consent, so have a suitably privileged administrator click "Grant admin consent" afterwards; without it the token generated later is issued without the roles claim and Graph rejects the create call with HTTP 403. Be aware that Application.ReadWrite.All lets the holder create and modify every application and service principal in the tenant, including adding credentials to more privileged ones, so treat the master app's secret as a tenant-level credential and store it accordingly.

Next, create client credentials for this app registration under Certificates & secrets.

Copy the secret value immediately; the portal shows it only once, right after the secret is created.

Also copy the Application (client) ID from the app's Overview page.

Finally, in the Azure portal go to Azure AD and copy the Directory (tenant) ID.

Generate Access Token

Finally, to generate the token, I use the PowerShell script below to call the OAuth token endpoint. Replace the placeholder values with the values you collected above.

 $tenantId     = "<your tenant Id>"
 $clientId     = "<your app registration client Id>"
 $clientSecret = "<your app registration secret>"
 $url    = "https://login.microsoftonline.com/$tenantId/oauth2/token"   # v1 token endpoint; "resource" names the API the token is for
 $body   = "grant_type=client_credentials&client_id=$clientId&client_secret=$([uri]::EscapeDataString($clientSecret))&resource=https://graph.microsoft.com"
 $header = @{ "Content-Type" = 'application/x-www-form-urlencoded' }
 $request = Invoke-WebRequest -Method 'Post' -Uri $url -Body $body -Headers $header
 $token   = ($request.Content | ConvertFrom-Json).access_token   # bearer token used for the Graph calls below

The response contains an access token (a JWT) whose roles claim carries Application.ReadWrite.All, provided admin consent was granted; that is the token the Graph call in the next section needs in order to create applications.
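Before spending the token on Graph calls, it is worth confirming locally that it actually carries the app role the create call needs. The following is an added example, not code from the post or its repository: it decodes the JWT payload (no signature validation; Graph does that) and checks the audience and roles claim. The two sample tokens at the bottom are constructed in the script with a dummy signature, so it runs offline; the second one mimics what you get when the permission was added but admin consent was never granted.

```powershell
# Added example: local sanity check of an app-only Graph token (not the post's script).
# Decoding only; this does NOT validate the signature and must not be used as a trust decision.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {          # restore the padding that base64url strips
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS: expected 3 dot-separated parts, got $($parts.Count)" }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-GraphAppRole {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$RequiredRole = 'Application.ReadWrite.All'
    )
    $claims = Get-JwtPayload $Token
    # Microsoft Graph tokens carry one of these audiences, depending on whether the
    # v1 (resource=) or v2.0 (scope=.default) endpoint issued them.
    $graphAudiences = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
    if ($graphAudiences -notcontains $claims.aud) {
        Write-Warning "Token audience is '$($claims.aud)', not Microsoft Graph"
        return $false
    }
    # App-only tokens list granted application permissions in "roles". If admin consent
    # was never granted the claim is simply absent and Graph answers 403 on the POST.
    return [bool]($claims.roles -contains $RequiredRole)
}

# --- Constructed sample tokens (built here, not issued by Azure AD; signature is a dummy) ---
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function New-FakeJwt([string]$PayloadJson) {
    $h = ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}'
    $p = ConvertTo-Base64Url $PayloadJson
    "$h.$p.c2lnbmF0dXJl"
}
$consented   = New-FakeJwt '{"aud":"https://graph.microsoft.com","roles":["Application.ReadWrite.All"],"appid":"11111111-1111-1111-1111-111111111111"}'
$unconsented = New-FakeJwt '{"aud":"https://graph.microsoft.com","appid":"11111111-1111-1111-1111-111111111111"}'

foreach ($t in @($consented, $unconsented)) {
    $ok = Test-GraphAppRole -Token $t
    Write-Host "roles claim carries Application.ReadWrite.All: $ok"
}
```

To use it with a real token, call `Test-GraphAppRole -Token $token` right after the token request above and abort the run when it returns False; that turns a confusing 403 from Graph into an immediate "grant admin consent" message.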

Create Application using Graph API

To create the application, the following REST call is made from PowerShell: a POST to the Graph applications endpoint with the display name in the JSON body.

$DisplayName = "<display name of the app to create>"
$url    = "https://graph.microsoft.com/v1.0/applications"
$header = @{
    Authorization = "Bearer $token"
}
$postBody = @"
{
    "displayName": "$DisplayName"
}
"@
$appRegistration = Invoke-RestMethod -Method 'POST' -Uri $url -Body $postBody -ContentType 'application/json' -Headers $header
$appRegistration.appId   # client Id of the new registration; $appRegistration.id is its object Id
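Putting the two steps together, here is an added example of the whole procedure as a re-runnable script. It is not the post's CreateSimpleApplicationRegistration.ps1 and assumes the master app's values are supplied in the environment variables AZ_TENANT_ID, AZ_CLIENT_ID and AZ_CLIENT_SECRET (names chosen for this example). It goes beyond the text in two ways: it uses the v2.0 token endpoint with the Graph `.default` scope, which yields the same app-only token as the v1 `resource=` form, and it checks for an existing registration with the same display name before creating one, because Azure AD does not enforce unique display names and a naive POST on every pipeline run silently creates duplicates.

```powershell
# Added example (not the post's script): token acquisition plus an idempotent create.

function Get-GraphAppToken {
    param([Parameter(Mandatory)][string]$TenantId,
          [Parameter(Mandatory)][string]$ClientId,
          [Parameter(Mandatory)][string]$ClientSecret)
    # v2.0 endpoint with the ".default" scope. A hashtable body is form-url-encoded by
    # Invoke-RestMethod, so special characters in the secret need no manual escaping.
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' `
        -Body @{
            grant_type    = 'client_credentials'
            client_id     = $ClientId
            client_secret = $ClientSecret
            scope         = 'https://graph.microsoft.com/.default'
        }
    $resp.access_token
}

function New-AppRegistrationIfMissing {
    param([Parameter(Mandatory)][string]$Token,
          [Parameter(Mandatory)][string]$DisplayName)
    $graph   = 'https://graph.microsoft.com/v1.0'
    $headers = @{ Authorization = "Bearer $Token" }

    # displayName is not unique in Azure AD; look first and reuse an existing registration.
    $literal  = $DisplayName.Replace("'", "''")      # OData string literal escaping
    $existing = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "$graph/applications?`$filter=displayName eq '$literal'&`$select=id,appId,displayName"
    if (@($existing.value).Count -gt 0) {
        Write-Host "Reusing existing registration '$DisplayName' (appId $($existing.value[0].appId))"
        return $existing.value[0]
    }

    $body = @{
        displayName    = $DisplayName
        signInAudience = 'AzureADMyOrg'   # single tenant, stated explicitly instead of relying on the API default
    } | ConvertTo-Json

    try {
        $app = Invoke-RestMethod -Method Post -Uri "$graph/applications" `
            -Headers $headers -ContentType 'application/json' -Body $body
    } catch {
        # HTTP 403 Authorization_RequestDenied here almost always means Application.ReadWrite.All
        # was added to the master app but admin consent was never granted.
        $status = $_.Exception.Response.StatusCode.value__
        throw "POST /applications failed (HTTP $status): $($_.ErrorDetails.Message)"
    }
    Write-Host "Created registration '$DisplayName' (appId $($app.appId), objectId $($app.id))"
    $app
}

# Usage: the three values come from the master app created earlier (assumed env var names).
$token = Get-GraphAppToken -TenantId $env:AZ_TENANT_ID -ClientId $env:AZ_CLIENT_ID -ClientSecret $env:AZ_CLIENT_SECRET
New-AppRegistrationIfMissing -Token $token -DisplayName 'AppRegAutomationDemo'   # constructed sample name
```

Reading the secret from the environment rather than the script body is what makes this safe to commit and to run from a pipeline, where the variable can be marked secret; the returned object's `appId` is the client Id you would hand to the application team, and `id` is the object Id that later update calls (app roles, credentials, redirect URIs) address.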


I have created a GitHub repository that has the script to create a simple app registration - CreateSimpleApplicationRegistration.ps1

How the script works

  1. CreateSimpleApplicationRegistration.ps1 first authenticates to Azure AD (using the script ConnectToAzureAD.ps1).
  2. It then obtains an access token (a JWT) for Microsoft Graph (using the script GenerateToken.ps1). This is needed to call the MS Graph REST APIs.
  3. With that token, it creates the application.

Note: To run the script locally you still need to log in with Connect-AzAccount, either using the master app registration's credentials or, if you hold the Application Administrator role, with your own account. The first option is preferred if you want to automate the script in a pipeline. The script requires ConnectToAzureAD.ps1 and GenerateToken.ps1 to be in the same folder.

Please follow the steps below to use the repository:

  1. Go to the link:
  2. Clone the repository.
  3. Open the PowerShell terminal, go to the repository location, go to scripts folder.
  4. Edit GenerateToken.ps1 and fill in your credentials, i.e. tenant Id, client Id and secret. Do not commit the edited file; for pipeline use, supply the secret from a secret variable or Key Vault rather than hard-coding it.

Once done, run the following commands:

Connect to Azure account:

You can use this script code to connect using master app credentials:

# Log in as the master app registration (service principal) rather than as a user
$ServicePrincipalUser = "<Master app registration Client Id>"
$ServicePrincipalPW   = "<Master app registration client secret>"
$passwd = ConvertTo-SecureString $ServicePrincipalPW -AsPlainText -Force
$pscredential = New-Object System.Management.Automation.PSCredential($ServicePrincipalUser, $passwd)
Connect-AzAccount -ServicePrincipal -Credential $pscredential -Tenant "<Your tenant Id>"

Or if you have application administrator role, you can use command below to login in.

Connect-AzAccount -TenantId <Your tenant ID>

Run the script:

.\CreateSimpleApplicationRegistration.ps1 -appName "<Enter a display name you want to create>" 

This is the first step, creating a basic application. I will write separate blog posts on updating the other properties of the application: creating app roles, creating scopes, creating password credentials, setting redirect URIs (reply URLs), creating the service principal, setting API permissions, and pre-authorizing applications.

I will create a separate PowerShell script for updating each app registration property, as that keeps the code neat, simple and loosely coupled.

Happy reading.

