Extend 'aad app add' to support granting admin consent
Added from #3114
You can currently use the aad app add command to create Azure AD app registrations and define both delegated and application-scoped permissions to be used. However, if you configure a scope that requires admin consent to be granted, you must manually log into the Azure Portal and consent manually before the permission can be used.
I propose that we add a new option to the command named --grantAdminConsent that, when present, will automatically grant consent for the permissions passed in via the --apisDelegated and --apisApplication options, thus removing the manual consent step.
Original Issue
Description
Command m365 aad app add --name "AzureCP" --withSecret --apisApplication 'https://graph.microsoft.com/Group.Read.All,https://graph.microsoft.com/User.Read.All' does not work as expected
Steps to reproduce
I run the following as the global admin:
m365 login
m365 status # Output confirms I'm the top global admin
m365 aad app add --name "AzureCP" --withSecret --apisApplication 'https://graph.microsoft.com/Group.Read.All,https://graph.microsoft.com/User.Read.All'
Expected result
When I visit the app in app registration, I expect that:
- The global admin user (returned by m365 status) has full control on the app created
- The permissions added with apisApplication have the admin consent granted (or an m365 command is available to do it)
Actual result
I visit the app in app registration (as the same user as returned by m365 status) and notice 2 problems:
- In most of the tabs I have a red banner which says "Some actions may be disabled due to your permissions. To request access, contact the application owner(s) or your administrator."
- The permissions were not granted admin consent. I didn't find a command in m365 to do it and the UI does not allow me to do it because of the error above.
Environment
This is WSL2 with Ubuntu 20.04 distro
m365 version
v3.10.0
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal
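
The consent gap described in this issue can be checked from directory data. The following is an added example, not code from the issue or from the CLI for Microsoft 365 project: it compares an app registration's requiredResourceAccess with the appRoleAssignments of its service principal and lists the application permissions that still lack admin consent. The role GUIDs, object IDs and sample objects are constructed placeholders, and missingAdminConsent is a hypothetical helper name.

```javascript
// Added example: all sample data below is constructed, not output from a real tenant.
const GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"; // Microsoft Graph appId

// Constructed placeholder role IDs (not the real Graph appRole GUIDs).
const ROLE_GROUP_READ_ALL = "11111111-1111-1111-1111-111111111111";
const ROLE_USER_READ_ALL = "22222222-2222-2222-2222-222222222222";

// Shape of the Graph "application" object's requiredResourceAccess property.
const application = {
  displayName: "AzureCP",
  requiredResourceAccess: [{
    resourceAppId: GRAPH_APP_ID,
    resourceAccess: [
      { id: ROLE_GROUP_READ_ALL, type: "Role" },  // application permission
      { id: ROLE_USER_READ_ALL, type: "Role" },   // application permission
      { id: "33333333-3333-3333-3333-333333333333", type: "Scope" } // delegated
    ]
  }]
};

// Resource appId -> object ID of that resource's service principal (constructed).
const resourceSpIds = { [GRAPH_APP_ID]: "sp-graph-object-id" };

// appRoleAssignments of the app's own service principal (constructed):
// only one of the two requested roles has been consented.
const appRoleAssignments = [
  { resourceId: "sp-graph-object-id", appRoleId: ROLE_GROUP_READ_ALL }
];

// Returns the requested application permissions ("Role") with no matching assignment.
function missingAdminConsent(app, assignments, spIds) {
  const granted = new Set(assignments.map(a => `${a.resourceId}|${a.appRoleId}`));
  const missing = [];
  for (const resource of app.requiredResourceAccess || []) {
    const spId = spIds[resource.resourceAppId];
    for (const access of resource.resourceAccess || []) {
      if (access.type !== "Role") continue; // delegated scopes live in oauth2PermissionGrants
      if (spId === undefined || !granted.has(`${spId}|${access.id}`)) {
        missing.push({ resourceAppId: resource.resourceAppId, appRoleId: access.id });
      }
    }
  }
  return missing;
}

console.log(missingAdminConsent(application, appRoleAssignments, resourceSpIds));
```
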