Talking to Microsoft Graph API or how to retrieve AAD users

I want to get a list of AD users so I can make a decision for a 3rd party app about removing deactivated users.

Azure App Registration and Permissions

To do so we need to register our app, which can be done from the Active Directory app registrations section.

register new app

On the registration screen there is nothing fancy: we just give it a name and press Create.

registration

After the app is created we want its client id and tenant id.

identifiers

Next, navigate to client credentials to create a new one.

where to create azure app client credentials

Make sure to copy the secret value (not the secret id) and keep it secret: it is shown only once, and anyone holding it can act as the app with every permission granted below.

where to create azure app client credentials

Now it is time to give our app some permissions: navigate to the API permissions section and add some.

adding permissions to azure app

Choose Microsoft Graph

adding permissions to azure app

Add wanted permissions

adding permissions to azure app

Note that we are choosing application-level permissions, so they work in the background without a signed-in user.

Now we need to grant the requested permissions (even though we added them manually, they still require admin consent).

adding permissions to azure app

It will just show a confirmation dialogue where we press Yes; if everything is fine, we should see green checkmarks beside the permissions.

Microsoft Graph API

If the previous steps were done correctly we should have:

tenant_id=xxx
client_id=xxx
client_secret=xxx

# https://learn.microsoft.com/en-us/graph/auth-v2-service?context=graph%2Fapi%2F1.0&view=graph-rest-1.0#token-request
token=$(curl -s -X POST "https://login.microsoftonline.com/$tenant_id/oauth2/v2.0/token" -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=$client_id&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=$client_secret&grant_type=client_credentials" | jq -r ".access_token")

# https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http
curl -s https://graph.microsoft.com/v1.0/users -H "Authorization: Bearer $token" | jq ".value"

So with this approach we can talk to Azure Active Directory from our background jobs.
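The same flow in Python, as an added example that is not part of the original post: it builds the client_credentials token request exactly as the curl above does, pages through /users following @odata.nextLink (the curl only shows the first page), and picks out accounts AAD has disabled, which is the list the 3rd party app needs. The fetch function is injected so the paging logic can be exercised against constructed sample pages; the environment variable names and sample users are assumptions.

```python
import json
import os
import urllib.parse
import urllib.request
GRAPH = "https://graph.microsoft.com/v1.0"
SCOPE = "https://graph.microsoft.com/.default"  # every application permission consented to the app

def token_request(tenant_id, client_id, client_secret):
    """Build the v2.0 client_credentials token request (the same call the curl above makes)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({"client_id": client_id, "scope": SCOPE,
        "client_secret": client_secret, "grant_type": "client_credentials"}).encode()
    return url, body

def get_token(tenant_id, client_id, client_secret):
    req = urllib.request.Request(*token_request(tenant_id, client_id, client_secret), method="POST")
    with urllib.request.urlopen(req) as r:
        return json.load(r)["access_token"]

def fetch_json(url, token):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as r:
        return json.load(r)

def list_users(fetch, token):
    """Page /users via @odata.nextLink; fetch(url, token) is injected so paging can run offline."""
    url = f"{GRAPH}/users?$select=id,userPrincipalName,accountEnabled"
    users = []
    while url:
        page = fetch(url, token)
        users.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
    return users

def disabled_accounts(users):
    """UPNs of accounts AAD has disabled: the removal candidates for the 3rd party app."""
    return sorted(u["userPrincipalName"] for u in users if u.get("accountEnabled") is False)

SAMPLE_PAGES = {  # constructed two-page result, not real tenant data
    f"{GRAPH}/users?$select=id,userPrincipalName,accountEnabled": {"value": [
        {"id": "1", "userPrincipalName": "alice@example.com", "accountEnabled": True},
        {"id": "2", "userPrincipalName": "bob@example.com", "accountEnabled": False}],
        "@odata.nextLink": f"{GRAPH}/users?$skiptoken=constructed-page-2"},
    f"{GRAPH}/users?$skiptoken=constructed-page-2": {"value": [
        {"id": "3", "userPrincipalName": "carol@example.com", "accountEnabled": False}]}}
sample_fetch = lambda url, token: SAMPLE_PAGES[url]

if __name__ == "__main__":  # real run: tenant_id/client_id/client_secret from the environment
    e = os.environ
    print(disabled_accounts(list_users(fetch_json, get_token(e["tenant_id"], e["client_id"], e["client_secret"]))))
```

Run against a real tenant the app needs at least User.Read.All (application) consented, as set up above; the secret is read from the environment rather than hard-coded.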

AZ CLI Azure App

There is a way to automate application creation

BUT I was not able to set up permissions.

#!/usr/bin/env bash
set -euo pipefail

# STEP 0: AZ CLI
echo current
az account show --query name --output tsv
echo available
az account list --query "[].{name:name}" --output tsv
echo change
az account set --subscription="mysubs"

tenant_id=$(az account show --query tenantId --output tsv)
echo "tenant_id: $tenant_id"

# STEP 1: APP REGISTRATION

# https://learn.microsoft.com/en-us/cli/azure/ad/app?view=azure-cli-latest
az ad app create --display-name mactemp

# https://learn.microsoft.com/en-us/cli/azure/ad/app?view=azure-cli-latest#az-ad-app-list
# filter server-side by display name (a bare list is capped at the first 100 apps) and
# pipe into [0] so the index applies to the filtered list rather than to each element
client_id=$(az ad app list --display-name mactemp --query "[?displayName=='mactemp'].appId | [0]" --output tsv)
echo "client_id: $client_id"

# https://learn.microsoft.com/en-us/cli/azure/ad/app/credential?view=azure-cli-latest#az-ad-app-credential-reset
# the secret is returned only once; it is echoed here for the demo, so keep this output out of shared logs
# (10 years is convenient for a throwaway app; a shorter lifetime limits the damage of a leaked secret)
client_secret=$(az ad app credential reset --id "$client_id" --append --display-name mactemp --years 10 --query password --output tsv)
echo "client_secret: $client_secret"

# STEP 1b: PERMISSIONS (attempts, left commented out)
# application permissions are app roles on the Microsoft Graph service principal
# (00000003-0000-0000-c000-000000000000); they need "permission add ... =Role" followed by
# admin consent from a directory admin, and "permission grant" only records a delegated
# OAuth2 grant, which is why the grant calls below do not light up the Role permissions

# # https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-admin-consent
# # must run after the roles are added and the service principal exists, as an admin
# az ad app permission admin-consent --id $client_id

# # https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-grant
# az ad app permission grant --id $client_id --api 00000003-0000-0000-c000-000000000000

# # look up the app role ids on the Microsoft Graph service principal
# # az ad sp show --id 00000003-0000-0000-c000-000000000000
# # az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[*].{id:id,name:value}" --output tsv
# id=$(az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[?value=='Directory.Read.All'].id" --output tsv)
# az ad app permission add --id $client_id --api 00000003-0000-0000-c000-000000000000 --api-permissions $id=Role
# id=$(az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[?value=='User.Read.All'].id" --output tsv)
# az ad app permission add --id $client_id --api 00000003-0000-0000-c000-000000000000 --api-permissions $id=Role

# # the app needs a service principal in the tenant before consent can be recorded for it
# az ad sp create --id $client_id
# az ad app permission grant --id $client_id --api 00000003-0000-0000-c000-000000000000 --scope Directory.Read.All
# az ad app permission grant --id $client_id --api 00000003-0000-0000-c000-000000000000 --scope User.Read.All


# STEP 2: TOKEN

# https://learn.microsoft.com/en-us/graph/auth-v2-service?context=graph%2Fapi%2F1.0&view=graph-rest-1.0#token-request
token=$(curl -s -X POST "https://login.microsoftonline.com/$tenant_id/oauth2/v2.0/token" -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=$client_id&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=$client_secret&grant_type=client_credentials" | jq -r ".access_token")

# STEP 3: API (returns 403 until the application permissions above are consented)
curl -s https://graph.microsoft.com/v1.0/users -H "Authorization: Bearer $token" | jq

# STEP 4: CLEANUP (deleting the app also invalidates its secret)
az ad app delete --id "$client_id"