Talking to Microsoft Graph API or how to retrieve AAD users
I want to get a list of Azure AD users so that a third-party app can decide which deactivated users to remove.
Azure App Registration and Permissions
To do so we need to register an app, which can be done from the Azure Active Directory app registrations section.
On the registration screen there is nothing fancy: we just give it a name and press create.
After the app is created we need its client ID and tenant ID.
Next, navigate to client credentials and create a new secret.
Make sure to copy the secret value (not the secret ID) and keep it secret.
Now it is time to give our app some permissions: navigate to the API permissions section and add some.
Choose Microsoft Graph
Add wanted permissions
Note that we are choosing application-level permissions, so they work in the background without a signed-in user.
Now we need to grant the requested permissions (even though we added them manually, they still require admin consent).
It will just show a confirmation dialogue where we press yes, and if everything is fine we should see green checkmarks next to the permissions.
Microsoft Graph API
If the previous steps were done correctly we should have:
tenant_id=xxx
client_id=xxx
client_secret=xxx
# https://learn.microsoft.com/en-us/graph/auth-v2-service?context=graph%2Fapi%2F1.0&view=graph-rest-1.0#token-request
token=$(curl -s -X POST "https://login.microsoftonline.com/$tenant_id/oauth2/v2.0/token" -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=$client_id&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=$client_secret&grant_type=client_credentials" | jq -r ".access_token")
# https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http
curl -s https://graph.microsoft.com/v1.0/users -H "Authorization: Bearer $token" | jq ".value"
So with this approach we can talk to Azure Active Directory from our background jobs.
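The same flow as a small background-job client, added here as an example (it is not code from the original post). It builds the token request the curl command above sends, checks that the issued token actually carries the application roles consented to in the permissions step (an app-only token whose `roles` claim lacks them means admin consent was not granted, and Graph will answer 403), and pages through `/users` via `@odata.nextLink`, which the single curl call does not do, to pick out disabled accounts. Transport is isolated behind one `fetch_json` callable; `fake_fetch_json`, the sample pages and the tenant/client placeholders are constructed so it runs offline, and `http_fetch_json` is the real transport.

```python
"""Added example, not code from the original post: a minimal client-credentials
client for Microsoft Graph with a local roles check and nextLink paging."""
import base64
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
SELECT = ("id", "userPrincipalName", "accountEnabled")  # only the fields we need


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the client_credentials grant used in the post."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "scope": GRAPH + "/.default",
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant=tenant_id), body


def token_roles(access_token):
    """Return the `roles` claim of an app-only token. The payload is decoded but the
    signature is NOT verified: Graph validates the token, this is a local sanity check."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def http_fetch_json(url, method="GET", headers=None, body=None):
    """Real transport: send the request and parse the JSON response."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers or {}, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def get_token(fetch_json, tenant_id, client_id, client_secret):
    url, body = build_token_request(tenant_id, client_id, client_secret)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return fetch_json(url, "POST", headers, body)["access_token"]


def list_users(fetch_json, token):
    """Fetch every user, following @odata.nextLink until the last page."""
    url = GRAPH + "/v1.0/users?" + urllib.parse.urlencode({"$select": ",".join(SELECT)})
    users = []
    while url:
        page = fetch_json(url, "GET", {"Authorization": "Bearer " + token})
        users.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the final page
    return users


def deactivated_users(users):
    """Accounts still present in the directory but disabled (accountEnabled == false)."""
    return [u for u in users if u.get("accountEnabled") is False]


# ---- constructed sample data so the module runs offline ----
def fake_token(roles):
    """Unsigned JWT carrying the given roles claim (constructed, for testing only)."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc({"roles": roles}) + ".sig"


FIRST_PAGE = GRAPH + "/v1.0/users?" + urllib.parse.urlencode({"$select": ",".join(SELECT)})
SECOND_PAGE = GRAPH + "/v1.0/users?$skiptoken=page2"  # constructed continuation link
SAMPLE_PAGES = {
    FIRST_PAGE: {
        "value": [
            {"id": "u1", "userPrincipalName": "alice@example.test", "accountEnabled": True},
            {"id": "u2", "userPrincipalName": "bob@example.test", "accountEnabled": False},
        ],
        "@odata.nextLink": SECOND_PAGE,
    },
    SECOND_PAGE: {
        "value": [{"id": "u3", "userPrincipalName": "carol@example.test", "accountEnabled": False}],
    },
}


def fake_fetch_json(url, method="GET", headers=None, body=None):
    """Offline stand-in for http_fetch_json backed by the constructed pages."""
    if method == "POST":
        return {"access_token": fake_token(["User.Read.All"])}
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    fetch = fake_fetch_json  # swap for http_fetch_json to query a real tenant
    tok = get_token(fetch, "TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER", "SECRET_PLACEHOLDER")
    if "User.Read.All" not in token_roles(tok):
        raise SystemExit("token carries no User.Read.All role: admin consent is missing")
    for user in deactivated_users(list_users(fetch, tok)):
        print(user["id"], user["userPrincipalName"])
```

The roles check runs before the first Graph call so a missing consent shows up as a clear message instead of a 403 buried in the job's logs; the paging loop matters because `/users` returns at most a page at a time, so a job that only reads the first response would silently skip accounts.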
AZ CLI Azure App
There is a way to automate application creation
BUT I was not able to set up permissions
# STEP 0: AZ CLI
echo current
az account show --query name --output tsv
echo available
az account list --query "[].{name:name}" --output tsv
echo change
az account set --subscription="mysubs"
tenant_id=$(az account show --query tenantId --output tsv)
echo "tenant_id: $tenant_id"
# STEP 1: APP REGISTRATION
# https://learn.microsoft.com/en-us/cli/azure/ad/app?view=azure-cli-latest
# `az ad app create` returns the application object, so the client id (appId) can be read directly from its output
client_id=$(az ad app create --display-name mactemp --query appId --output tsv)
echo "client_id: $client_id"
# https://learn.microsoft.com/en-us/cli/azure/ad/app/credential?view=azure-cli-latest#az-ad-app-credential-reset
# creates a client secret; the password is only shown once, and 10 years is far too long for anything but a throwaway test app
client_secret=$(az ad app credential reset --id "$client_id" --append --display-name mactemp --years 10 --query password --output tsv)
echo "client_secret: $client_secret"
# Permission setup (left commented out, see the note above).
# 00000003-0000-0000-c000-000000000000 is the app id of the Microsoft Graph service principal.
# # list the application roles (app-only permissions) that Microsoft Graph exposes
# # az ad sp show --id 00000003-0000-0000-c000-000000000000
# # az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[*].{id:id,name:value}" --output tsv
# # add the Directory.Read.All and User.Read.All application roles (Role, not Scope) to the app
# id=$(az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[?value=='Directory.Read.All'].id" --output tsv)
# az ad app permission add --id "$client_id" --api 00000003-0000-0000-c000-000000000000 --api-permissions "$id=Role"
# id=$(az ad sp show --id 00000003-0000-0000-c000-000000000000 --query "appRoles[?value=='User.Read.All'].id" --output tsv)
# az ad app permission add --id "$client_id" --api 00000003-0000-0000-c000-000000000000 --api-permissions "$id=Role"
# # a service principal for the app must exist in the tenant before consent can be recorded
# az ad sp create --id "$client_id"
# # application roles need admin consent
# # https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-admin-consent
# az ad app permission admin-consent --id "$client_id"
# # `az ad app permission grant` only creates delegated (user-scoped) permission grants, so it does not cover application roles
# # https://learn.microsoft.com/en-us/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-grant
# az ad app permission grant --id "$client_id" --api 00000003-0000-0000-c000-000000000000 --scope Directory.Read.All
# az ad app permission grant --id "$client_id" --api 00000003-0000-0000-c000-000000000000 --scope User.Read.All
# STEP 2: TOKEN
# https://learn.microsoft.com/en-us/graph/auth-v2-service?context=graph%2Fapi%2F1.0&view=graph-rest-1.0#token-request
# client credentials grant: no user involved, the app authenticates with its own secret
token=$(curl -s -X POST "https://login.microsoftonline.com/$tenant_id/oauth2/v2.0/token" -H "Content-Type: application/x-www-form-urlencoded" -d "client_id=$client_id&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=$client_secret&grant_type=client_credentials" | jq -r ".access_token")
# STEP 3: API
# without granted application permissions this call returns 403
curl -s https://graph.microsoft.com/v1.0/users -H "Authorization: Bearer $token" | jq
# STEP 4: CLEANUP
az ad app delete --id "$client_id"