functions/azure/aad/Assert-AzureAdAppForAppService.ps1

# <copyright file="Assert-AzureAdAppForAppService.ps1" company="Endjin Limited">
# Copyright (c) Endjin Limited. All rights reserved.
# </copyright>

<#
.SYNOPSIS
Ensures that an AzureAD application for use with an Azure AppService exists.

.DESCRIPTION
For AzureAD applications that don't already exist, one will be created with a '.azurewebsites.net'
homepage URI and be configured with the SignInAndReadProfile required access.

.PARAMETER AppName
The name of the application.

.PARAMETER AppId
For existing applications and scenarios where suitable Azure graph access is not available, the
application be specified by its ApplicationID.

.OUTPUTS
Microsoft.Azure.Commands.ActiveDirectory.PSADApplication
#>

function Assert-AzureAdAppForAppService
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory=$true)]
        [string] $AppName,

        [string] $AppId
    )

    # Check whether we have a valid AzPowerShell connection
    _EnsureAzureConnection -AzPowerShell -ErrorAction Stop
    
    if ( !(Test-AzureGraphAccess) ) {
        if (-not $AppId) {
            Write-Error "AppId for $AppName was not supplied and access to the Azure AD graph is not available. Either run this in a context where graph access is available, or pass this app id in as an argument." 
        }
        $adApp = Get-AzADApplication -ApplicationId $AppId
        Write-Host ("AppId for {0} ({1}) is {2}" -f $AppName, $AppName, $AppId)
        return $adApp
    }

    $EasyAuthCallbackTail = ".auth/login/aad/callback"

    $AppUri = "https://" + $AppName + ".azurewebsites.net/"

    # When we add APIM support, this would need to use the public-facing service root, assuming
    # we still actually want callback URI support.
    $ReplyUrls = @(($AppUri + $EasyAuthCallbackTail))
    $app = Assert-AzureAdApp -DisplayName $AppName `
                             -AppUri $AppUri `
                             -ReplyUrls $ReplyUrls

    Write-Host ("AppId for {0} ({1}) is {2}" -f $AppName, $AppName, $app.ApplicationId)

    $Principal = Get-AzAdServicePrincipal -ApplicationId $app.ApplicationId
    if (-not $Principal)
    {
        $newSp = New-AzAdServicePrincipal -ApplicationId $app.ApplicationId -DisplayName $AppName -SkipAssignment
    }

    $GraphApiAppId = "00000002-0000-0000-c000-000000000000"
    $SignInAndReadProfileScopeId = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"
    $manifest = Assert-RequiredResourceAccessContains `
                                -App $app `
                                -ResourceId $GraphApiAppId `
                                -AccessRequirements @( @{Id=$SignInAndReadProfileScopeId; Type="Scope"} )

    return $app
}