Corvus.Deployment

0.4.0-beta0001

functions/azure/aad/Assert-AzureAdAppForAppService.ps1

                                # <copyright file="Assert-AzureAdAppForAppService.ps1" company="Endjin Limited">

# Copyright (c) Endjin Limited. All rights reserved.

# </copyright>

<#

.SYNOPSIS

Ensures that an AzureAD application for use with an Azure AppService exists.

.DESCRIPTION

For AzureAD applications that don't already exist, one will be created with a '.azurewebsites.net'

homepage URI and be configured with the SignInAndReadProfile required access.

.PARAMETER AppName

The name of the application.

.PARAMETER AppId

For existing applications and scenarios where suitable Azure graph access is not available, the

application be specified by its ApplicationID.

.OUTPUTS

Microsoft.Azure.Commands.ActiveDirectory.PSADApplication

#>

function Assert-AzureAdAppForAppService

{

    [CmdletBinding()]

    param

    (

        [Parameter(Mandatory=$true)]

        [string] $AppName,

        [string] $AppId

    )

    # Check whether we have a valid AzPowerShell connection

    _EnsureAzureConnection -AzPowerShell -ErrorAction Stop

    if ( !(Test-AzureGraphAccess) ) {

        if (-not $AppId) {

            Write-Error "AppId for $AppName was not supplied and access to the Azure AD graph is not available. Either run this in a context where graph access is available, or pass this app id in as an argument." 

        }

        $adApp = Get-AzADApplication -ApplicationId $AppId

        Write-Host ("AppId for {0} ({1}) is {2}" -f $AppName, $AppName, $AppId)

        return $adApp

    }

    $EasyAuthCallbackTail = ".auth/login/aad/callback"

    $AppUri = "https://" + $AppName + ".azurewebsites.net/"

    # When we add APIM support, this would need to use the public-facing service root, assuming

    # we still actually want callback URI support.

    $ReplyUrls = @(($AppUri + $EasyAuthCallbackTail))

    $app = Assert-AzureAdApp -DisplayName $AppName `

                             -AppUri $AppUri `

                             -ReplyUrls $ReplyUrls

    Write-Host ("AppId for {0} ({1}) is {2}" -f $AppName, $AppName, $app.ApplicationId)

    $Principal = Get-AzAdServicePrincipal -ApplicationId $app.ApplicationId

    if (-not $Principal)

    {

        $newSp = New-AzAdServicePrincipal -ApplicationId $app.ApplicationId -DisplayName $AppName -SkipAssignment

    }

    $GraphApiAppId = "00000002-0000-0000-c000-000000000000"

    $SignInAndReadProfileScopeId = "311a71cc-e848-46a1-bdf8-97ff7156d8e6"

    $manifest = Assert-RequiredResourceAccessContains `

                                -App $app `

                                -ResourceId $GraphApiAppId `

                                -AccessRequirements @( @{Id=$SignInAndReadProfileScopeId; Type="Scope"} )

    return $app

}