functions/azure/aad/Assert-AzureAdApiPermissions.ps1

# <copyright file="Assert-AzureAdApiPermissions.ps1" company="Endjin Limited">
# Copyright (c) Endjin Limited. All rights reserved.
# </copyright>

<#
.SYNOPSIS
Ensures that an AAD application has the specified API permissions.

.DESCRIPTION
Supports assigning API permissions (by name) to an AAD application - both 'Application' and 'Delegated' permissions.

NOTE: This function currently supports assigning permissions to the 'Microsoft Graph' and the now deprecated 'Azure Graph' APIs.

.PARAMETER ApiName
The name of the API - 'AzureGraph' or 'MSGraph'.

.PARAMETER ApplicationPermissions
The list of 'Application' (or 'AppRole') permissions to be assigned. (e.g. 'Application.ReadWrite.OwnedBy')

.PARAMETER DelegatedPermissions
The list of 'Application' (or 'OAuth') permissions to be assigned. (e.g. 'Application.Read.All')

.PARAMETER ApplicationId
The ApplicationID or ClientId of the AAD identity who requires the assignments.

#>


function Assert-AzureAdApiPermissions
{
    [CmdletBinding(SupportsShouldProcess)]
    param (
        [Parameter(Mandatory=$true)]
        [ValidateSet("AzureGraph","MSGraph")]
        [string] $ApiName,

        [Parameter()]
        [string[]] $ApplicationPermissions,

        [Parameter()]
        [string[]] $DelegatedPermissions,

        [Parameter(Mandatory=$true)]
        [guid] $ApplicationId
    )

    # Check whether we have a valid AzPowerShell connection, but no subscription-level access is required
    _EnsureAzureConnection -AzPowerShell -TenantOnly -ErrorAction Stop | Out-Null
    
    [hashtable[]] $accessRequirements = @()
    foreach ($permission in $ApplicationPermissions) {
        $permisssionId = _getApiPermissionId -ApiName $ApiName -Permission $permission -Type Application
        $accessRequirements += @{Id=$permisssionId; Type="Role"}
    }

    foreach ($permission in $DelegatedPermissions) {
        $permisssionId = _getApiPermissionId -ApiName $ApiName -Permission $permission -Type Delegated
        $accessRequirements += @{Id=$permisssionId; Type="Scope"}
    }

    $app = Get-AzADApplication -ApplicationId $ApplicationId
    if ($PSCmdlet.ShouldProcess($ApplicationId)) {
        $appManifest = Assert-RequiredResourceAccessContains `
                            -App $app `
                            -ResourceId (_getApiId -ApiName $ApiName) `
                            -AccessRequirements $accessRequirements
    }
}