Graph management

Step 1: new registration

Select “App registrations” > “New registration”

Step 2: application name

Give your application a name (i.e., CoreView Integration) and click “Register” .

Step 3: copy and store

You have now registered the application. Please copy and store the application ID. You will need to upload this information to CoreView’s portal at a later time.

Step 4: add permission

From the registered application, click “API permissions” and then “Add a permission”. 

Step 5: select the service

Select “Microsoft Graph” from the list of services.

Step 6: select permissions

Select t“Application permissions” and add the following permissions:

User.ReadWrite.All
Directory.ReadWrite.All
Group.ReadWrite.All

• If you need to perform the action “Remove Channel User”, the following permission is required:

 ChannelMember.ReadWriteAll

• If you need to manage authentication methods for users, the following permission is required:

UserAuthenticationMethod.ReadWrite.All

• If you need to manage Entra ID applications, the following permission is required: 

Application.ReadWrite.All”.

• If you need to manage MFA (enable/disable) for your users, the following permission is required:

Policy.ReadWrite.AuthenticationMethod

Step 7: grant admin consent

Once you have added the permissions, check the box “Grant admin consent for…”.

Step 8: create new secret

Select “Certificates & secrets”, then “New client secret”.

Step 9: add description and expiration date

Enter a description and expiration date for the client secret, then select “Add”. We suggest an expiration date of 18 months from the creation of the secret in order to avoid having to go through the creation and update of the secret too often.   

Step 10: add description and expiration date

You have now created your secret. Copy the value of the secret immediately after creation, as it will be encrypted the moment you leave the page.

1. Copy the following code and paste it into a file named “RegisterAzureAdApp.ps1”:

function Register-AzureADApp{
            [CmdletBinding()]
            param(
                [Parameter(Mandatory, HelpMessage="Display name for this application", Position=0)][string]$Name,
                [Parameter(Mandatory,ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, HelpMessage="List of permission.", Position=1)][string[]]$permissions,
                [Parameter(HelpMessage="Expires Client Secret in the following format: MM/dd/yyyy", Position=2)][string]$ExpiresClientSecret,
                [Parameter(HelpMessage="The URIs we will accept as destinations when returning authentication responses (tokens) after successfully authenticating or signing out users", Position=3)][string]$UrlRedirect
            )
            $summary = @{}
            Connect-AzureAD | Out-Null
            if( [string]::IsNullOrWhiteSpace( $ExpiresClientSecret)){    
                $ExpiresClientSecret = Get-Date -Date (((Get-date).AddYears(1))) -Format "MM/dd/yyyy"
            }
            $tenantId = (Get-AzureADTenantDetail).objectId
            $app = Get-AzureADApplication -Filter "DisplayName eq '$Name'"
            if( $null -ne $app){
                Write-Warning -Message "App: $Name already exists"
            }
           
            try{
                $endDate = [datetime]::ParseExact($ExpiresClientSecret, 'MM/dd/yyyy', [CultureInfo]::InvariantCulture)
                if( [string]::IsNullOrWhiteSpace( $UrlRedirect)){
                    $UrlRedirect = "https://www.coreview.com/"
                }
                #new application
                $newApp = New-AzureADApplication -DisplayName $Name -ReplyUrls $UrlRedirect
                $summary.Add( "Application (client) ID", $newApp.AppId) > $null
                #add owner
                $currentUser = (Get-AzureADUser -ObjectId (Get-AzureADCurrentSessionInfo).Account.Id)
                Add-AzureADApplicationOwner -ObjectId $newApp.ObjectId -RefObjectId $currentUser.ObjectId
                #generate a secret key
                $appPassword = New-AzureADApplicationPasswordCredential -ObjectId $newApp.ObjectId -CustomKeyIdentifier "AppAccessKey" -EndDate $endDate
                $summary.Add("Secret key value", $appPassword.value) > $null
                $summary.Add("Url granting consent", [string]::Format("https://login.microsoftonline.com/{0}/adminconsent?client_id={1}", $tenantId, $newApp.AppId)) > $null
                #define API permissions
                $graphSP = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
                $graphPermissions = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
                $graphPermissions.ResourceAppId = $graphSP.AppId
                $graphPermissions.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]
                foreach( $permission in $permissions){
                    $checkPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $permission}
                    if( $checkPermission){
                        $resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
                        $resourceAccess.Type = "Role"
                        $resourceAccess.Id = $checkPermission.Id
                        $graphPermissions.ResourceAccess.Add($resourceAccess) > $null
                    }
                    else{
                        Write-Warning "$permission not found"
                    }
                }
                if( $graphPermissions.ResourceAccess.Count -gt 0){
                    Set-AzureADApplication -ObjectId $newApp.ObjectId -RequiredResourceAccess $graphPermissions
                }
            }
            catch{
                Write-Error -Message $_.Exception.Message -ErrorAction Stop
            }
            finally{
                Disconnect-AzureAD
            }
            $summary | Format-Table -AutoSize | Out-String -Width 1200
        }

2. Run a command as administrator 
3. Type PowerShell
4. Make sure that you have installed the module Azure AD, otherwise run the following:

Install-Module -Name AzureAD -RequiredVersion 2.0.2.137 -Confirm:$false -Scope AllUsers -Force 

5. Retrieve the data as below using the location of the folder where it was copied:

. "path\RegisterAzureAdApp.ps1"

6. Call the function as below: 

Register-AzureadApp -Name "CoreView Management Integration" -permissions "User.ReadWrite.All", "Directory.ReadWrite.All", "Group.ReadWrite.All"

If you need to perform the action Remove Channel User it is required also the additional permission:  

"ChannelMember.ReadWrite.All"

If you need to manage authentication methods for users, it is required the additional permission: 

"UserAuthenticationMethod.ReadWrite.All"

If you need to manage membership for role assignable groups, it is required the additional permission:

"RoleManagement.ReadWrite.Directory"

If you need to manage application permissions, it is required the additional permission:

AppRoleAssignment.ReadWrite.All

7. By default, the expiration date of the Client Secret is one year from the moment the script is executed. We suggest adding the parameter to extend the expiration date to 18 months.

ExpiresClientSecret "12/31/2023"

8. The script will generate the Client ID, the Client Secret, and the URL that you need to use to provide the consent on Azure AD.

9. You can add the below optional parameter

-Urlredirect "myurl"

The URLs will be accepted as destinations when returning authentication responses (tokens) after successfully authenticating or signing out users. If not specified, by default it will be set to: https://coreview.com

10. Copy and paste the URL into a web browser and provide the consent using a user with global admin rights.