Note: The implementation of this feature will require advanced technical skills and administrative access. Please consult a member of your IT team with administrative privileges to carry out the instructions detailed below.
Step 1: Install PowerShell
• If you do not have PowerShell installed on your system, follow these instructions to download and install it: Install PowerShell.
Step 2: Install the Microsoft Graph PowerShell SDK
• The Microsoft Graph PowerShell SDK is required to interact with Microsoft Graph via PowerShell. Follow the installation guide here: Install Microsoft Graph PowerShell SDK.
Step 3: Run the PowerShell Script
• Ensure that the person executing the script holds an administrative role in your Microsoft Azure (Entra ID) tenant that allows them to grant the Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All Microsoft Graph permissions the script requests when it connects. These permissions are necessary to read applications and manage their app role assignments within your organization.
• Save the script provided below to a file named TeamflectPermissions.ps1.
• Open PowerShell, navigate to the directory containing the script and run it by typing: ./TeamflectPermissions.ps1
Script Content
$appDisplayName = "Teamflect"
# Connect to Microsoft Graph with the scopes needed to read service principals and create app role assignments
Connect-MgGraph -Scopes "Application.ReadWrite.All","AppRoleAssignment.ReadWrite.All"
# Retrieve the client app's service principal and the Microsoft Graph service principal
$appServicePrincipal = Get-MgServicePrincipal -Filter "displayName eq '$($appDisplayName)'"
$graphServicePrincipal = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'"
# Stop if either service principal could not be found in this tenant
if (-not $appServicePrincipal) { Write-Host "Service principal '$appDisplayName' not found"; return }
if (-not $graphServicePrincipal) { Write-Host "Microsoft Graph service principal not found"; return }
# Look up the two Microsoft Graph application roles to be assigned
$customSecAssignment = $graphServicePrincipal.AppRoles | Where-Object { $_.Value -eq "CustomSecAttributeAssignment.Read.All" }
$customSecDefinition = $graphServicePrincipal.AppRoles | Where-Object { $_.Value -eq "CustomSecAttributeDefinition.Read.All" }
# Check that both app roles exist (the ';' is required; without it 'return' is passed to Write-Host as text and the script continues)
if (-not $customSecAssignment) { Write-Host "CustomSecAttributeAssignment.Read.All app role not found"; return }
if (-not $customSecDefinition) { Write-Host "CustomSecAttributeDefinition.Read.All app role not found"; return }
# Add one app role assignment per role and show the result of each
foreach ($appRole in @($customSecAssignment, $customSecDefinition)) {
    $params = @{
        "PrincipalId" = $appServicePrincipal.Id
        "ResourceId" = $graphServicePrincipal.Id
        "AppRoleId" = $appRole.Id
    }
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appServicePrincipal.Id -BodyParameter $params |
        Format-List Id, AppRoleId, CreatedDateTime, PrincipalDisplayName, PrincipalId, PrincipalType, ResourceDisplayName
}
Additional Notes
• This script checks for the existence of the specified application and the Microsoft Graph service principal before attempting to assign roles. It ensures that the necessary permissions are properly assigned only if both entities are correctly identified in your Azure environment.
• The output will detail the result of each role assignment, helping you confirm that the necessary permissions are set up correctly.
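As an added verification step (example code written for this article, not part of the Teamflect script above), the following read-only script lists every Microsoft Graph application role currently held by the Teamflect service principal and flags any role beyond the two this article grants, so an administrator can confirm the integration holds no more permission than intended. It assumes the same display name, "Teamflect", and looks up Microsoft Graph by its well-known application id rather than by display name.

```powershell
# Added example: audit the Microsoft Graph application permissions held by the Teamflect service principal.
# Read-only: it creates and removes nothing, so only the Application.Read.All scope is requested.
$appDisplayName = "Teamflect"
$expectedRoles  = @("CustomSecAttributeAssignment.Read.All", "CustomSecAttributeDefinition.Read.All")
# appId of the first-party Microsoft Graph application (the same value in every tenant)
$graphAppId     = "00000003-0000-0000-c000-000000000000"

Connect-MgGraph -Scopes "Application.Read.All"

$appSp   = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
if (-not $appSp)   { Write-Host "Service principal '$appDisplayName' not found"; return }
if (-not $graphSp) { Write-Host "Microsoft Graph service principal not found"; return }

# Map each Graph app role id to its permission value, e.g. "CustomSecAttributeDefinition.Read.All"
$roleNames = @{}
foreach ($role in $graphSp.AppRoles) { $roleNames[[string]$role.Id] = $role.Value }

# Only the assignments on the Teamflect service principal whose resource is Microsoft Graph
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id -All |
    Where-Object { $_.ResourceId -eq $graphSp.Id }

$granted = @()
foreach ($a in $assignments) {
    $name = $roleNames[[string]$a.AppRoleId]
    if (-not $name) { $name = "<unknown role $($a.AppRoleId)>" }
    $granted += $name
    $status = if ($expectedRoles -contains $name) { "expected" } else { "UNEXPECTED" }
    Write-Host ("{0,-12} {1}  (assigned {2}, assignment id {3})" -f $status, $name, $a.CreatedDateTime, $a.Id)
}

# Report any role this article grants that has not been assigned yet
foreach ($r in $expectedRoles) {
    if ($granted -notcontains $r) { Write-Host ("{0,-12} {1}" -f "MISSING", $r) }
}
```

A line marked UNEXPECTED identifies a Microsoft Graph permission this article does not require; such an assignment can be removed with Remove-MgServicePrincipalAppRoleAssignment using the assignment id shown.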
Note: To learn more about how to manage custom Entra ID attributes in Teamflect, please visit this article here.
For any technical assistance, please contact your IT support or refer to the Microsoft Graph documentation for further details on permissions and SDK usage.