Create Azure AD apps with one line of code

Create Azure AD apps with one line of code

Need to automate creating Azure AD applications? Look no further. It just got easier with CLI for Microsoft 365.

Before you begin: Azure AD

When you build apps on Microsoft 365, one of the very first things that you need is an Azure AD app. Azure AD app represents your app on the Microsoft cloud. In your Azure AD app you configure what kind of app it is (desktop or web app), how users can authenticate (or if your app is an automated process and doesn't require user context at all) and which permissions your app requires in Microsoft 365 to work.

Azure AD offers many settings to support the different scenarios and you can configure them through the Azure Portal. But what if you want to standardize your configuration and share it with your dev team, put it in your CI/CD pipe or give it to your customers?

Automating creating apps with Azure CLI

To automate creating resources on Azure, you can use Azure ARM templates. ARM templates support many types of resources on Azure, except Azure AD apps. To create Azure AD apps, you would need to write a script using Azure CLI.

Azure CLI has the az ad app create command that allows you to create Azure AD apps. Using this command you can configure some basic settings of the app such as if it's multi-tenant, what reply URLs and which API permissions it has. If you want to configure additional capabilities, such as expose APIs, you need to update the existing Azure AD app. To add a secret or a certificate, you would call another command. For some things, there are no commands available in Azure CLI and you would need to call the Microsoft Graph using the az rest command yourself.

Using Azure CLI you can create and configure Azure AD apps exactly to your needs. If you have a solid understanding of Azure AD and the different settings, you will appreciate the verbosity and flexibility of Azure CLI. But what if you're looking for an easier way of creating Azure AD apps?

Easily create Azure AD apps with CLI for Microsoft 365

Many developers have a basic understanding of Azure AD. Yet, everyone needs to create Azure AD apps in one shape or another. Especially if you build apps on Microsoft 365, there is no way around it. So to help you get started, in the preview version 3.5 of CLI for Microsoft 365, we introduced a new command that allows you to easily create Azure AD apps with just one line of code.

To create an Azure AD app for a deamon app with specified Microsoft Graph permissions, you'd execute:

m365 aad app add --name 'My AAD app' --withSecret --apisApplication ','

In comparison, with Azure CLI, you write a script similar to:

$appName = "My AAD app"

"Creating AAD app $appName..."
$app = az ad app create --display-name $appName --required-resource-accesses @app-manifest.json | ConvertFrom-Json

# wait for the AAD app to be created or the script will fail later on
"Waiting for the app to be fully provisioned..."
Start-Sleep -Seconds 10

# add current user as app owner
"Adding current user as app owner..."
$userId = az ad signed-in-user show --query objectId -o tsv
az ad app owner add --id $app.appId --owner-object-id $userId

$appSecret = az ad app credential reset --id $app.appId --credential-description "Default" | ConvertFrom-Json


And that's assuming that you know the exact JSON structure of the API permissions to configure on the app, which is something like:

    "resourceAppId": "00000003-0000-0000-c000-000000000000",
    "resourceAccess": [
        "id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d",
        "type": "Scope"

With the aad app add command from CLI for Microsoft 365 you can also create Azure AD apps for single-page apps:

m365 aad app add --name 'My AAD app' --platform spa --redirectUris ',http://localhost:8080' --apisDelegated ',' --implicitFlow

Or even more elaborate apps that expose an API with a custom scope:

m365 aad app add --name 'My AAD app' --uri api:// --scopeName access_as_user --scopeAdminConsentDescription 'Access as a user' --scopeAdminConsentDisplayName 'Access as a user' --scopeConsentBy adminsAndUsers

The aad app add command doesn't cover all scenarios at the moment. Initially, we focused on helping you to easily create Azure AD apps for most of the types of apps that you'd build on Microsoft 365.

Since we've just introduced this command in the v3.5 beta version of CLI for Microsoft 365, we'd love for you to give it a try and tell us what you think. Does it work? Do we miss something important? Is there anything that we should reconsider?

To see what's possible, see the command's docs. Looking forward to hear from you.


comments powered by Disqus