How to Set Azure App scope after creating the new App using Azure CLI


I am trying to create an app and then create a scope for it. I am able to create the app, but I am unable to create the scope. I already tried to search for a solution; I found this link, but it seems to be outdated.

Here is the script for creating the app:

$appId = az ad app create --display-name "webapp - dev" --sign-in-audience "AzureADMyOrg" --required-resource-accesses "./appregistration/script.json" --query appId -o tsv

I have a file called permissions.json for the scope.

[
    {
        "adminConsentDescription": "Allow the app to access Api endpoints",
        "adminConsentDisplayName": "webApi",
        "id": null,
        "isEnabled": true,
        "type": "Admin",
        "userConsentDescription": null,
        "userConsentDisplayName": null,
        "value": "webApi"
    }
]

I am trying to read the data from this file and create a scope. Here's the script for that.

# Load the scope definitions from permissions.json
$json = Get-Content './appregistration/permissions.json' | Out-String | ConvertFrom-Json

# Give every scope a fresh GUID (the file has "id": null)
foreach ($element in $json) {
    $element.id = [guid]::NewGuid()
}

# Wrap the scopes in the api.oauth2PermissionScopes structure and send it with --set
$apiScopeJson = @{ oauth2PermissionScopes = $json }
az ad app update --id $appId --set api=$apiScopeJson

I am getting this error message.

Property api in payload has a value that does not match schema.


I used similar code by @A2AdminGuy from the same link you mentioned in the question and was able to add a new scope to the application successfully:

# Create the app and capture its application (client) ID
$AppId = az ad app create --display-name "webapp - dev" --sign-in-audience "AzureADMyOrg" --query appId -o tsv

# Give the directory time to replicate the new object before updating it
Start-Sleep -Seconds 60

# Build a single scope definition with a fresh GUID
$scopeGUID = [guid]::NewGuid()
$permission = @{
    adminConsentDescription = "Allow the app to access Api endpoints"
    adminConsentDisplayName = "webApi"
    id                      = "$scopeGUID"
    isEnabled               = $true
    type                    = "Admin"
    userConsentDescription  = $null   # real null, not the string "null"
    userConsentDisplayName  = $null
    value                   = "webApi"
}

# Graph's /applications/{id} endpoint takes the object ID, not the appId
$AppObjId = (az ad app show --id $AppId | ConvertFrom-Json).id

# An identifier URI must exist before scopes can be exposed
az ad app update --id $AppObjId --identifier-uris "api://$AppId" | Out-Null

# Acquire a Graph token and PATCH the api.oauth2PermissionScopes collection directly
$accesstoken = (Get-AzAccessToken -Resource "https://graph.microsoft.com/").Token
$header = @{
    'Content-Type'  = 'application/json'
    'Authorization' = 'Bearer ' + $accesstoken
}
$bodyaccess = @{
    'api' = @{
        'oauth2PermissionScopes' = @($permission)
    }
} | ConvertTo-Json -Depth 3

Invoke-RestMethod -Method Patch -Headers $header -Uri "https://graph.microsoft.com/v1.0/applications/$AppObjId" -Body $bodyaccess

PowerShell Output:

[screenshot of the PowerShell output in the original answer]

When I checked the same in the Portal, the new application had been created with the new scope as below:

[screenshot of the application's "Expose an API" scope in the Azure portal]
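The question's error comes from passing a PowerShell hashtable to `--set api=...`: the CLI receives the string "System.Collections.Hashtable", which does not match the Graph schema. The answer fixes that by PATCHing the Graph application object directly. The script below is an added example, not code from the question or the answer: it reads the same permissions.json from the question, assigns GUIDs only to entries that lack one, merges with the scopes already on the app (a PATCH replaces the whole oauth2PermissionScopes collection, so a bare PATCH with a freshly generated GUID would silently replace whatever scopes were there), sends the payload through `az rest` so no separate token handling is needed, and reads the app back to verify. The function names `Get-AppScopes` and `Add-AppScopesFromFile` and the parameter names are assumptions; it assumes PowerShell 7, Azure CLI 2.37 or later, and a signed-in identity allowed to update the application.

```powershell
# Added example (not from the question or answer). Assumes PowerShell 7 and az CLI >= 2.37,
# signed in with rights to update the application. Function and parameter names are hypothetical.

function Get-AppScopes {
    # Read the application's identifier URIs and exposed scopes through Graph.
    # `az rest` acquires a token for the graph.microsoft.com audience by itself.
    param([Parameter(Mandatory)][string]$AppObjectId)
    $url = "https://graph.microsoft.com/v1.0/applications/$AppObjectId" + '?$select=id,identifierUris,api'
    return (az rest --method GET --url $url | ConvertFrom-Json)
}

function Add-AppScopesFromFile {
    param(
        [Parameter(Mandatory)][string]$AppId,            # application (client) ID from `az ad app create`
        [Parameter(Mandatory)][string]$PermissionsPath   # e.g. ./appregistration/permissions.json
    )
    # Graph's /applications/{id} endpoint wants the object ID, not the appId.
    $AppObjectId = (az ad app show --id $AppId | ConvertFrom-Json).id

    $current  = Get-AppScopes -AppObjectId $AppObjectId
    $existing = @($current.api.oauth2PermissionScopes | Where-Object { $null -ne $_ })

    # An identifier URI must exist before Graph accepts exposed scopes.
    if (-not $current.identifierUris) {
        az ad app update --id $AppObjectId --identifier-uris "api://$AppId" | Out-Null
    }

    $wanted = @(Get-Content $PermissionsPath -Raw | ConvertFrom-Json)
    $merged = [System.Collections.Generic.List[object]]::new()
    foreach ($s in $existing) { $merged.Add($s) }

    foreach ($scope in $wanted) {
        # A scope is identified by its 'value'. Keep the existing GUID if the scope is already
        # there: PATCH replaces the entire collection, and a new GUID would create a new scope.
        $match = $existing | Where-Object { $_.value -eq $scope.value }
        if ($match) {
            Write-Verbose "Scope '$($scope.value)' already exists with id $($match.id); skipping."
            continue
        }
        if (-not $scope.id) { $scope.id = [guid]::NewGuid().ToString() }
        $merged.Add($scope)
    }

    # Serialise the nested object with enough depth. Passing a hashtable straight to
    # `az ad app update --set api=$x` sends the string "System.Collections.Hashtable".
    $body = @{ api = @{ oauth2PermissionScopes = @($merged) } } | ConvertTo-Json -Depth 5
    $tmp  = New-TemporaryFile
    Set-Content -Path $tmp.FullName -Value $body -Encoding utf8
    try {
        az rest --method PATCH `
            --url "https://graph.microsoft.com/v1.0/applications/$AppObjectId" `
            --headers "Content-Type=application/json" `
            --body "@$($tmp.FullName)" | Out-Null
    } finally {
        Remove-Item $tmp.FullName -ErrorAction SilentlyContinue
    }

    # Read back and verify instead of trusting the exit code.
    $after = @((Get-AppScopes -AppObjectId $AppObjectId).api.oauth2PermissionScopes)
    foreach ($scope in $wanted) {
        $found = $after | Where-Object { $_.value -eq $scope.value }
        if (-not $found) { throw "Scope '$($scope.value)' is not present after the update." }
        if ($found.type -ne 'Admin') {
            # 'User' scopes can be consented to by any user; flag them so the change is deliberate.
            Write-Warning "Scope '$($scope.value)' is user-consentable (type=$($found.type))."
        }
    }
    return $after
}

# Usage:
# $appId = az ad app create --display-name "webapp - dev" --sign-in-audience AzureADMyOrg --query appId -o tsv
# Add-AppScopesFromFile -AppId $appId -PermissionsPath './appregistration/permissions.json' -Verbose
```

This only adds scopes; it never removes one. Graph rejects a PATCH that drops a scope that is still enabled, so removing a scope is a two-step change (set `isEnabled` to false, then PATCH the collection without it), which is a separate procedure from the one in this thread.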