Add "Update-Application -permissions"

EmilienCourt · EmilienCourt · commit f0c53f0f12f6 · 2025-08-28T15:46:19.000+02:00
diff --git a/DFIR-O365RC/Manage-Applications.ps1 b/DFIR-O365RC/Manage-Applications.ps1
@@ -295,6 +295,9 @@ function Update-Application {
     PS C:\>$certificateb64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes("example.der"))
     PS C:\>Update-Application -certificateb64 $certificateb64 -organizations -subscriptions
     Update the application to add a certificate ("example.der") and access to Azure DevOps organizations and Azure Resource Manager subscriptions.
+    
+    PS C:\>Update-Application -permissions
+    Update the application to add required Entra ID permissions.
     #>
     
     param (
@@ -304,6 +307,8 @@ function Update-Application {
         [Switch]$subscriptions,
         [Parameter(Mandatory = $false)]
         [Switch]$organizations,
+        [Parameter(Mandatory = $false)]
+        [Switch]$permissions,
         [String]$logFile = "Update-Application.log"
     )
 
@@ -368,6 +373,13 @@ function Update-Application {
                     if ($organizations){
                         Add-OrganizationPermissions -servicePrincipalId $alreadyExistingServicePrincipalCheck.Id -logFile $logFile
                     }
+                    if ($permissions){
+                        $graphRequiredAccess = Get-EntraIDPermissions -logFile $logFile
+                        Write-Host "Updating permissions for $applicationName"
+                        "Updating permissions for $applicationName" | Write-Log -LogPath $logFile
+                        Update-MgApplication -ApplicationId $alreadyExistingAppCheck.Id -RequiredResourceAccess $graphRequiredAccess
+                        Wait-AdminConsent -appId $alreadyExistingAppCheck.AppId -servicePrincipalId $alreadyExistingServicePrincipalCheck.Id -logFile $logFile
+                    }
                 }
             }
         }
diff --git a/README.md b/README.md
@@ -183,6 +183,10 @@ Once the application is created, you can still, using the `Update-Application` c
 
   `Update-Application -organizations`
 
+- You can update the permissions of the application, which is especially useful if you have an old application and the permissions have been updated since you created it:
+
+  `Update-Application -permissions`
+
 ### Removing the application
 
 Once you are done with the log collection you can delete the application using the `Remove-Application` cmdlet from the module.

Original file line number	Diff line number	Diff line change
`@@ -295,6 +295,9 @@ function Update-Application {`
`295`	`295`	`PS C:\>$certificateb64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes("example.der"))`
`296`	`296`	`PS C:\>Update-Application -certificateb64 $certificateb64 -organizations -subscriptions`
`297`	`297`	`Update the application to add a certificate ("example.der") and access to Azure DevOps organizations and Azure Resource Manager subscriptions.`
	`298`	`+`
	`299`	`+ PS C:\>Update-Application -permissions`
	`300`	`+ Update the application to add required Entra ID permissions.`
`298`	`301`	`#>`
`299`	`302`
`300`	`303`	`param (`
`@@ -304,6 +307,8 @@ function Update-Application {`
`304`	`307`	`[Switch]$subscriptions,`
`305`	`308`	`[Parameter(Mandatory = $false)]`
`306`	`309`	`[Switch]$organizations,`
	`310`	`+ [Parameter(Mandatory = $false)]`
	`311`	`+ [Switch]$permissions,`
`307`	`312`	`[String]$logFile = "Update-Application.log"`
`308`	`313`	`)`
`309`	`314`
`@@ -368,6 +373,13 @@ function Update-Application {`
`368`	`373`	`if ($organizations){`
`369`	`374`	`Add-OrganizationPermissions -servicePrincipalId $alreadyExistingServicePrincipalCheck.Id -logFile $logFile`
`370`	`375`	`}`
	`376`	`+ if ($permissions){`
	`377`	`+ $graphRequiredAccess = Get-EntraIDPermissions -logFile $logFile`
	`378`	`+ Write-Host "Updating permissions for $applicationName"`
	`379`	`+ "Updating permissions for $applicationName" \| Write-Log -LogPath $logFile`
	`380`	`+ Update-MgApplication -ApplicationId $alreadyExistingAppCheck.Id -RequiredResourceAccess $graphRequiredAccess`
	`381`	`+ Wait-AdminConsent -appId $alreadyExistingAppCheck.AppId -servicePrincipalId $alreadyExistingServicePrincipalCheck.Id -logFile $logFile`
	`382`	`+ }`
`371`	`383`	`}`
`372`	`384`	`}`
`373`	`385`	`}`