Commit 0bfbc65

command fixes
1 parent acd7812 commit 0bfbc65

1 file changed

+22
-1
lines changed

articles/virtual-network/create-peering-different-subscriptions-service-principal.md

Lines changed: 22 additions & 1 deletion
@@ -254,6 +254,27 @@ Create **spn1-peer-vnet** with a scope to the virtual network created in the pre
254254
1. The service principal must have **User.Read.All** permissions to the directory. Use [Get-AzureADApplication](/powershell/module/azuread/get-azureadapplication), [Set-AzureADApplication](/powershell/module/azuread/set-azureadapplication), and [New-AzureADUserAppRoleAssignment](/powershell/module/azuread/new-azureaduserapproleassignment) to add the Microsoft Graph permissions of **User.Read.all** to the service principal.
255255
256256
```azurepowershell
257+
$appId1 = Get-AzureADApplication -Filter "DisplayName eq 'spn-1-peer-vnet'" | Select-Object ObjectId
258+
259+
# Define the permission
260+
$apiPermission = New-Object -TypeName Microsoft.Open.AzureAD.Model.RequiredResourceAccess
261+
$apiPermission.ResourceAppId = "00000003-0000-0000-c000-000000000000"
262+
$resourceAccess = New-Object -TypeName Microsoft.Open.AzureAD.Model.ResourceAccess -Property @{ Id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"; Type = "Scope" }
263+
$apiPermission.ResourceAccess = $resourceAccess
264+
265+
# Get the application
266+
$app = Get-AzureADApplication -ObjectId $appid1.ObjectId
267+
268+
# Add the permission
269+
$app.RequiredResourceAccess.Add($apiPermission)
270+
271+
# Update the application
272+
Set-AzureADApplication -ObjectId $appid1.ObjectId -RequiredResourceAccess $app.RequiredResourceAccess
273+
274+
275+
276+
277+
257278
# Add permission
258279
259280
$apiPermission = New-Object -TypeName 'Microsoft.Open.AzureAD.Model.RequiredResourceAccess'
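Review bot: the new block at lines 257-272 asks for the wrong kind of permission and duplicates code that already follows it. The step text says the service principal needs **User.Read.All**, and line 311 later resolves that value from `$sp.AppRoles` (an application permission), yet the added `$resourceAccess` hard-codes `Id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"; Type = "Scope"`, which is a delegated permission with an unexplained GUID that nothing on the page ties to User.Read.All. Build the entry from the lookup instead, e.g. `@{ Id = $userReadPermission.Id; Type = "Role" }`, or drop the block entirely, because the unchanged `# Add permission` section starting at line 278 already constructs `$apiPermission` and adds it to the app, so this commit leaves two competing definitions. Two smaller points in the same hunk: the filter `DisplayName eq 'spn-1-peer-vnet'` does not match the name **spn1-peer-vnet** used by the section heading, so `$appId1` will be empty and `Get-AzureADApplication -ObjectId $appid1.ObjectId` on line 266 fails; and lines 273-277 add five trailing blank lines inside the code fence.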
@@ -290,7 +311,7 @@ Create **spn1-peer-vnet** with a scope to the virtual network created in the pre
290311
$userReadPermission = $sp.AppRoles | Where-Object {$_.Value -eq 'User.Read.All'}
291312
292313
# Grant the permission
293-
New-AzureADUserAppRoleAssignment -ObjectId $appid1 -PrincipalId $appid1 -ResourceId $sp.ObjectId -Id $userReadPermission.Id
314+
New-AzureADUserAppRoleAssignment -ObjectId $app -PrincipalId $app -ResourceId $sp.ObjectId -Id $userReadPermission.Id
294315
```
295316
296317
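Review bot: the replacement at line 314 passes `$app` to `-ObjectId` and `-PrincipalId`, but `$app` is the application object returned by `Get-AzureADApplication -ObjectId ...` earlier in this file, not an object ID string, so this swaps one bad argument (`$appid1`, a `Select-Object` result) for another. Both parameters expect the object ID of the principal that receives the app role, which is the service principal for the app, and the page never looks that up. Resolve it first, for example `$spn = Get-AzureADServicePrincipal -Filter "AppId eq '$($app.AppId)'"`, then pass `$spn.ObjectId` to both parameters. Since the principal here is a service principal rather than a user, `New-AzureADServiceAppRoleAssignment` is the cmdlet intended for this assignment; `New-AzureADUserAppRoleAssignment`, which the step text at line 254 also links, targets users.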
---
