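# Claude-MSP-Access - Update App Registration with Combined CIPP + Investigation Permissions
# App ID: fabb3421-8b34-484b-bc17-e46de9703418
# Partner Tenant: ce61461e-81a0-4c84-bb4a-7b354a9a356d
#
# This script updates the app registration to include:
# - All CIPP SAM required permissions (Graph, Exchange, SharePoint, Intune, PowerBI, Partner Center)
# - Claude investigation extras (Mail.ReadWrite, SecurityEvents.ReadWrite.All, etc.)
#
# After running this, the admin consent URL will grant everything in one click.
#
# Usage:
#   .\<this-script>.ps1           # apply claude-msp-combined-manifest.json to the app
#   .\<this-script>.ps1 -WhatIf   # print the permission delta, change nothing
#
# Requires Microsoft.Graph.Authentication and Microsoft.Graph.Applications, and a
# signed-in account that can be granted Application.ReadWrite.All in the partner
# tenant. The manifest must live next to this script.
#
# The manifest REPLACES requiredResourceAccess wholesale (Update-MgApplication does
# not merge), so the added/removed lines printed in STEP 3 are the review gate:
# anything not in the manifest is dropped from the app.
[CmdletBinding(SupportsShouldProcess)]
param()

$ErrorActionPreference = "Stop"

$tenantId = "ce61461e-81a0-4c84-bb4a-7b354a9a356d"
$appId = "fabb3421-8b34-484b-bc17-e46de9703418"
# Reply URL that the consent link below sends the admin back to; it has to be one
# registered on the app, which STEP 6 checks.
$redirectUri = "https://login.microsoftonline.com/common/oauth2/nativeclient"
$manifestPath = Join-Path $PSScriptRoot "claude-msp-combined-manifest.json"

# Flattens a requiredResourceAccess collection into one "resourceAppId|permissionId|type"
# string per permission so two collections can be counted and diffed.
# Works for both the Graph SDK objects (PascalCase) and the manifest JSON (camelCase)
# because PowerShell property lookup is case-insensitive.
#   -RequiredResourceAccess : array of resources, each with ResourceAppId/ResourceAccess
# Emits zero strings for a null or empty input.
function Get-PermissionKey {
  param([object[]]$RequiredResourceAccess)
  foreach ($resource in @($RequiredResourceAccess)) {
    if ($null -eq $resource) { continue }
    foreach ($access in @($resource.ResourceAccess)) {
      if ($null -eq $access) { continue }
      "$($resource.ResourceAppId)|$($access.Id)|$($access.Type)"
    }
  }
}

Write-Output "========================================="
Write-Output " Claude-MSP-Access - Permission Update"
Write-Output " $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
Write-Output "========================================="

# --- STEP 1: Connect to Graph ---
Write-Output "`n[STEP 1] Connecting to Microsoft Graph..."
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Applications
# Application.ReadWrite.All is the only delegated scope this script needs; keep it that narrow.
Connect-MgGraph -TenantId $tenantId -Scopes 'Application.ReadWrite.All' -NoWelcome
Write-Output "[OK] Connected to Graph"

try {
  # --- STEP 2: Get current app registration ---
  Write-Output "`n[STEP 2] Reading current app registration..."
  $found = @(Get-MgApplication -Filter "appId eq '$appId'")
  if ($found.Count -eq 0) {
    Write-Output "[ERROR] App not found: $appId"
    exit 1
  }
  if ($found.Count -gt 1) {
    # A filter on appId should be unique; refuse to pick one rather than update the wrong object.
    Write-Output "[ERROR] appId $appId matched $($found.Count) applications; refusing to guess"
    exit 1
  }
  $app = $found[0]
  Write-Output "[OK] Found: $($app.DisplayName) (Object ID: $($app.Id))"

  $currentKeys = @(Get-PermissionKey $app.RequiredResourceAccess)
  Write-Output "[INFO] Current permission count: $($currentKeys.Count)"

  # --- STEP 3: Load combined manifest ---
  Write-Output "`n[STEP 3] Loading combined permission manifest..."
  if (-not (Test-Path -LiteralPath $manifestPath -PathType Leaf)) {
    Write-Output "[ERROR] Manifest not found: $manifestPath"
    exit 1
  }
  $manifest = Get-Content -LiteralPath $manifestPath -Raw | ConvertFrom-Json
  if (-not $manifest.requiredResourceAccess) {
    # An empty manifest would strip every permission from the app; stop instead.
    Write-Output "[ERROR] Manifest has no requiredResourceAccess entries: $manifestPath"
    exit 1
  }

  # Build the requiredResourceAccess array for Update-MgApplication.
  # Validate ids up front: a malformed GUID or unknown type would otherwise be sent to
  # Graph as-is, and a rejected update leaves the operator reading a Graph error instead
  # of the offending manifest line.
  $resourceAccess = @(
    foreach ($resource in $manifest.requiredResourceAccess) {
      if (-not ($resource.resourceAppId -as [guid])) {
        throw "Manifest entry has invalid resourceAppId '$($resource.resourceAppId)'"
      }
      $accessList = @(
        foreach ($access in $resource.resourceAccess) {
          if (-not ($access.id -as [guid])) {
            throw "Manifest entry for $($resource.resourceAppId) has invalid permission id '$($access.id)'"
          }
          if ($access.type -notin @('Role', 'Scope')) {
            throw "Manifest entry $($resource.resourceAppId)/$($access.id) has invalid type '$($access.type)' (expected Role or Scope)"
          }
          @{ Id = $access.id; Type = $access.type }
        }
      )
      @{ ResourceAppId = $resource.resourceAppId; ResourceAccess = $accessList }
    }
  )

  $newKeys = @(Get-PermissionKey $manifest.requiredResourceAccess)
  Write-Output "[INFO] New permission count: $($newKeys.Count)"

  # Print the exact delta so the change is reviewable before consent is granted anywhere.
  $added = @($newKeys | Where-Object { $_ -notin $currentKeys })
  $removed = @($currentKeys | Where-Object { $_ -notin $newKeys })
  Write-Output "[INFO] Permissions to add: $($added.Count), to remove: $($removed.Count)"
  foreach ($key in $added) { Write-Output "  + $key" }
  foreach ($key in $removed) { Write-Output "  - $key" }

  # --- STEP 4: Update app registration ---
  Write-Output "`n[STEP 4] Updating app registration..."
  $target = "$($app.DisplayName) ($($app.Id))"
  $action = "Replace requiredResourceAccess with $($newKeys.Count) permissions"
  if ($PSCmdlet.ShouldProcess($target, $action)) {
    Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess $resourceAccess
    Write-Output "[OK] App registration updated with combined permissions"

    # --- STEP 5: Verify ---
    Write-Output "`n[STEP 5] Verifying update..."
    $updated = Get-MgApplication -ApplicationId $app.Id
    $updatedKeys = @(Get-PermissionKey $updated.RequiredResourceAccess)
    Write-Output "[OK] Verified: $($updatedKeys.Count) permissions across $($updated.RequiredResourceAccess.Count) resource APIs"
    # Compare content, not just counts: the consent URL below claims "ALL permissions",
    # which is only true if every manifest entry actually landed on the app.
    $missing = @($newKeys | Where-Object { $_ -notin $updatedKeys })
    if ($missing.Count -gt 0) {
      Write-Output "[ERROR] $($missing.Count) manifest permissions are not present on the app after update:"
      foreach ($key in $missing) { Write-Output "  ! $key" }
      exit 1
    }
  } else {
    Write-Output "[SKIP] Update not applied; the app registration is unchanged"
  }

  # --- STEP 6: Show admin consent URL ---
  Write-Output "`n[STEP 6] Admin consent URL (use this to onboard tenants):"
  Write-Output ""
  Write-Output " https://login.microsoftonline.com/common/adminconsent?client_id=$appId&redirect_uri=$redirectUri"
  Write-Output ""
  # The consent endpoint only redirects to a reply URL registered on the app; warn now
  # rather than letting the first onboarding attempt fail.
  $registeredRedirects = @($app.PublicClient.RedirectUris) + @($app.Web.RedirectUris)
  if ($redirectUri -notin $registeredRedirects) {
    Write-Output "[WARN] $redirectUri is not a registered redirect URI on this app; add it before sharing the consent URL"
  }
  Write-Output "[INFO] This single URL now grants ALL permissions:"
  Write-Output " - Microsoft Graph (application + delegated)"
  Write-Output " - Exchange Online (ManageAsApp + Calendars + Mailbox)"
  Write-Output " - SharePoint Online (FullControl)"
  Write-Output " - Intune (user_impersonation)"
  Write-Output " - PowerBI (Vulnerability.Read)"
  Write-Output " - Partner Center (user_impersonation)"
  Write-Output " - Office Management API (ActivityFeed.Read)"
  Write-Output " - Claude investigation extras (Mail.ReadWrite, SecurityEvents.ReadWrite.All)"

  Write-Output "`n========================================="
  Write-Output " UPDATE COMPLETE"
  Write-Output " $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
  Write-Output "========================================="
} finally {
  # Always drop the Graph session, including on the exit 1 paths above.
  Disconnect-MgGraph
}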