The scanning of Microsoft Teams messages requires registering a Custom OAuth model application in the Azure account. This KB provides the PowerShell script used in Step 1 – Enable OAuth of the Microsoft Teams Remediation Options tech doc.
Please download the azure_ad_app_creation.ps1 script or copy the following code and save it as a .ps1 file.
<#
.SYNOPSIS
Registers the Azure AD application used to scan Microsoft Teams messages.

.DESCRIPTION
Connects to Microsoft Graph, skips creation if an application with the same display name
already exists, uploads the supplied PEM certificate as the application's key credential and
requests the Microsoft Graph application permissions (Type "Role") the integration needs.
A service principal is created for the new application. Admin consent still has to be
granted afterwards for the permissions to take effect.

.PARAMETER CertPemPath
Path to the certificate in PEM format. The file should contain the certificate only; the
script strips the PEM header/footer lines and uploads the decoded DER bytes.

.PARAMETER CertThumbprint
Certificate thumbprint as a Base64 string. The script decodes it with
[Convert]::FromBase64String, so a hex-formatted thumbprint is not what is expected here
(a 40-character hex string still decodes, but to the wrong bytes).

.PARAMETER AppName
Display name of the application. Defaults to "CSOC - Office 365 Teams Application".
#>
param (
[Parameter(Mandatory=$true)]
[string]$CertPemPath,
[Parameter(Mandatory=$true)]
[string]$CertThumbprint,
[string]$AppName = "CSOC - Office 365 Teams Application"
)
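# Connect to Microsoft Graph unless a session that already carries the scopes this script needs exists.
# An existing context alone is not enough: a session opened earlier with narrower scopes would make the
# application cmdlets below fail later with an authorization error, so re-connect in that case as well.
# NOTE(review): AppRoleAssignment.ReadWrite.All is not exercised by the visible code; keep it only if a
# later step of the tech doc relies on this session, otherwise drop it for least privilege — confirm.
$requiredScopes = @("Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All")
$graphContext = Get-MgContext
$missingScopes = @()
if ($graphContext) {
  $missingScopes = @($requiredScopes | Where-Object { $graphContext.Scopes -notcontains $_ })
}
if (-not $graphContext -or $missingScopes.Count -gt 0) {
  Connect-MgGraph -Scopes $requiredScopes
}
# A cancelled or failed sign-in may not raise a terminating error, so check that a context exists now
# instead of letting the first Graph call fail with a less obvious message.
if (-not (Get-MgContext)) {
  Write-Output "Error: could not connect to Microsoft Graph with the required scopes."
  Exit 1
}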
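# Fail early if the PEM path is missing or is not a regular file. Test-Path on its own also accepts a
# directory, which would only surface later as a Get-Content error; -PathType Leaf rejects it here.
# -LiteralPath keeps wildcard characters in the path from being interpreted.
if (-not (Test-Path -LiteralPath $CertPemPath -PathType Leaf)) {
  Write-Output "Error: File at path '$CertPemPath' does not exist or is not a file."
  Exit 1
}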
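# Check if an application with the specified name already exists.
# The display name is interpolated into an OData filter string: a single quote in the name would
# otherwise break the query (or change what it matches), so double it as OData requires.
$escapedAppName = $AppName -replace "'", "''"
$app = Get-MgApplication -Filter "displayName eq '$escapedAppName'" -ConsistencyLevel eventual -CountVariable count
if ($count -gt 0) {
  Write-Output "An application with the name '$AppName' already exists. Skipping app creation."
  return
}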
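# Function to extract the certificate from a PEM file and return it as Base64-encoded DER.
#   $pemFilePath - path to the PEM file
# Returns the Base64 text of the DER-encoded certificate.
# Throws if the file holds no CERTIFICATE block or if that block is not valid Base64.
function ConvertPemToBase64Der {
  param (
    [string]$pemFilePath
  )
  # Select the CERTIFICATE section explicitly. Merely dropping every "-----...-----" line would also
  # pull in any other block stored in the same file (for example a PRIVATE KEY), yielding a blob that
  # is not a certificate and may carry key material into the upload.
  $pemText = Get-Content -LiteralPath $pemFilePath -Raw
  $certMatch = [regex]::Match($pemText, '(?s)-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----')
  if (-not $certMatch.Success) {
    throw "File at path '$pemFilePath' does not contain a '-----BEGIN CERTIFICATE-----' block."
  }
  # Remove line breaks and other whitespace so the body is one contiguous Base64 string
  $base64Body = $certMatch.Groups[1].Value -replace '\s', ''
  # Decode and re-encode: this validates the Base64 and normalizes the returned text
  $derBytes = [Convert]::FromBase64String($base64Body)
  return [Convert]::ToBase64String($derBytes)
}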
# Base64-encoded DER of the certificate at $CertPemPath (the value uploaded as the app's key credential)
$CertBase64 = ConvertPemToBase64Der $CertPemPath
# Define the Microsoft Graph permissions the application requests. Every entry is Type "Role", i.e. an
# application permission (no delegated scopes are requested), so they only become effective once an
# administrator grants consent.
$graphResourceAppId = "00000003-0000-0000-c000-000000000000"   # well-known AppId of Microsoft Graph
# Permission name => app role Id. The names are documentation only; Graph receives the Ids.
# NOTE(review): the last entry is requested as a Role (application) permission under the name
# InformationProtectionPolicy.Read; confirm the Id is the application-permission variant intended.
$graphAppRoleIds = [ordered]@{
  "Chat.UpdatePolicyViolation.All"           = "7e847308-e030-4183-9899-5235d7270f58"
  "ChannelMessage.UpdatePolicyViolation.All" = "4d02b0cc-d90b-441f-8d82-4fb55c34d6bb"
  "Chat.Read.All"                            = "6b7d71aa-70aa-4810-a8d9-5d9fb2830017"
  "ChannelMessage.Read.All"                  = "7b2449af-6ccd-4f4d-9f78-e550c193f0d1"
  "InformationProtectionPolicy.Read"         = "19da66cb-0fb0-4390-b071-ebc76a349482"
}
$requiredPermissions = @(
  @{
    ResourceAppId = $graphResourceAppId
    ResourceAccess = @(
      foreach ($roleId in $graphAppRoleIds.Values) {
        @{ Id = $roleId; Type = "Role" }
      }
    )
  }
)
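# Build the certificate key credential for the application. Key carries the DER certificate bytes and
# CustomKeyIdentifier the thumbprint bytes, which this script takes as a Base64 string in $CertThumbprint.
$keyBytes = [Convert]::FromBase64String($CertBase64)
try {
  # Parse the certificate before uploading it so a payload that is not an X.509 certificate is reported
  # here with a clear message instead of as an opaque Graph error on New-MgApplication.
  $parsedCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($keyBytes)
} catch {
  Write-Output "Error: the content of '$CertPemPath' is not a valid X.509 certificate: $_"
  Exit 1
}
try {
  $thumbprintBytes = [System.Convert]::FromBase64String($CertThumbprint)
} catch {
  Write-Output "Error: CertThumbprint must be the Base64 encoding of the certificate thumbprint: $_"
  Exit 1
}
# The value is passed through as given, so a mismatch is reported as a warning rather than an error; it
# usually means a hex thumbprint or the thumbprint of a different certificate was supplied.
if ([Convert]::ToBase64String($parsedCert.GetCertHash()) -ne [Convert]::ToBase64String($thumbprintBytes)) {
  Write-Warning "CertThumbprint does not match the SHA-1 thumbprint of the certificate in '$CertPemPath'."
}
$keyCredentials = @(
  @{
    CustomKeyIdentifier = $thumbprintBytes
    KeyId = [Guid]::NewGuid().ToString()
    Type = "AsymmetricX509Cert"
    Usage = "Verify"
    Key = $keyBytes
    DisplayName = "AppCertificate"
  }
)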
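# Create the Azure AD application with the specified permissions and key credential.
# -ErrorAction Stop turns a Graph failure into a catchable exception; without it the cmdlet only emits a
# non-terminating error and the failure reason would be lost behind a bare "$null" check.
try {
  $app = New-MgApplication -DisplayName $AppName -RequiredResourceAccess $requiredPermissions -KeyCredentials $keyCredentials -ErrorAction Stop
} catch {
  Write-Output "Could not able to create Azure AD app '$AppName': $_"
  Exit 1
}
if ($null -eq $app) {
  Write-Output "Could not able to create Azure AD app '$AppName'"
  Exit 1
}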
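# Create a Service Principal for the application. Its failure was previously unchecked, so the script
# would still print "created successfully" with no service principal in place.
try {
  $sp = New-MgServicePrincipal -AppId $app.AppId -ErrorAction Stop
} catch {
  Write-Output "Error: application '$($app.AppId)' was created, but its service principal could not be created: $_"
  Exit 1
}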
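# Output app details for the administrator who will grant consent
Write-Output "Azure AD Application created successfully!"
Write-Output "----------------------------------------"
Write-Output "Application ID : $($app.AppId)"
Write-Output "Display Name : $($app.DisplayName)"
Write-Output "Redirect URIs : $($app.Web.RedirectUris -join ', ')"
Write-Output "Permissions :"
foreach ($perm in $requiredPermissions) {
  # One lookup per resource yields both its display name and its permission definitions, so each
  # requested permission can be printed with a readable name next to its GUID for review.
  $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$($perm.ResourceAppId)'"
  $resourceName = $resourceSp.DisplayName
  Write-Output " Resource: $resourceName"
  foreach ($access in $perm.ResourceAccess) {
    $permType = $access.Type
    # "Role" entries are application permissions (AppRoles); anything else is a delegated scope
    if ($permType -eq "Role") {
      $permName = ($resourceSp.AppRoles | Where-Object { $_.Id -eq $access.Id } | Select-Object -First 1).Value
    } else {
      $permName = ($resourceSp.Oauth2PermissionScopes | Where-Object { $_.Id -eq $access.Id } | Select-Object -First 1).Value
    }
    if (-not $permName) { $permName = "(unknown)" }
    Write-Output " - Type: $permType, Name: $permName, ID: $($access.Id)"
  }
}
Write-Output "----------------------------------------"
Write-Output "Admin consent is required to enable permissions."
Write-Output "Grant it from the application's API permissions page, or with the admin consent endpoint:"
Write-Output "https://login.microsoftonline.com/$((Get-MgContext).TenantId)/adminconsent?client_id=$($app.AppId)"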
For additional information, please refer to the Activate the O365 Securlet tech doc.