graph: support admin consent

src/command_modules/azure-cli-role/azure/cli/command_modules/role/_help.py

@@ -200,11 +200,17 @@
 """
 helps['ad app permission grant'] = """
     type: command
-    short-summary: Grant the app an API permission
+    short-summary: Grant the app an API Delegated permissions
+    long-summary: for Application permissions, please use "ad app permission admin-consent"
     examples:
         - name: Grant a native application with permissions to access an existing API with TTL of 2 years
           text: az ad app permission grant --id e042ec79-34cd-498f-9d9f-1234234 --api a0322f79-57df-498f-9d9f-12678 --expires 2
 """
+helps['ad app permission admin-consent'] = """
+    type: command
+    short-summary: grant Application & Delegated permissions through admin-consent.
+    long-summary: you must login as a directory administrator
+"""
 helps['ad app permission list'] = """
     type: command
     short-summary: List API permissions the application has requested

src/command_modules/azure-cli-role/azure/cli/command_modules/role/commands.py

@@ -146,6 +146,7 @@ def load_command_table(self, _):
         g.custom_command('permission add', 'add_permission')
         g.custom_command('permission delete', 'delete_permission')
         g.custom_command('permission list-grants', 'list_permission_grants')
+        g.custom_command('permission admin-consent', 'admin_consent')
         g.generic_update_command('update', setter_name='patch_application', setter_type=role_custom,
                                  getter_name='show_application', getter_type=role_custom,
                                  custom_func_name='update_application', custom_func_type=role_custom)

src/command_modules/azure-cli-role/azure/cli/command_modules/role/custom.py

@@ -807,6 +807,34 @@ def delete_permission(cmd, identifier, api):
     return graph_client.applications.patch(application.object_id, update_parameter)
 
 
+def admin_consent(cmd, identifier):
+    import requests
+    from azure.cli.core.cloud import AZURE_PUBLIC_CLOUD
+    from azure.cli.core._profile import Profile
+    from azure.cli.core.commands.client_factory import UA_AGENT
+    from azure.cli.core.util import should_disable_connection_verify
+    if cmd.cli_ctx.cloud.name != AZURE_PUBLIC_CLOUD.name:
+        raise CLIError('This command is not yet supported on sovereign clouds')
+    # we will leverage portal endpoints to get admin consent done
+    graph_client = _graph_client_factory(cmd.cli_ctx)
+    application = show_application(graph_client.applications, identifier)
+    url = 'https://main.iam.ad.ext.azure.com/api/RegisteredApplications/{}/Consent?onBehalfOfAll=true'.format(
+        application.app_id)
+    profile = Profile()
+
+    # the key is to get the access token to the portal resource:
+    access_token = profile.get_raw_token('74658136-14ec-4630-ad9b-26e160ff0fc6')
+    headers = {
+        'Authorization': "Bearer " + access_token[0][1],
+        'Accept-Encoding': 'gzip, deflate, br',
+        'x-ms-client-request-id': str(uuid.uuid4()),
+        'User-Agent': UA_AGENT
+    }
+    response = requests.post(url, headers=headers, verify=not should_disable_connection_verify())
+    if not response.ok:
+        raise CLIError(response.reason)
+
+
 def grant_application(cmd, identifier, api, consent_type=None, principal_id=None,
                       expires='1', scope='user_impersonation'):
     graph_client = _graph_client_factory(cmd.cli_ctx)