Azure AD App Registration Branding Logo - Programatic upload

When you register a new application in Azure AD, especially those that will be used to login users or gather additional permissions, the branding section, specifically the Logo of the App is often overlooked.

But what is the logo, where does it even show up?

First, and most importantly, it is displayed when the users need to consent to using your application when they first log-in:

Consent view

You can easily update this from the Azure Portal, by uploading a new logo, but sometimes you want to automate this process and be able to programmatically update the logo as you create your application.

Upload from Azure Portal

In this article, I will use PowerShell to demonstrate the process (but you can easily replicate this using your scripting language of choice). All you need is az cli installed as it used for obtaining the auth token needed for the REST calls.

Script:

1
2
3
4
5
6
7
8
9
10
11
12
$appId = "<REPLACE WITH YOUR APP ID (OBJECT ID)>"
$token=(az account get-access-token --resource "https://graph.microsoft.com" --query accessToken --output tsv)

$logoWeb = Invoke-WebRequest "https://alexdrenea.com/images/logo.png"
$logoContentType = $logoWeb.Headers["Content-Type"]
$logoContent = $logoWeb.Content

Invoke-RestMethod `
-Uri "https://graph.microsoft.com/v1.0/applications/$appId/logo" `
-Method "PUT" `
-Header @{"Authorization"="Bearer $token";"Content-Type"="$logoContentType";} `
-Body $logoContent

The script above is relatively self-explanatory,

  1. Obtain an access token from the az instance - you must be authenticated to az cli
  2. Load the bytes of the logo in memory. In my case, I used a URL to download my logo which had the added bonus of exposing the Content-Type as well. (You can read the file from the local disk as well, see below script, but you either need to hardcode the ContentType or determine it based on the file extension).
  3. Use the Microsoft Graph API to upload the logo in place for our app (not the $appId parameter, make sure you initialize that with the correct id of your app - it should be either the .id property if you read the app properties programmatically, or the “Object Id” if you obtain the id from the Azure Portal.
1
2
$logoBytesLocal = Get-Content ..\logo-red.png -Raw -Encoding Byte 
#-Encoding Byte is essential, as we want to read the file as a byte array

If the above script looks odd and un-necessarily complicated, it’s because it is.

In general, most actions can be performed using built-in az cli commands, however, uploading the logo is not part of the az ad app command set (link) as of version 2.42 of the cli.

When that fails, the next step is to find the relevant Microsoft Graph API call that can be used to perform the operation. In our case the documentation for the AD application is lacking proper notes and examples related to updating the logo. What’s worse, the docs are misleading and stating that you can PATCH the app and set the logo in the request body with content-type=application/json which is impossible. The Graph API explorer does not help either as it does not show a way to upload the logo.

As a last resort, by inspecting the traffic on the Azure Portal when you upload a logo, I discovered that the logo update is actually a PUT method on the /application/{id}/logo endpoint.

With that info, the logical step is to use the built in az rest command to make the call to the Graph endpoint, however, at leat in powershell that command fails with a cryptic error: “The command line is too long.”

1
az rest --method PUT --uri "https://graph.microsoft.com/v1.0/applications/$appId/logo" --headers 'Content-Type=image/png' --body $logoBytesLocal`

There are now tickets open for both the Graph API documentation and the az rest command and hopefully it will soon be easier to upload a logo to your App Registration but until then, hopefully the script from this article can help you with this task.

Share Comments