stackoom
  简体   繁体   中英

Is it possible to add Microsoft Graph delegated permissions to Azure AD app via Powershell?

 原文  2022-04-12 00:07:39       azure-active-directory/ azure-powershell

Question

I registered an application in Azure AD from PowerShell using the below script.

//To create new application
$myapp = New-AzureADApplication -DisplayName  MyApp 
$myappId=$myapp.AppId

//To set ApplicationID URI
Set-AzureADApplication -ApplicationId $myappId -IdentifierUris "api://$myappId"


//To retrieve details of new application
Get-AzureADApplication -Filter "DisplayName eq $myapp"

Now I want to set delegated API permissions(Calendars.Read, Application.Read.All, Directory.Read.All) for this app.

From Azure Portal, I know how to assign these. But is it possible to add these permissions via PowerShell? If yes, can anyone help me with the script or cmdlets?

Any help will be appreciated. Thank you.

1 answers

solution1
 1 ACCPTED  2022-04-12 02:19:15

Yes, it's possible to set delegated API permissions via PowerShell

Initially, please note AppID of new application that can be retrieved by below cmdlet:

Get-AzureADApplication -Filter "DisplayName eq $myapp"

Check whether you have Service Principal named " Microsoft Graph " using below cmdlet:

Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }

In order to assign API permissions via PowerShell, you should know the GUIDs of those delegated permissions that can be displayed using below cmdlet:

$MSGraph.Oauth2Permissions | FT ID, Value

Note the IDs of required permissions like Calendars.Read, Application.Read.All and Directory.Read.All

Please find the complete script below:

$myapp = New-AzureADApplication -DisplayName  MyApp 
$myappId=$myapp.ObjectId
 
Get-AzureADApplication -Filter "DisplayName eq 'MyApp'"
$MSGraph = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }
$MSGraph.Oauth2Permissions | FT ID, Value

# Create a Resource Access resource object and assign the service principal’s App ID to it.
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = $MSGraph.AppId

# Create a set of delegated permissions using noted IDs
$Per1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "c79f8feb-a9db-4090-85f9-90d820caa0eb","Scope"

$Per2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "465a38f9-76ea-45b9-9f34-9e8b0d4b0b42","Scope"

$Per3 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "06da0dbc-49e2-44d2-8312-53f166ab848a","Scope"

$Graph.ResourceAccess = $Per1, $Per2, $Per3

# Set the above resource access object to your application ObjectId so permissions can be assigned.
Set-AzureADApplication -ObjectId $myappId -RequiredResourceAccess $Graph

在此处输入图像描述

Reference:

How to assign Permissions to Azure AD App by using PowerShell?

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to acquire token for delegated permissions (microsoft graph) Trying to add delegated permission scopes defined in Azure Virtual Desktop RBAC to AAD App registration by calling Microsoft Graph API - /applications Azure Kudu access for users with Lighthouse delegated permissions Permissions for SAAS in Azure AD Microsoft Azure AD SCIM endpoints Sending emails between accounts using Microsoft Graph using Azure AD produces invalid IP error C# - Get Graph access token - using Client ID, Client Secret, Scope with Client Delegated Permissions Permissions required by Azure Service Principal to access App Insight data in a multi subscriptions AD Account Microsoft Graph: Can I (re)use the user's Bearer Token forwarded by AAD in order to make "delegated" calls to the Graph API? Send email using Microsoft Graph API from shared mailbox using azure logic app
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM