Granting admin consent to an Application (Role) scope #1733
Comments
Additionally, it appears that the portal achieves this by calling:

(The User.Read scope was also added in this case, but it doesn't actually require admin consent.) I guess worst case I could wrap this API call in PowerShell...
I think I got it:

Or, to show it a little more clearly using the MS Graph example:

```powershell
$scp = Get-MgServicePrincipal -Filter "DisplayName eq 'nameOfYourClientApp'"
$app = Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$appRole = $app.AppRoles | Where-Object Value -Eq "User.Read.All"
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $scp.Id -PrincipalId $scp.Id -ResourceId $app.Id -AppRoleId $appRole.Id
```

Thanks to this issue comment from the azure docs that got me pointed in the right direction. This appears to allow you to do individual admin consents to Application (Role) scopes. I'd be curious if anyone sees any issue with doing it this way.
What you have is the recommended approach. This is also documented at https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-consent-single-user?pivots=msgraph-powershell. According to the API reference, a

In the future, you can also open how-to questions at https://developer.microsoft.com/en-us/graph/support to get assistance from subject matter experts on queries tied to the functionality of the API or how to use an API.
This!!!!! After many fruitless hours, this........
What is the best/correct way to grant admin consent to an application to access a given scope of another application via MS Graph in PowerShell?

For example, consider a scenario where an API application requires access to Microsoft Graph's `User.Read.All` or `Group.Read.All` Application (Role) scope. It is easy enough to specify the resource requirement via the `RequiredResourceAccess` parameter of `Update-MgApplication` or `New-MgApplication`, but this still leaves the application requiring admin consent before the access can actually happen. This can of course be done in the portal via the UI for admin consent, but that doesn't help for automating this at deploy time.

I can't figure out how to do this via PowerShell.

What I've found so far:

- `az ad app permission admin-consent`, but (a) that's not PowerShell, (b) that's not using MS Graph, and (c) that appears to be deprecated
- the `New-MgOauth2PermissionGrant` cmdlet, but that appears to only be for granting Delegated (Scope) permissions, not Application (Role).
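The approach confirmed in the comments above (an `appRoleAssignment` on the client's service principal) works, but the snippet there filters by display name and blindly creates the assignment, which is fragile in a deploy pipeline. The following is an added example written for this thread, not code from the issue, the Microsoft.Graph SDK or the docs page linked above. It looks both service principals up by `appId` (display names are not unique), checks that the role is an enabled application role rather than a delegated scope, skips roles already granted so the script can be re-run, and honours `-WhatIf`. It assumes the Microsoft.Graph PowerShell SDK is installed, that the caller holds `AppRoleAssignment.ReadWrite.All` and `Application.Read.All`, and that `$ClientAppId` is the client app's appId; the function and parameter names are this example's own, and `00000003-0000-0000-c000-000000000000` is Microsoft Graph's well-known appId.

```powershell
# Added example (not from the issue thread): idempotently grant admin consent
# for Application (Role) permissions by creating appRoleAssignments on the
# client app's service principal. Function/parameter names are assumptions.
function Grant-AppRoleConsent {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $ClientAppId,   # appId (GUID) of the client app
        [Parameter(Mandatory)] [string[]] $RoleValue,     # e.g. 'User.Read.All','Group.Read.All'
        # Microsoft Graph's well-known appId; override to consent to another resource API.
        [string] $ResourceAppId = '00000003-0000-0000-c000-000000000000'
    )

    # Resolve by appId, not displayName: names are not unique in a tenant and a
    # name filter could silently pick the wrong service principal.
    $client   = @(Get-MgServicePrincipal -Filter "appId eq '$ClientAppId'")
    $resource = @(Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'")
    if ($client.Count -ne 1)   { throw "Expected one client service principal for appId $ClientAppId, found $($client.Count)" }
    if ($resource.Count -ne 1) { throw "Expected one resource service principal for appId $ResourceAppId, found $($resource.Count)" }
    $client   = $client[0]
    $resource = $resource[0]

    # Assignments already held by this client, so re-running the script from a
    # pipeline does not create duplicates or fail on an existing grant.
    $existing = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $client.Id -All)

    foreach ($value in $RoleValue) {
        # Only enabled roles that applications may hold qualify. A delegated scope
        # with the same name lives in Oauth2PermissionScopes, not AppRoles, and
        # would need an oauth2PermissionGrant instead.
        $role = $resource.AppRoles | Where-Object {
            $_.Value -eq $value -and $_.IsEnabled -and ($_.AllowedMemberTypes -contains 'Application')
        }
        if (-not $role) { throw "$($resource.DisplayName) exposes no enabled application role '$value'" }

        $already = $existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $resource.Id }
        if ($already) {
            Write-Verbose "'$value' already granted to $($client.DisplayName); skipping"
            continue
        }

        # -WhatIf / -Confirm are handled here via SupportsShouldProcess.
        $target = "$($client.DisplayName) -> $($resource.DisplayName): $value"
        if ($PSCmdlet.ShouldProcess($target, 'Create appRoleAssignment')) {
            New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $client.Id `
                -PrincipalId $client.Id -ResourceId $resource.Id -AppRoleId $role.Id | Out-Null
            Write-Verbose "Granted '$value' to $($client.DisplayName)"
        }
    }
}

# Usage (the client appId below is a constructed placeholder):
# Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All','Application.Read.All'
# Grant-AppRoleConsent -ClientAppId '00000000-0000-0000-0000-000000000000' `
#     -RoleValue 'User.Read.All','Group.Read.All' -Verbose -WhatIf
```

Run it once with `-WhatIf` to see which assignments would be created before letting a pipeline apply them; the `-contains 'Application'` check is what keeps the function from accidentally consenting to a role that is only meant for users or groups.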