
Granting admin consent to an Application (Role) scope #1733

Closed
sam-mfb opened this issue Jan 5, 2023 · 4 comments

Comments

@sam-mfb

sam-mfb commented Jan 5, 2023

What is the best/correct way to grant admin consent to an application to access a given scope of another application via MS Graph in Powershell?

For example, consider a scenario where an API application requires access to Microsoft Graph's User.Read.All or Group.Read.All Application (Role) scope. It is easy enough to specify the resource requirement via the RequiredResourceAccess parameter of Update-MgApplication or New-MgApplication, but this still leaves the application requiring admin consent before the access can actually happen.

This can of course be done in the portal via the UI for admin consent, but that doesn't help for automating this at deploy time.
I can't figure out how to do this via Powershell.

What I've found so far:

  • It can be done via the Azure cli using az ad app permission admin-consent but (a) that's not Powershell, (b) that's not using MS Graph, and (c) that appears to be deprecated
  • I've read that there was no Powershell api for doing this via AZ AD, but I'm wondering (hoping) this has changed for MS Graph
  • I've looked at the New-MgOauth2PermissionGrant cmdlet, but that appears to only be for granting Delegated (Scope) permissions, not Application (Role).
  • I assume there is, at a minimum, some way to do it indirectly through the REST API, though I haven't been able to figure that out either, and ideally it would be able to be done directly in Powershell.
@ghost ghost added the ToTriage label Jan 5, 2023
@sam-mfb
Author

sam-mfb commented Jan 5, 2023

Additionally, it appears that the portal achieves this by calling https://graph.windows.net/myorganization/consentToApp?api-version=2.0 with a payload of:

{
    "clientAppId": "XXX-real-app-id-would-go-here-XXX",
    "onBehalfOfAll": true,
    "checkOnly": false,
    "tags": [],
    "constrainToRra": true,
    "dynamicPermissions": [
        {
            "appIdentifier": "00000003-0000-0000-c000-000000000000",
            "appRoles": [
                "Group.Read.All",
                "User.Read.All"
            ],
            "scopes": [
                "User.Read"
            ]
        }
    ]
}

(The User.Read scope was also added in this case, but it doesn't actually require admin consent.) I guess worst case I could wrap this API call in Powershell...

@sam-mfb
Author

sam-mfb commented Jan 5, 2023

I think I got it:

New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId [object id of App service principal] -PrincipalId [object id of App service principal (yes, same as previous param)] -ResourceId [object id (not app id) of resource to access, e.g., MS Graph] -AppRoleId [object id of resource scope, e.g., of 'User.Read.All']

Or, to show it a little more clearly using the MS Graph example:

$scp = Get-MgServicePrincipal -Filter "DisplayName eq 'nameOfYourClientApp'"
$app = Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$appRole = $app.AppRoles | Where-Object Value -Eq "User.Read.All"
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $scp.Id -PrincipalId $scp.Id -ResourceId $app.Id -AppRoleId $appRole.Id

Thanks to this issue comment from the azure docs that got me pointed in the right direction.

This appears to allow you to do individual admin consents to Application (Role) scopes. I'd be curious if anyone sees any issue with doing it this way.
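The procedure above, written out as a deploy-time script. This is an added example, not code from the issue or from the Microsoft Graph PowerShell SDK project. It assumes the Microsoft.Graph module is installed, that the signed-in account is allowed to grant tenant-wide application permissions, and that $ClientAppId is supplied by the caller (a hypothetical input). Two points a practitioner would want on top of the one-liner: service principals are resolved by their immutable appId rather than by DisplayName (display names are not unique in a tenant, so a DisplayName filter can match the wrong registration), and the script checks that the role is really an Application (Role) permission and that it has not already been granted, so re-running a deployment does not fail or duplicate grants.

```powershell
# Added example: grant Application (Role) permissions on a resource (Microsoft
# Graph by default) to a client service principal, idempotently, with the
# Microsoft Graph PowerShell SDK. Not from the issue; assumptions noted inline.
param(
    # appId (not object id) of the client/API application; hypothetical caller input
    [Parameter(Mandatory)] [string] $ClientAppId,
    # appId of the resource being accessed; Microsoft Graph's well-known appId
    [string] $ResourceAppId = '00000003-0000-0000-c000-000000000000',
    # Application (Role) values to grant
    [string[]] $AppRoleValues = @('User.Read.All', 'Group.Read.All')
)

# AppRoleAssignment.ReadWrite.All is needed to create the assignment;
# Application.Read.All lets the script resolve service principals and app roles.
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All'

function Get-SpByAppId([string] $AppId) {
    # appId is immutable and unique per tenant, unlike DisplayName.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal for appId $AppId in this tenant" }
    return $sp
}

$client   = Get-SpByAppId $ClientAppId
$resource = Get-SpByAppId $ResourceAppId

# Existing grants on the client, so the script is safe to re-run.
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $client.Id -All

foreach ($value in $AppRoleValues) {
    $role = $resource.AppRoles | Where-Object { $_.Value -eq $value -and $_.IsEnabled }
    if (-not $role) { throw "$($resource.DisplayName) exposes no enabled app role '$value'" }

    # Delegated scopes live under Oauth2PermissionScopes, not AppRoles. An AppRole
    # must allow the 'Application' member type to be assignable to a service principal.
    if ($role.AllowedMemberTypes -notcontains 'Application') {
        throw "'$value' is not an Application (Role) permission; delegated scopes use New-MgOauth2PermissionGrant"
    }

    $already = $existing | Where-Object { $_.ResourceId -eq $resource.Id -and $_.AppRoleId -eq $role.Id }
    if ($already) {
        Write-Host "Already granted: $value (assignment $($already.Id))"
        continue
    }

    $params = @{
        ServicePrincipalId = $client.Id    # the SP whose assignments we are adding to ...
        PrincipalId        = $client.Id    # ... is also the principal receiving the role
        ResourceId         = $resource.Id  # object id of the resource SP, not its appId
        AppRoleId          = $role.Id      # id of the AppRole entry on the resource SP
    }
    $grant = New-MgServicePrincipalAppRoleAssignment @params
    Write-Host "Granted: $value (assignment $($grant.Id))"
}

# Audit view: every application permission the client now holds. Comparing this
# against the intended list at deploy time makes unexpected grants visible.
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $client.Id -All |
    Select-Object PrincipalDisplayName, ResourceDisplayName, AppRoleId, CreatedDateTime |
    Format-Table -AutoSize
```

Run it as `.\Grant-AppRoles.ps1 -ClientAppId <your-app-id>` (script name is arbitrary). The trailing listing is deliberate: application permissions granted this way take effect tenant-wide without a user in the loop, so the set of appRoleAssignments on a client service principal is worth recording and reviewing after every deployment.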

@peombwa
Member

peombwa commented Jan 6, 2023

What you have is the recommended approach. This is also documented at https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-consent-single-user?pivots=msgraph-powershell.

According to the API reference, a PrincipalId is:

The unique identifier (id) for the user, security group, or service principal being granted the app role. Security groups with dynamic memberships are supported. Required on create.

In the future, you can also open how-to questions at https://developer.microsoft.com/en-us/graph/support to get assistance from subject matter experts on queries tied to the functionality of the API or how to use an API.

@peombwa peombwa closed this as completed Jan 6, 2023
@ghost ghost removed the ToTriage label Jan 6, 2023
@tukutela

> I think I got it:
>
> New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId [object id of App service principal] -PrincipalId [object id of App service principal (yes, same as previous param)] -ResourceId [object id (not app id) of resource to access, e.g., MS Graph] -AppRoleId [object id of resource scope, e.g., of 'User.Read.All']
>
> Or, to show it a little more clearly using the MS Graph example:
>
> $scp = Get-MgServicePrincipal -Filter "DisplayName eq 'nameOfYourClientApp'"
> $app = Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
> $appRole = $app.AppRoles | Where-Object Value -Eq "User.Read.All"
> New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $scp.Id -PrincipalId $scp.Id -ResourceId $app.Id -AppRoleId $appRole.Id
>
> Thanks to this issue comment from the azure docs that got me pointed in the right direction.
>
> This appears to allow you to do individual admin consents to Application (Role) scopes. I'd be curious if anyone sees any issue with doing it this way.

This!!!!! After many fruitless hours, this........
