
I currently have code to create an application with Delegated permissions. I would like to add Application permissions as well. Can anyone give an example of how to add both? Thank you.

My code is below:

function Add-Permission {

    param(
        [string]$appName
    )

    # Delegated (type = "Scope") permissions to request on Microsoft Graph
    $delegatedPermissions = @(
        "AuditLog.Read.All",
        "Directory.Read.All",
        "User.Read.All",
        "offline_access",
        "Group.Read.All",
        "GroupMember.Read.All",
        "GroupMember.ReadWrite.All"
    )

    # Resolve each permission name to its oauth2PermissionScope id on the Graph service principal
    $filteredPermissions = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'" `
        -Property Oauth2PermissionScopes | Select-Object -ExpandProperty Oauth2PermissionScopes |
        Where-Object { $delegatedPermissions -contains $_.Value }

    # Azure Service Management API (user_impersonation delegated scope)
    $azureServicePermission = @{
        resourceAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
        resourceAccess = @(
            @{
                id = "41094075-9dad-400e-a0bd-54e686782033"
                type = "Scope"
            }
        )
    }

    $app = Get-MgApplication -Filter "DisplayName eq '$appName'"

    $params = @{
        requiredResourceAccess = @(
            $azureServicePermission,
            @{
                resourceAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph
                resourceAccess = @($filteredPermissions | ForEach-Object {
                    @{
                        id = $_.Id
                        type = "Scope"
                    }
                })
            }
        )
    }

    # Note: PATCH replaces the whole requiredResourceAccess collection on the app registration
    Update-MgApplication -ApplicationId $app.Id -BodyParameter $params
}

2 Answers


  1. I would try to get the application permissions just like you are doing for the delegated permissions and then add that to the params.

              ...
                @{
                    resourceAppId = "00000003-0000-0000-c000-000000000000"
                    # Two separate pipeline statements inside @( ) so their outputs are collected
                    # into one array (a trailing comma would bind the next variable as an argument
                    # to the first ForEach-Object instead).
                    resourceAccess = @(
                        $filteredDelegatedPermissions | ForEach-Object {
                            @{
                                id = $_.Id
                                type = "Scope"   # delegated permission
                            }
                        }
                        $filteredApplicationPermissions | ForEach-Object {
                            @{
                                id = $_.Id
                                type = "Role"    # application permission (appRole)
                            }
                        }
                    )
                }
    
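The approach from the answer above, carried through as a complete function. This is an added example, not code from the original question or either answer; the function name `Set-GraphRequiredPermissions`, its parameters, and the sample app name are my own. It assumes the Microsoft.Graph.Applications module is installed and `Connect-MgGraph` has already been run with `Application.ReadWrite.All`. Two points the shorter snippets skip: a permission name that does not resolve throws instead of silently being dropped, and the existing entries for other resources (such as the Azure Service Management entry in the question) are preserved, because PATCHing `requiredResourceAccess` replaces the whole collection.

```powershell
# Added example (not from the original question or answers): declare both delegated
# (Scope) and application (Role) Microsoft Graph permissions on an app registration.
# Assumes Connect-MgGraph has been run with Application.ReadWrite.All.
# Function name, parameter names and the sample values are hypothetical.
function Set-GraphRequiredPermissions {
    param(
        [Parameter(Mandatory)] [string] $AppName,
        [string[]] $DelegatedPermissions   = @(),
        [string[]] $ApplicationPermissions = @()
    )

    $graphAppId = "00000003-0000-0000-c000-000000000000"   # well-known Microsoft Graph appId

    # Resolve the Graph service principal once; it carries both permission catalogs.
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'" `
        -Property Id, AppId, Oauth2PermissionScopes, AppRoles

    # Match on the exact Value so a typo fails loudly instead of requesting nothing.
    $resourceAccess = @()
    foreach ($name in $DelegatedPermissions) {
        $scope = $graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $name }
        if (-not $scope) { throw "Unknown delegated permission: $name" }
        $resourceAccess += @{ id = $scope.Id; type = "Scope" }
    }
    foreach ($name in $ApplicationPermissions) {
        $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $name }
        if (-not $role) { throw "Unknown application permission: $name" }
        $resourceAccess += @{ id = $role.Id; type = "Role" }
    }

    $app = Get-MgApplication -Filter "displayName eq '$AppName'"
    if (-not $app -or $app.Count -gt 1) { throw "Expected exactly one application named '$AppName'" }

    # PATCH replaces the whole requiredResourceAccess collection, so carry over the
    # entries for other resources and only swap the Microsoft Graph entry.
    $others = foreach ($r in $app.RequiredResourceAccess) {
        if ($r.ResourceAppId -ne $graphAppId) {
            @{
                resourceAppId  = $r.ResourceAppId
                resourceAccess = @($r.ResourceAccess | ForEach-Object { @{ id = $_.Id; type = $_.Type } })
            }
        }
    }
    $required = @($others) + @(@{ resourceAppId = $graphAppId; resourceAccess = $resourceAccess })

    Update-MgApplication -ApplicationId $app.Id -BodyParameter @{ requiredResourceAccess = $required }

    # Return what was declared so the caller can review it. This only declares the
    # permissions on the registration; admin consent (granting) is a separate step.
    return $resourceAccess
}

# Sample call (hypothetical app name). Application permissions run without a signed-in
# user and apply tenant-wide, so keep that list to what the workload actually needs.
Set-GraphRequiredPermissions -AppName "MyReportingApp" `
    -DelegatedPermissions   @("User.Read.All", "offline_access") `
    -ApplicationPermissions @("AuditLog.Read.All", "GroupMember.Read.All")
```

Note that `offline_access` only exists as a delegated scope, so it belongs in the delegated list; passing it as an application permission will throw, which is the intended behaviour.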
  2. Your function starts off well, but I’d use the New-MgServicePrincipalAppRoleAssignedTo cmdlet to add the app role assignments.

    https://learn.microsoft.com/en-us/graph/permissions-grant-via-msgraph?tabs=powershell&pivots=grant-application-permissions#step-2-grant-an-app-role-to-a-client-service-principal

    function Add-Permission {

        param(
            [string]$appName
        )

        # Application (Role) permissions to grant on Microsoft Graph
        $appPermissions = @(
            "AuditLog.Read.All",
            "Directory.Read.All",
            "User.Read.All",
            # "offline_access" omitted: it is not an application permission
            "Group.Read.All",
            "GroupMember.Read.All",
            "GroupMember.ReadWrite.All"
        )

        # Client service principal (the enterprise app that receives the grant)
        $servicePrincipal = Get-MgServicePrincipal -Filter "DisplayName eq '$appName'"

        # Resource service principal (Microsoft Graph); keep the object so its Id is available
        $graphServicePrincipal = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'" `
            -Property Id, AppRoles

        $filteredPermissions = $graphServicePrincipal.AppRoles |
            Where-Object { ($appPermissions -contains $_.Value) -and ($_.Origin -eq "Application") }

        foreach ($perm in $filteredPermissions) {
            $params = @{
                principalId = $servicePrincipal.Id         # client SP object id
                resourceId  = $graphServicePrincipal.Id    # resource SP object id (not the client's AppId)
                appRoleId   = $perm.Id
            }

            # appRoleAssignedTo is posted on the resource (Microsoft Graph) service principal
            New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphServicePrincipal.Id -BodyParameter $params
        }

    }
    
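The granting side covered by the second answer and the linked Microsoft page, as an added example that is not part of the original thread. It grants both kinds of permission for a client service principal: application permissions as one appRoleAssignment per role on the Microsoft Graph service principal, and delegated permissions as a single tenant-wide oauth2PermissionGrant. Re-running it is safe: roles already assigned are skipped and an existing grant is updated rather than duplicated. The function name `Grant-GraphPermissions`, its parameters and the sample app name are mine; it assumes the Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules are installed and `Connect-MgGraph` was run with `AppRoleAssignment.ReadWrite.All`, `DelegatedPermissionGrant.ReadWrite.All` and `Application.Read.All`.

```powershell
# Added example (not from the original question or answers): admin-consent the Microsoft
# Graph permissions a client service principal needs, idempotently. Assumes Connect-MgGraph
# was run with AppRoleAssignment.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All and
# Application.Read.All. Function name, parameter names and sample values are hypothetical.
function Grant-GraphPermissions {
    param(
        [Parameter(Mandatory)] [string] $AppName,
        [string[]] $ApplicationPermissions = @(),
        [string[]] $DelegatedPermissions   = @()
    )

    $graphAppId = "00000003-0000-0000-c000-000000000000"
    $graphSp  = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
    $clientSp = Get-MgServicePrincipal -Filter "displayName eq '$AppName'"
    if (-not $clientSp) { throw "No service principal named '$AppName'; create it first" }

    # Application permissions: one appRoleAssignment per role, posted on the *resource* SP.
    # resourceId is Graph's object id, not the client's appId.
    $existing = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -All |
        Where-Object { $_.PrincipalId -eq $clientSp.Id }
    $granted = @()
    foreach ($name in $ApplicationPermissions) {
        $role = $graphSp.AppRoles |
            Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains "Application" }
        if (-not $role) { throw "Unknown application permission: $name" }
        if ($existing.AppRoleId -contains $role.Id) { continue }   # already granted, skip
        New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $graphSp.Id -BodyParameter @{
            principalId = $clientSp.Id
            resourceId  = $graphSp.Id
            appRoleId   = $role.Id
        } | Out-Null
        $granted += $name
    }

    # Delegated permissions: a single oauth2PermissionGrant with a space-separated scope list.
    # consentType AllPrincipals is tenant-wide admin consent; update the grant if it exists.
    if ($DelegatedPermissions.Count -gt 0) {
        foreach ($name in $DelegatedPermissions) {
            if (-not ($graphSp.Oauth2PermissionScopes | Where-Object { $_.Value -eq $name })) {
                throw "Unknown delegated permission: $name"
            }
        }
        $scopes = $DelegatedPermissions -join " "
        $grant = Get-MgOauth2PermissionGrant -Filter ("clientId eq '{0}' and consentType eq 'AllPrincipals' and resourceId eq '{1}'" -f $clientSp.Id, $graphSp.Id)
        if ($grant) {
            Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope $scopes
        } else {
            New-MgOauth2PermissionGrant -BodyParameter @{
                clientId    = $clientSp.Id
                consentType = "AllPrincipals"
                resourceId  = $graphSp.Id
                scope       = $scopes
            } | Out-Null
        }
    }

    # Names of application permissions granted on this run (already-present ones are omitted)
    return $granted
}

# Sample call (hypothetical app name)
Grant-GraphPermissions -AppName "MyReportingApp" `
    -ApplicationPermissions @("AuditLog.Read.All", "GroupMember.Read.All") `
    -DelegatedPermissions   @("User.Read.All", "offline_access")
```

Granting is what actually confers access, so it deserves the review that the declaration step does not: a `ReadWrite` application permission granted here is usable by anyone holding that app's client secret or certificate, with no user in the loop.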