Code a Delegated Permission in Azure Powershell


Can anyone give me an example of coding a delegated permission to an application in Azure PowerShell? The image below shows an example of how I would like the permissions to look.


I know I should use the 'oAuth2PermissionGrant' seen in this link: https://learn.microsoft.com/en-us/graph/api/oauth2permissiongrant-post?view=graph-rest-1.0&tabs=powershell

But I haven't used it correctly yet. Can anyone provide an example?



Answer by Sridevi (accepted answer):

You can make use of the below sample PowerShell script to add Microsoft Graph and Azure Service Management API permissions of the Delegated type to an app registration:

# Define the list of delegated permissions names
$delegatedPermissions = @(
    "AuditLog.Read.All",
    "Directory.Read.All",
    "User.Read.All",
    "offline_access",
    "Group.Read.All",
    "GroupMember.Read.All",
    "GroupMember.ReadWrite.All"
)

# Get the Microsoft Graph service principal and keep only the delegated scopes whose names are in the list above
$msGraphSP = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'" -Property Oauth2PermissionScopes | Select-Object -ExpandProperty Oauth2PermissionScopes
$filteredPermissions = $msGraphSP | Where-Object { $delegatedPermissions -contains $_.Value }

# Define Azure Service Management API permission
$azureServicePermission = @{
    resourceAppId = "797f4846-ba00-4fd7-ba43-dac1f8f63013"
    resourceAccess = @(
        @{
            id = "41094075-9dad-400e-a0bd-54e686782033"
            type = "Scope"
        }
    )
}

$appObjId = "your_app_reg_ObjectID"

$params = @{
    requiredResourceAccess = @(
        $azureServicePermission,
        @{
            resourceAppId = "00000003-0000-0000-c000-000000000000"
            resourceAccess = $filteredPermissions | ForEach-Object {
                @{
                    id = $_.Id
                    type = "Scope"
                }
            }
        }
    )
}

Update-MgApplication -ApplicationId $appObjId -BodyParameter $params

Response:


To confirm that, I checked the same in the Azure AD application, where the Delegated permissions were added successfully, as below:


To add admin consent to the Microsoft Graph permissions, you can use the below sample script:

$params = @{
    clientId = "service_principal_ObjID"   # object ID of the app's service principal (the client)
    consentType = "AllPrincipals"          # tenant-wide consent for all users
    resourceId = "54858dc8-ace7-47d4-82b2-e74d83062e7b"   # object ID of the Microsoft Graph service principal in this tenant
    scope = "AuditLog.Read.All Directory.Read.All User.Read.All offline_access Group.Read.All GroupMember.Read.All GroupMember.ReadWrite.All"
}

New-MgOauth2PermissionGrant -BodyParameter $params

Response:


To add admin consent to the Azure Service Management permissions, you can use the below sample script:

$params = @{
    clientId = "service_principal_ObjID"   # object ID of the app's service principal (the client)
    consentType = "AllPrincipals"          # tenant-wide consent for all users
    resourceId = "65805703-c2cf-48a5-8835-e8d233b234e3"   # object ID of the Azure Service Management service principal in this tenant
    scope = "user_impersonation"
}

New-MgOauth2PermissionGrant -BodyParameter $params

Response:


When I checked the same in the Portal, admin consent was granted successfully to all permissions, as below:

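As an added example (not the answer's own code), the same two steps, declaring delegated Microsoft Graph scopes on an app registration and then creating the oAuth2PermissionGrant, with the checks a practitioner would want before running this against a tenant: resolving the resource by appId instead of display name, merging rather than overwriting requiredResourceAccess, and updating an existing grant instead of creating a duplicate. It assumes the Microsoft.Graph PowerShell SDK; the app object ID, the scope list and the admin account's permissions are placeholders.

```powershell
# Assumptions: Microsoft.Graph PowerShell SDK installed; the signed-in admin holds the two scopes below.
# IDs in angle brackets are placeholders to replace with values from your own tenant.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All"

$appObjectId = "<app-registration-object-id>"
$graphAppId  = "00000003-0000-0000-c000-000000000000"   # well-known appId of Microsoft Graph
$wanted      = @("User.Read", "Directory.Read.All")     # request only what the app actually needs

# Resolve the resource by its well-known appId, not its display name: display names are
# not unique, so a filter on 'Microsoft Graph' could match an unrelated app in the tenant.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$scopes  = @($graphSp.Oauth2PermissionScopes | Where-Object { $wanted -contains $_.Value })
if ($scopes.Count -ne $wanted.Count) {
    $missing = $wanted | Where-Object { $_ -notin $scopes.Value }
    throw "Unknown delegated scope name(s): $($missing -join ', ')"
}

# PATCH replaces requiredResourceAccess wholesale, so carry over every other API's entries
# instead of silently dropping them when the Microsoft Graph entry is rewritten.
$app = Get-MgApplication -ApplicationId $appObjectId
$keep = @()
foreach ($r in $app.RequiredResourceAccess) {
    if ($r.ResourceAppId -eq $graphAppId) { continue }
    $keep += @{ resourceAppId = $r.ResourceAppId
                resourceAccess = @($r.ResourceAccess | ForEach-Object { @{ id = $_.Id; type = $_.Type } }) }
}
$graphEntry = @{ resourceAppId = $graphAppId
                 resourceAccess = @($scopes | ForEach-Object { @{ id = $_.Id; type = "Scope" } }) }
Update-MgApplication -ApplicationId $appObjectId -BodyParameter @{ requiredResourceAccess = $keep + $graphEntry }

# The grant's clientId is the app's service principal (not the app registration); create it if absent.
$clientSp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $clientSp) { $clientSp = New-MgServicePrincipal -AppId $app.AppId }

# Only one grant may exist per (client, resource, consentType): extend an existing one rather
# than hitting a conflict, and leave previously consented scopes in place.
$grant = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientSp.Id)' and resourceId eq '$($graphSp.Id)' and consentType eq 'AllPrincipals'"
if ($grant) {
    $merged = (@($grant.Scope -split ' ') + $wanted | Where-Object { $_ } | Sort-Object -Unique) -join ' '
    Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope $merged
} else {
    New-MgOauth2PermissionGrant -BodyParameter @{
        clientId    = $clientSp.Id
        consentType = "AllPrincipals"   # tenant-wide; "Principal" plus principalId limits consent to one user
        resourceId  = $graphSp.Id
        scope       = ($wanted -join ' ')
    }
}
```

The same pattern applies to the Azure Service Management resource by swapping in its appId (797f4846-ba00-4fd7-ba43-dac1f8f63013) and the user_impersonation scope.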