How to assign permissions to an Azure AD app using PowerShell?


In my last blog post I described the PowerShell script that registers an app in Azure AD. In this post we will look at the PowerShell script that assigns the necessary permissions to that app.

STEP 1: Install the Azure AD module in PowerShell. If you have not installed the AzureAD module before, install it with this cmdlet; otherwise skip this step.

# Install the AzureAD module if it is not installed already; otherwise skip this step.
Install-Module AzureAD

STEP 2: Connect to Azure AD. First we store the credentials in a credential object; this object is then used to log in to Azure AD. Once the connection succeeds, the cmdlet prints the tenant information as output.

# Store the credentials and use them to connect to Azure AD.
$Credentials = Get-Credential 

# Now connect to Azure AD
Connect-AzureAD -Credential $Credentials 

STEP 3: Identify the service principal of the resource for which you want to assign permissions. For example, to assign Power BI permissions the service principal is that of the Power BI Service; similarly, for Windows Azure Active Directory you need to search for it by its specific display name. If you are not sure about the name, run this cmdlet and find the display name to use in the next cmdlet:

Get-AzureADServicePrincipal -All $true 

STEP 4: Now get the service principal object for each specific service. In our scenario we want the service principals for Power BI Service and Windows Azure Active Directory.

$svcprincipalPbi = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -match "Power BI Service" }

$svcprincipalAAD = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -match "Windows Azure Active Directory" }

STEP 5: List the application roles (application permissions) exposed by the service principals retrieved in Step 4.

$svcprincipalPbi.AppRoles | FT ID, DisplayName
$svcprincipalAAD.AppRoles | FT ID, DisplayName

STEP 6: Show the delegated permissions (OAuth2 scopes) exposed by the service principals.

# Show the Delegated Permissions
$svcprincipalPbi.Oauth2Permissions | FT ID, UserConsentDisplayName
$svcprincipalAAD.Oauth2Permissions | FT ID, UserConsentDisplayName

Note down these ID values, because we will use them in Step 8.

STEP 7: Create a RequiredResourceAccess object for each resource and set its ResourceAppId to the service principal's AppId.

$Pbi = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Pbi.ResourceAppId = $svcprincipalPbi.AppId

$Aad = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Aad.ResourceAppId = $svcprincipalAAD.AppId

STEP 8: Create the set of delegated permissions (type "Scope") from the IDs noted down in Step 6.

$delPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "a42657d6-7f20-40e3-b6f0-cee03008a62a","Scope" ## Access the directory as you

$delPermission4 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "47df08d3-85e6-4bd3-8c77-680fbe28162e","Scope" ## View all Groups

$delPermission3 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "a65a6bd9-0978-46d6-a261-36b3e6fdd32e","Scope" ## View users Groups

$delPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "ddd37690-e119-40c5-a821-3746ea6125c4","Scope" ## Read and write all dataflows

$delPermission5 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "4ae1bf56-f562-4747-b7bc-2fa0874ed46f","Scope" ## View all Reports

$delPermission6 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "f3076109-ca66-412a-be10-d4ee1be95d47","Scope" ## Create content

$delPermission7 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "322b68b2-0804-416e-86a5-d772c567b6e6","Scope" ## Read and Write all Datasets

$delPermission8 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7f33e027-4039-419b-938e-2f8ca153e68e","Scope" ## View all Datasets

$delPermission9 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "2448370f-f988-42cd-909c-6528efd67c1a","Scope" ## View all Dashboards

$delPermission10 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "ecc85717-98b0-4465-af6d-1cbba6f9c961","Scope" ## Add data to any of your datasets in Power BI

$delPermission11 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "b271f05e-8329-4b97-baa4-91cf15b99cf1","Scope" ## Read and Write all Dashboards

$delPermission12 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "445002fb-a6f2-4dc1-a81e-4254a111cd29","Scope" ## Read and write all workspaces

$delPermission13 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "b2f1b2fa-f35c-407c-979c-a858a808ba85","Scope" ## View all workspaces

STEP 9: Assign the delegated permissions to the RequiredResourceAccess objects created in Step 7.

$Aad.ResourceAccess = $delPermission1

# A trailing comma at the end of a line continues the array; a line starting with a comma is a syntax error.
$Pbi.ResourceAccess = $delPermission2, $delPermission3, $delPermission4,
    $delPermission5, $delPermission6, $delPermission7, $delPermission8,
    $delPermission9, $delPermission10, $delPermission11, $delPermission12, $delPermission13

STEP 10: Get a reference to the application registered in the previous post and set the RequiredResourceAccess objects on it so that the permissions are declared on the app.

# Replace the placeholder with the application (client) ID of the app registered earlier; the ID is a GUID, so compare it exactly.
$ADApplication = Get-AzureADApplication -All $true | ? { $_.AppId -eq "<application ID created earlier>" }

Set-AzureADApplication -ObjectId $ADApplication.ObjectId -RequiredResourceAccess $Pbi, $Aad
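As an added example (not part of the original post), this script reads back what Step 10 declared on the app registration and resolves every ID to the permission's Value, so the declared permissions can be reviewed before an admin grants consent. It assumes an existing Connect-AzureAD session; $AppId and Resolve-ResourceAccess are names introduced here.

```powershell
# Added example: audit the permissions declared on the app registration.
# Assumes Connect-AzureAD has already been run; $AppId is a placeholder.
$AppId = "<application ID created earlier>"

$app = Get-AzureADApplication -Filter "appId eq '$AppId'"
if (-not $app) { throw "No app registration found for AppId $AppId" }

# Cache resolved service principals so each resource is queried only once
$spCache = @{}

function Resolve-ResourceAccess {
    param($Required)   # one Microsoft.Open.AzureAD.Model.RequiredResourceAccess entry
    $rid = $Required.ResourceAppId
    if (-not $spCache.ContainsKey($rid)) {
        $spCache[$rid] = Get-AzureADServicePrincipal -Filter "appId eq '$rid'"
    }
    $sp = $spCache[$rid]
    foreach ($access in $Required.ResourceAccess) {
        # "Scope" entries are delegated permissions (Oauth2Permissions);
        # "Role" entries are application permissions (AppRoles).
        if ($access.Type -eq "Scope") {
            $def = $sp.Oauth2Permissions | Where-Object { $_.Id -eq $access.Id }
        } else {
            $def = $sp.AppRoles | Where-Object { $_.Id -eq $access.Id }
        }
        $name = if ($def) { $def.Value } else { "<unknown id>" }
        # App roles always need admin consent; scopes only when their consent Type is "Admin"
        $adminConsent = ($access.Type -eq "Role") -or ($def -and $def.Type -eq "Admin")
        [pscustomobject]@{
            Resource          = $sp.DisplayName
            Type              = $access.Type
            Permission        = $name
            NeedsAdminConsent = $adminConsent
            Id                = $access.Id
        }
    }
}

$report = $app.RequiredResourceAccess | ForEach-Object { Resolve-ResourceAccess $_ }
$report | Format-Table Resource, Type, Permission, NeedsAdminConsent, Id -AutoSize

# Flag entries that need a tenant admin's consent or that did not resolve to a known permission
$report | Where-Object { $_.NeedsAdminConsent -or $_.Permission -eq "<unknown id>" } |
    ForEach-Object { Write-Warning "Review: $($_.Resource) / $($_.Permission) ($($_.Type))" }
```

Set-AzureADApplication -RequiredResourceAccess replaces the application's whole required-permissions list with what you pass, so include every resource the app still needs. Declaring the permissions here does not grant them; consent still has to be given separately.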

Here is the full script. You can change the application ID and rerun the script if you want to repeat the same steps.

$Credentials = Get-Credential 
Connect-AzureAD -Credential $Credentials 

$svcprincipalPbi = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -match "Power BI Service" }
$svcprincipalAAD = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -match "Windows Azure Active Directory" }


$svcprincipalPbi.AppRoles | FT ID, DisplayName
$svcprincipalAAD.AppRoles | FT ID, DisplayName


# Show the Delegated Permissions
$svcprincipalPbi.Oauth2Permissions | FT ID, UserConsentDisplayName
$svcprincipalAAD.Oauth2Permissions | FT ID, UserConsentDisplayName


$Pbi = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Pbi.ResourceAppId = $svcprincipalPbi.AppId


$Aad = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Aad.ResourceAppId = $svcprincipalAAD.AppId


$delPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "a42657d6-7f20-40e3-b6f0-cee03008a62a","Scope" ## Access the directory as you

$delPermission4 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "47df08d3-85e6-4bd3-8c77-680fbe28162e","Scope" ## View all Groups

$delPermission3 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "a65a6bd9-0978-46d6-a261-36b3e6fdd32e","Scope" ## View users Groups

$delPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "ddd37690-e119-40c5-a821-3746ea6125c4","Scope" ## Read and write all dataflows

$delPermission5 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "4ae1bf56-f562-4747-b7bc-2fa0874ed46f","Scope" ## View all Reports

$delPermission6 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "f3076109-ca66-412a-be10-d4ee1be95d47","Scope" ## Create content

$delPermission7 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "322b68b2-0804-416e-86a5-d772c567b6e6","Scope" ## Read and Write all Datasets

$delPermission8 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "7f33e027-4039-419b-938e-2f8ca153e68e","Scope" ## View all Datasets

$delPermission9 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "2448370f-f988-42cd-909c-6528efd67c1a","Scope" ## View all Dashboards

$delPermission10 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "ecc85717-98b0-4465-af6d-1cbba6f9c961","Scope" ## Add data to any of your datasets in Power BI

$delPermission11 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "b271f05e-8329-4b97-baa4-91cf15b99cf1","Scope" ## Read and Write all Dashboards

$delPermission12 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "445002fb-a6f2-4dc1-a81e-4254a111cd29","Scope" ## Read and write all workspaces

$delPermission13 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "b2f1b2fa-f35c-407c-979c-a858a808ba85","Scope" ## View all workspaces



$Aad.ResourceAccess = $delPermission1

$Pbi.ResourceAccess = $delPermission2, $delPermission3, $delPermission4,
    $delPermission5, $delPermission6, $delPermission7, $delPermission8,
    $delPermission9, $delPermission10, $delPermission11, $delPermission12, $delPermission13

# Replace the placeholder with the application (client) ID of the app registered earlier
$ADApplication = Get-AzureADApplication -All $true | ? { $_.AppId -eq "<application ID created earlier>" }

Set-AzureADApplication -ObjectId $ADApplication.ObjectId -RequiredResourceAccess $Pbi, $Aad

Comments

    Simon

    Great script. How do you assign Group.Read.All, User.Read and User.Read.All to the application permission of an application?


      rajaniesh

      Jakke,

      You can use this CLI command and equivalent PowerShell command to grant the permission: az ad app permission grant --id --api --scope

      Hope this helps.
