For your app to access data in Microsoft Graph (or any other Microsoft API), you must grant it the correct permissions. You can do this manually, but as soon as you need to do it more than once you should automate it. Microsoft has some great documentation on Graph Permission Roles (and it keeps getting better), but it is still missing some crucial information, and the Permission Role IDs are one example.
Microsoft explains very well that all permission names follow a simple pattern: resource.operation.constraint. What the docs don't mention is that, when you assign permissions programmatically, you need the Permission Role IDs instead of the Permission Names. As you have probably seen, you can't find those IDs on docs.com. Luckily it is very easy to get them with a simple PowerShell script. Be sure to install the latest AzureAD module before running it!
```powershell
$AADModule = Get-Module -Name "AzureAD" -ListAvailable
## AzureADPreview installed instead?
if ($AADModule -eq $null) {
    $AADModule = Get-Module -Name "AzureADPreview" -ListAvailable
}
## Neither AzureAD nor AzureADPreview installed? Stop here instead of failing on the cmdlets below.
if ($AADModule -eq $null) {
    Write-Host "AzureAD PowerShell Module not installed." -ForegroundColor Red
    Write-Host "Install with 'Install-Module -Name AzureAD'" -ForegroundColor Red
    return
}
## Only prompt for sign-in when there is no active session yet
Try {
    $connect = Get-AzureADTenantDetail
} Catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
    Connect-AzureAD | Out-Null
}
$PermissionName = Read-Host "Enter the permission name found on docs.com"
## Delegated permissions are listed under OAuth2Permissions of the Microsoft Graph service principal
$RoleID = (Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'").OAuth2Permissions |
    Where-Object { $_.Value -eq $PermissionName }
if ($RoleID) {
    $RoleID
} else {
    Write-Host "Role not found!" -ForegroundColor Magenta
}
```
The script will output everything you need!
```text
AdminConsentDescription : Allows the app to read data in your organization's directory, such as users, groups and apps.
AdminConsentDisplayName : Read directory data
Id                      : 06da0dbc-49e2-44d2-8312-53f166ab848a
IsEnabled               : True
Type                    : Admin
UserConsentDescription  : Allows the app to read data in your organization's directory.
UserConsentDisplayName  : Read directory data
Value                   : Directory.Read.All
```
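Once you have the IDs, the next step is feeding them into an app registration. The function below is an added example (not code from the original post): it resolves a list of permission names to their IDs in one go, distinguishes delegated permissions (`OAuth2Permissions`, type `Scope`) from application permissions (`AppRoles`, type `Role`), fails closed when a name is unknown, and builds the `RequiredResourceAccess` object that `Set-AzureADApplication` expects. It assumes the AzureAD module is loaded and `Connect-AzureAD` has already been run; `<app-object-id>` is a placeholder for your own application's ObjectId.

```powershell
# Added example, not from the original post. Assumes an active Connect-AzureAD session.
function Resolve-GraphPermission {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        # Scope = delegated permission (OAuth2Permissions), Role = application permission (AppRoles)
        [ValidateSet('Scope', 'Role')][string]$Type = 'Scope'
    )
    $graph = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
    if (-not $graph) { throw "Microsoft Graph service principal not found in this tenant" }

    # Delegated and application permissions live in different collections on the service principal
    $catalog = if ($Type -eq 'Scope') { $graph.OAuth2Permissions } else { $graph.AppRoles }

    $access = foreach ($n in $Name) {
        $match = $catalog | Where-Object { $_.Value -eq $n }
        # Fail closed: a typo must not silently produce an app with fewer (or different) permissions
        if (-not $match) { throw "Permission '$n' of type '$Type' not found in the Microsoft Graph catalog" }
        New-Object -TypeName Microsoft.Open.AzureAD.Model.ResourceAccess -ArgumentList $match.Id, $Type
    }

    $required = New-Object -TypeName Microsoft.Open.AzureAD.Model.RequiredResourceAccess
    $required.ResourceAppId = $graph.AppId   # taken from the tenant, not hard-coded
    $required.ResourceAccess = $access
    return $required
}

# Usage: request exactly the delegated permissions the app needs and nothing more
$required = Resolve-GraphPermission -Name 'User.Read', 'Directory.Read.All' -Type Scope
$required.ResourceAccess | Format-Table Id, Type   # review the resolved IDs before applying them

# Placeholder: replace <app-object-id> with the ObjectId of your app registration
Set-AzureADApplication -ObjectId '<app-object-id>' -RequiredResourceAccess $required
```

Setting `RequiredResourceAccess` only declares what the app asks for; an admin still has to grant consent, so a review of the resolved list before that step is the natural least-privilege checkpoint.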