
Microsoft Graph Permission Role IDs


For your app to access data in Microsoft Graph (or any other Microsoft API), you must grant the correct permissions to it. It’s possible to do this manually, but when you need to do this a lot (more than once) you should automate it. Microsoft has some great documentation on Graph Permission Roles (and it keeps getting better), but it’s still missing some crucial information – Permission Role IDs are one of them.

Microsoft explains very well that all permission names follow a simple pattern: resource.operation.constraint. What they don’t mention is that when automating you need to use Permission Role IDs instead of Permission Names. As you have probably seen, you can’t find the IDs on docs.com. Luckily it’s very easy to get them using a simple PowerShell script. Be sure to install the latest AzureAD module before using this!

## Look for the AzureAD module first, then fall back to AzureADPreview
$AADModule = Get-Module -Name "AzureAD" -ListAvailable

## AzureADPreview Installed?
if ($AADModule -eq $null) {
    $AADModule = Get-Module -Name "AzureADPreview" -ListAvailable
}

## No AzureAD or AzureADPreview installed? Stop here, the cmdlets below would fail.
if ($AADModule -eq $null) {
    Write-Host "AzureAD PowerShell Module not installed." -ForegroundColor Red
    Write-Host "Install with 'Install-Module -Name AzureAD'" -ForegroundColor Red
    exit 1
}

## Reuse an existing session; only sign in when there is none
Try {
    $connect = Get-AzureADTenantDetail
} Catch [Microsoft.Open.Azure.AD.CommonLibrary.AadNeedAuthenticationException] {
    Connect-AzureAD | Out-Null
}

$PermissionName = Read-Host "Enter the permission name found on docs.com"

## OAuth2Permissions holds the delegated permissions of the Microsoft Graph service principal
## (application permissions are listed under AppRoles instead)
$RoleID = (Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'").OAuth2Permissions | Where-Object {$_.Value -eq $PermissionName}
if ($RoleID) {
    $RoleID
} else {
    Write-Host "Role not found!" -ForegroundColor Magenta
}

The script will output everything you need; the Id field is the Permission Role ID:

AdminConsentDescription : Allows the app to read data in your organization's directory, such as users, groups and apps.
AdminConsentDisplayName : Read directory data
Id                      : 06da0dbc-49e2-44d2-8312-53f166ab848a
IsEnabled               : True
Type                    : Admin
UserConsentDescription  : Allows the app to read data in your organization's directory.
UserConsentDisplayName  : Read directory data
Value                   : Directory.Read.All
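To take the lookup one step further towards automation, here is an added example (not the post's own script) that resolves a whole list of permission names at once, covers application permissions (AppRoles) as well as delegated ones (OAuth2Permissions), and builds the RequiredResourceAccess object that Set-AzureADApplication expects. It assumes the AzureAD module is installed and a Connect-AzureAD session exists; the default values of $Delegated and $Application are sample input, and $ApplicationObjectId is an optional, hypothetical parameter for the app registration to update. The GUID 00000003-0000-0000-c000-000000000000 is the well-known application ID of Microsoft Graph.

```powershell
# Added example, not the post's own script: resolve Microsoft Graph permission
# names to IDs for both delegated scopes (OAuth2Permissions) and application
# roles (AppRoles), then build the RequiredResourceAccess entry for an app.
# Assumes the AzureAD module is installed and Connect-AzureAD has been run.
param(
    [string[]]$Delegated   = @("User.Read"),           # sample input
    [string[]]$Application = @("Directory.Read.All"),  # sample input
    [string]$ApplicationObjectId                       # optional: ObjectId of the app registration to update
)

# Well-known application ID of Microsoft Graph; more robust than matching on DisplayName.
$GraphAppId = "00000003-0000-0000-c000-000000000000"
$GraphSP = Get-AzureADServicePrincipal -Filter "AppId eq '$GraphAppId'"
if (-not $GraphSP) { throw "Microsoft Graph service principal not found in this tenant." }

function Resolve-GraphPermission {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet("Scope", "Role")][string]$Type
    )
    # "Scope" = delegated permission (OAuth2Permissions), "Role" = application permission (AppRoles)
    $source = if ($Type -eq "Scope") { $GraphSP.OAuth2Permissions } else { $GraphSP.AppRoles }
    $match = @($source | Where-Object { $_.Value -eq $Name })
    if ($match.Count -ne 1) {
        throw "Permission '$Name' of type $Type not found (or ambiguous) on Microsoft Graph."
    }
    [PSCustomObject]@{
        Value = $match[0].Value
        Id    = $match[0].Id
        Type  = $Type
    }
}

$resolved = @()
$resolved += $Delegated   | ForEach-Object { Resolve-GraphPermission -Name $_ -Type "Scope" }
$resolved += $Application | ForEach-Object { Resolve-GraphPermission -Name $_ -Type "Role" }

# Show exactly what will be requested; check this list against least privilege before applying it.
$resolved | Format-Table Value, Type, Id -AutoSize

# Build the RequiredResourceAccess entry for Microsoft Graph.
$required = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$required.ResourceAppId  = $GraphAppId
$required.ResourceAccess = @(foreach ($p in $resolved) {
    $access = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess"
    $access.Id   = $p.Id    # the Permission Role ID
    $access.Type = $p.Type  # "Scope" or "Role"
    $access
})

if ($ApplicationObjectId) {
    # Replaces the app's current required permissions with exactly this set;
    # admin consent still has to be granted separately for Admin-type permissions.
    Set-AzureADApplication -ObjectId $ApplicationObjectId -RequiredResourceAccess @($required)
}
```

Because the script fails on any name it cannot resolve and prints the resolved set before touching the app registration, a typo in a permission name cannot silently end up as a missing or wrong permission, and the printed table doubles as a record of what was requested.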
