I was trying to get only a few scopes/oauthPermissions from Microsoft Graph, and I am able to get the specific permissions only using this code:
# Application permissions (app roles) we want to look up on Microsoft Graph
$appPerms = @()
$appPerms += "AttackSimulation.Read.All"
$appPerms += "Acronym.Read.All"
$appPerms += "ReportSettings.ReadWrite.All"
# Locate the Microsoft Graph service principal and keep only the matching app roles
$msGraphService = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
#Write-Host $msGraphService.AppRoles
$permissions = $msGraphService.AppRoles.Where({$_.Value -in $appPerms})
But I need this using an Azure CLI command. I have tried something like this, but it didn't work.
$permissionIds = az ad sp list --filter "displayName eq 'Microsoft Graph'" --query '[].oauth2Permissions[?value=="openid,email"].{Value:value, Id:id, UserConsentDisplayName:userConsentDisplayName}' -o table
Write-Host $permissionIds
Is there any way to get only 2 or more specific oauth2Permissions using Azure CLI?
Edit
I am able to get a single permission using this command.
$userRead = az ad sp show --id $graphId --query "oauth2Permissions[?value=='User.Read'].id | [0]"
How can I use it for returning multiple ids?
After 2 days of brainstorming I found one workaround. With this I am able to reduce the multiple calls to Azure like this:
$userRead = az ad sp show --id $graphId --query "oauth2Permissions[?value=='User.Read'].id | [0]"
$email = az ad sp show --id $graphId --query "oauth2Permissions[?value=='email'].id | [0]"
$profile = az ad sp show --id $graphId --query "oauth2Permissions[?value=='profile'].id | [0]"
Instead of adding the above call multiple times, I tried something like this.
Steps I followed:
1. Fetch the graph id ($GraphAppId)
2. Saved all the oauth2Permissions in JSON format to a variable
3. From the result I collected the required
# 1. appId of the Microsoft Graph service principal (tsv output gives the bare value)
$GraphAppId = az ad sp list --query '[?appDisplayName==''Microsoft Graph''].appId' -o tsv --all
# 2. One call: every delegated scope as {Value, Id}, parsed into PowerShell objects
$permissionIds = az ad sp show --id $GraphAppId --query "oauth2Permissions[].{Value : value, Id:id}" | ConvertFrom-Json
# 3. Pick the ids of the scopes we need locally, without further calls to Azure
$permissionIds.Where{ $_.Value -eq 'email' }.id
$permissionIds.Where{ $_.Value -eq 'profile' }.id
Now I don't need to call multiple times to get the required scopes/permission ids.
And the output would be:
64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0
14dad69e-099b-42c9-810b-d002981feec1
Please share if there are more elegant ways than this.
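As an added example (not code from the question or the answer above), the same lookup can be done in a single az call by filtering with a JMESPath contains() over the wanted scope names; it assumes $GraphAppId was obtained as in the answer, and the function name Get-GraphScopeIds is my own. It also fails loudly when a requested scope name does not exist, since a typo would otherwise just disappear from the filtered result.

```powershell
# Added example: one az call returning the ids of several delegated scopes.
# Assumes $GraphAppId holds the Microsoft Graph appId as in the answer above.
# Note: Azure CLI 2.37+ (Microsoft Graph backed) names the scope list
# oauth2PermissionScopes instead of oauth2Permissions; pass -Field for that.
function Get-GraphScopeIds {
    param(
        [Parameter(Mandatory)] [string]   $GraphAppId,
        [Parameter(Mandatory)] [string[]] $Scopes,
        [string] $Field = 'oauth2Permissions'
    )

    # Build a JMESPath multi-select list such as ['User.Read','email','profile']
    # and use it as the haystack for contains(), matching each scope's value.
    $list  = "[" + (($Scopes | ForEach-Object { "'$_'" }) -join ',') + "]"
    $query = "${Field}[?contains($list, value)].{Value:value, Id:id}"

    $found = az ad sp show --id $GraphAppId --query $query -o json | ConvertFrom-Json

    $ids = @{}
    foreach ($p in $found) { $ids[$p.Value] = $p.Id }

    # A scope that does not exist (misspelt, or an application permission
    # named by mistake) silently drops out of the filter; treat that as an error.
    $missing = $Scopes | Where-Object { -not $ids.ContainsKey($_) }
    if ($missing) {
        throw "Scopes not found on Microsoft Graph: $($missing -join ', ')"
    }
    return $ids
}

# Usage: one round trip instead of one per scope
$ids = Get-GraphScopeIds -GraphAppId $GraphAppId -Scopes @('User.Read', 'email', 'profile')
$ids['email']
$ids['profile']
```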