MS Graph Permissions for Adding a OAuth Client Secret are Too Broad
I am following the example on this page to use powershell to create a client secret for my Azure AD application: https://o365info.com/create-unlimited-client-secret/
It starts out with this command:
Connect-MgGraph -Scopes 'Application.ReadWrite.All'
This gives me a login window that is requesting permissions to read and write to ALL applications.
I don't have permissions to (nor do I want permissions to) all of my companies applications. I just need to add a client secret to the one application that I have permissions for.
So I figure, "fine, I will find the way to just request the scope for my one application." But when I look up the help for my command (Add-MgApplicationPassword), both of the examples also ask for Application.ReadWrite.All.
It seems crazy that the only way I can modify one application is if I am granted permissions to modify ALL applications in my company's Azure Active Directory.
How can I call Add-MgApplicationPassword, but only have permissions to one application?
(NOTE: I can add these via the UI, but I need to be able to automate it via PowerShell.)
Note that: Microsoft Graph API permissions cannot be restricted to one application as it is granted for the entire tenant.
I agree with @junnas, as a workaround you can make use of Application API permissions "Application.ReadWrite.OwnedBy" to connect to MgGraph with application context.
- By granting
Application.ReadWrite.OwnedBypermission it allows to manage apps that this application creates or owns. - By this API permission, it can create the applications and fully manage those applications (read, update, update application secrets and delete).
- But it will not be able to update the applications that it is not an owner of.
I created an Azure AD Application and API permission like below:
Using the above application, I created another application:
https://login.microsoftonline.com/TenanTID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:https://graph.microsoft.com/.default
grant_type:client_credentials
I created the new application successfully:
POST https://graph.microsoft.com/v1.0/applications
Content-type : application/json
{
"displayName": "ClientSecretApp"
}
I used the below PowerShell script to add password to the application:
$ApplicationId = "ClientID"
$tenantID = "TenantID"
Connect-MgGraph -ClientId $ApplicationId -TenantId $tenantID -CertificateThumbprint "Thumbprint"
$passwordCred = @{
displayName = 'testsecret'
endDateTime = (Get-Date).AddMonths(6)
}
$secret = Add-MgApplicationPassword -ApplicationId $ObjectIDoftheOwnedApplication -PasswordCredential $passwordCred
$secret | Format-List
The Client Secret got created:
In Azure Portal:
Now, when I passed the ObjectID of the other application which is not owned, I got the error like below:
References:
azure - Microsoft Graph to access only a specific set of users, not all - Stack Overflow by Hury Shen
Limit permissions to update a single Azure AD group via API - Microsoft Q&A by ShivaniRai-MSFT
- How to configure backend application on Container Apps
- WebJob is stopping due to website shutting down
- Azure SQL trigger for Functions configuration problem
- Does azure blob storage support http2?
- Azure Pronunciation Assessment Could not deserialize speech context error
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- How do I Parse FormData containing a audio file in AZ function app in 2025
- Not able to delete Public IP address in azure
- Azure Devops Apple App Store Release.Missing value for the attribute 'whatsNew'
- Azure Storage accounts container public access level has dissabled
- Issue with adding delegated Graph API permission to Enterprise app with Terraform
- Getting an error when using the Flexible File Destination Task in Visual Studio 2022 SSIS
- Problem with Azure Email Communication Service Custom Domain
- How to refresh client assertion in ConfidentialClientApplication?
- Using Microsoft Graph Explorer (we have code too) we can GET All Subscriptions, but GET one by ID gives access error
- Invalid operands found for operator -eq
- nginx - php-fpm - azure container app returns truncated pages
- Adding custom headers to Azure Functions response
- Azure Queue Trigger is hit but not executing the logic inside of it
- az cli not showing redisenterprise keys
- Enforce MFA for specific API called from SPFx via AADTokenProvider (Even with SPO MFA)
- Azure Devops Server Pipelines: Any way to have a Stage result as "Succeeded" even if a constituent Job reported "SucceededWithIssues"?
- YAML strings including special characters % and & were not printed correctly for Windows environment
- Azure function returns error: No job functions found. Try making your job classes and methods public
- How to view Oldest Query results in Azure Monitor Metrics for an Azure PostgreSQL Flex Server instance
- Authenticate to Azure with certificate from Linux
- What are the minimum Azure permissions required to publish a Power BI report using "App Owns the Data"?
- How to report an Azure Text-to-Speech bug?
- Refresh an Azure search index
- Best way to clean up resources in StatefulService