I'm trying to retrieve the API Permissions assigned to a Service Principal using the Microsoft Graph SDK for PowerShell. I tried using the below command:
Get-MgServicePrincipalOAuth2PermissionGrant -ServicePrincipalId <Id>
However, it doesn't provide all the API Permissions. Could someone help with this?
Thanks, Praveen
Granted API permissions to the Service principal like below:
I agree with @user2250152; to get delegated permissions, make use of the below command:
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId <Id>
To get Application permissions, make use of the below command:
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId <Id>
UPDATE:
To get the application permission claim, use the below script:
Connect-MgGraph -Scopes "Application.Read.All"
# App registration(s) whose required permissions we want to list
$Apps = Get-MgApplication | Where-Object { $_.DisplayName -eq "RukApp" }
# Collect every app role (application permission) published by any service principal,
# so that a RequiredResourceAccess role Id can be mapped back to its claim value
$ServicePrincipals = Get-MgServicePrincipal -All
$RolesList = @()
foreach ($sp in $ServicePrincipals) {
    $RolesList += $sp.AppRoles
}
$Data = @()
foreach ($App in $Apps) {
    foreach ($Access in $App.RequiredResourceAccess) {
        foreach ($Permission in $Access.ResourceAccess) {
            $PermissionName = $null
            # Type 'Role' is an application permission; 'Scope' (delegated) is not resolved here
            if ($Permission.Type -eq 'Role') {
                $PermissionName = ($RolesList | Where-Object { $_.Id -eq $Permission.Id }).Value
            }
            if ($PermissionName) {
                $Data += [PSCustomObject]@{
                    'Application Display Name' = $App.DisplayName
                    'Permission Type'          = $Permission.Type
                    'Permission Value'         = $PermissionName
                }
            }
        }
    }
}
$Data | Format-Table -AutoSize
To check the application API permission name, refer to the below:
c# - Microsoft Graph API - Get users with specified app roles - Stack Overflow
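The two cmdlets above return raw IDs (a space-separated Scope string for delegated grants, an AppRoleId for application grants). The following function, added here as an example and not part of the original answer, combines both calls for one service principal and resolves each ID into the resource name and permission claim, which is the view you want when auditing what a service principal can actually do. It assumes the Microsoft.Graph module is installed and that the caller can consent to the read-only scopes listed at the bottom; the function name and output column names are my own.

```powershell
# Added example (not from the original answer): list every permission granted to one
# service principal, resolving IDs into readable resource and permission names.
function Get-ServicePrincipalGrantedPermissions {
    param(
        [Parameter(Mandatory)]
        [string]$ServicePrincipalId
    )

    $results = @()
    # Cache resource service principals so each one is fetched only once
    $resourceCache = @{}
    function Resolve-Resource([string]$Id) {
        if (-not $resourceCache.ContainsKey($Id)) {
            $resourceCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id
        }
        return $resourceCache[$Id]
    }

    # Delegated permissions: one OAuth2PermissionGrant per (resource, consent) pair,
    # with the granted scopes packed into a single space-separated string.
    $grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $ServicePrincipalId -All
    foreach ($grant in $grants) {
        $resource = Resolve-Resource $grant.ResourceId
        foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
            $results += [PSCustomObject]@{
                PermissionType = 'Delegated'
                Resource       = $resource.DisplayName
                Permission     = $scope
                # 'AllPrincipals' = admin consent for the whole tenant;
                # 'Principal' = consent by a single user (see PrincipalId on the grant)
                ConsentType    = $grant.ConsentType
            }
        }
    }

    # Application permissions: AppRoleAssignment.AppRoleId refers to an AppRole defined
    # on the resource service principal, so it is resolved against that resource's AppRoles.
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId -All
    foreach ($assignment in $assignments) {
        $resource = Resolve-Resource $assignment.ResourceId
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        $results += [PSCustomObject]@{
            PermissionType = 'Application'
            Resource       = $assignment.ResourceDisplayName
            # Fall back to the raw Id if the role is no longer published by the resource
            Permission     = if ($role) { $role.Value } else { "<unresolved AppRoleId $($assignment.AppRoleId)>" }
            ConsentType    = 'AllPrincipals'   # application permissions always require admin consent
        }
    }

    return $results
}

# Usage: read-only scopes are enough to enumerate grants; <Id> is the service principal's object Id.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"
Get-ServicePrincipalGrantedPermissions -ServicePrincipalId "<Id>" |
    Sort-Object PermissionType, Resource, Permission |
    Format-Table -AutoSize
```

Note that this reports permissions that have been granted to the service principal, whereas the script in the answer's update reads RequiredResourceAccess on the app registration, which is only what the application requests; the two lists differ whenever consent has not been given for every requested permission or extra permissions were granted directly to the service principal.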