Grant admin consent for app registration API permission
i create a new app registration via MgGraph Powershell Module, for example:
$appName = "Test"
$APIResourceID = "00000003-0000-0000-c000-000000000000"
$APIResourceAccess = @{
Id="5ac13192-7ace-4fcf-b828-1a26f28068ee"
Type="Role"
}
$app = New-MgApplication -DisplayName $appName `
-PasswordCredentials @{ displayName="Secret Name" } `
-RequiredResourceAccess @{ ResourceAppId=$APIResourceID; ResourceAccess=@($APIResourceAccess) }
This works, i get an app registration with the API permission "DeviceManagementServiceConfig.ReadWrite.All" but it still requires the admin consent within Entra ID. I know that there is a way to grant the admin consent via Powershell within the Azure Module "az ad app permission admin-consent --id $app.id" but i'd like to stay within MgGraph. I searched a lot, but cant find a way to grant the admin consent with MgGraph, is it just noch possible yet?
checked the documentations but found only ways to grant delegated permissions or application permissions with MgServicePrincipal
To grant admin consent to the Application permissions, check the below:
Create the Service principal after creating the application:
New-MgServicePrincipal -AppId <AppIDofappinappregisterationblade>
Now make use of below script to grant admin consent to the Application permissions:
$params = @{
principalId = "SPObjID"
resourceId = "MicrosoftGraphResourceID"
appRoleId = "APIpermissionID"
}
New-MgServicePrincipalAppRoleAssignedTo -principalId <servicePrincipalId> -BodyParameter $params
To get the values refer below and check this SO Thread by me:
Go to Enterprise application of the application you created:
Copy ObjectID of Enterprise application and pass in it in principalId and principalId values.
The resourceId is the Microsoft Graph Resource ID:
Remove the filters in Enterprise applications blade and search
References:
Grant tenant-wide admin consent to an application type permissions - Microsoft Entra ID | Microsoft
- How and where to define an environment variable on Azure
- Azure Data Factory - Unable to preview data
- Azure yaml trigger pipeline every 14 days on a Saturday
- Diagnostic setting not included in Azure Portal ARM template export
- How do I read the original pdf file in set indexer datasource in a custom WebApiSkill after enabling "Allow Skillset to read file data"
- How do I store vectors generated by AzureOpenAIEmbeddingSkill in indexer given my current setup
- Authenticating using the Azure CLI is only supported as a User (not a Service Principal)
- Azure Function App - frequent hang and deadlocks
- Sign Tool for Azure Trusted Service Account Error information: "Error: SignerSign() failed." (-2147467259/0x80004005)
- How to convert the premium file share to premium block blob storage account or standard general purpose v2 storage account?
- How to generate an azure blob url with SAS signature in nodejs sdk v12?
- How to Assign Role to New User with Graph API
- Directory disappears from azure cloud shell (home)
- Application Insights Logging Exceptions as Trace
- Issue with Azure key vault and Azure storage account deployment
- AddDataProtection().PersistKeysToAzureBlobStorage().ProtectKeysWithAzureKeyVault() getting httpVerb Error while accessing the blob storage
- temporary_name_for_rotation must be specified when changing any of the following properties: pod_subnet_id
- Native Node.js Metrics in Application Insights
- Azure Key Vault Disabled public access, how to access it through the portal via internet
- Using Google.Cloud.BigQuery.V2 API in Azure Functions
- Azure Functions no job found (python)
- Azure Machine Learning - Online Endpoint Schedule/Cost management
- Is it possible to read File from same folder where Azure function exists
- Make WAF policy to only allow Azure Load Testing or Azure Services
- port 7071 is unavailable. Close the process using that port, or specify another port using --port [-p]
- Azure - RBAC to Management Group
- Why is AVD remove client's maximize to current display option grayed out?
- Azure get EID List with API
- Synchronise Azure files to blob store
- trigger logic app from Azure Service bus in sequance