How to grant to registered app admin consent in 'API Permissions'.

Oleg Tserkovnyuk 541 Reputation points
2022-12-05T15:53:54.41+00:00

Hello,

Using PS and the Graph API I create a new app registration and grant the app 'API Permissions' of type 'Application permissions'. But these permissions require clicking 'Grant admin consent for $TenantName' in the UI.
I am looking for a way to automate this using PS.
I checked 'Network' in my browser while clicking 'Grant admin consent for $TenantName' in the UI, but unfortunately it calls 'https://graph.windows.net/myorganization/consentToApp?api-version=2.0', which cannot be accessed using the Graph API.
I googled and found a few articles about admin consent, but could not find a way to do this for API permissions.
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent?pivots=ms-graph
https://learn.microsoft.com/en-us/graph/api/resources/oauth2permissiongrant?view=graph-rest-1.0

Microsoft Entra ID

Accepted answer
  1. JamesTran-MSFT 36,376 Reputation points Microsoft Employee
    2022-12-15T22:45:49.947+00:00

    @Oleg Tserkovnyuk
    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue:

    • Using PowerShell and the Graph API you created a new app registration.
    • When Granting Admin Consent for API Permissions for your tenant, this required going through the Azure Portal UI.
    • You're looking for a way to automate granting admin consent using PowerShell and haven't found a way to do this for API permissions.

    Solution:

    Using the below PowerShell script, you were able to resolve your issue.

      $AppServicePrincipalId = (Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq $AppDisplayName }).ObjectId
      $MSGraphServicePrincipalObjectId = (Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq 'Microsoft Graph' }).ObjectId
      # Microsoft Graph permissions IDs https://learn.microsoft.com/en-us/graph/permissions-reference
      # `$ keeps PowerShell from expanding $filter and $select as variables inside the double-quoted URI
      $AppRolesId = ((Invoke-MgGraphRequest -Uri "/v1.0/servicePrincipals?`$filter=displayName eq 'Microsoft Graph'&`$select=id,displayName,appId,appRoles" -Method GET).value.appRoles)
      $UserReadAll = ($AppRolesId | Where-Object { $_.value -eq 'User.Read.All' }).id
      $param = @{
          "PrincipalId" = "$AppServicePrincipalId"
          "ResourceId"  = "$MSGraphServicePrincipalObjectId"
          "AppRoleId"   = "$UserReadAll"
      }

      New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId "$MSGraphServicePrincipalObjectId" -BodyParameter $param


    If you have any other questions, please let me know.
    Thank you again for your time and patience throughout this issue.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


3 additional answers

  1. Vasil Michev 95,671 Reputation points MVP
    2022-12-05T17:35:27.183+00:00

    Admin consent equals creating a new oauth2permissiongrant for the AllPrincipals entry. So follow the steps here: https://learn.microsoft.com/en-us/graph/api/oauth2permissiongrant-post?view=graph-rest-1.0&tabs=http
    If you want to do it via the MG module, use the New-MgOauth2PermissionGrant cmdlet.


  2. Oleg Tserkovnyuk 541 Reputation points
    2022-12-15T08:47:15.92+00:00

    Answering my own question:

    $AppServicePrincipalId = (Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq $AppDisplayName }).ObjectId
    $MSGraphServicePrincipalObjectId = (Get-AzureADServicePrincipal -All $true | Where-Object { $_.DisplayName -eq 'Microsoft Graph' }).ObjectId
    # Microsoft Graph permissions IDs https://learn.microsoft.com/en-us/graph/permissions-reference
    $AppRolesId = ((Invoke-MgGraphRequest -Uri "/v1.0/servicePrincipals?`$filter=displayName eq 'Microsoft Graph'&`$select=id,displayName,appId,appRoles" -Method GET).value.appRoles)
    $UserReadAll = ($AppRolesId | Where-Object { $_.value -eq 'User.Read.All' }).id

    $param = @{
        "PrincipalId" = "$AppServicePrincipalId"
        "ResourceId"  = "$MSGraphServicePrincipalObjectId"
        "AppRoleId"   = "$UserReadAll"
    }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId "$MSGraphServicePrincipalObjectId" -BodyParameter $param

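The two mechanisms discussed in this thread are distinct: application permissions are granted by creating an appRoleAssignment on the app's service principal (the script above), while delegated permissions are consented tenant-wide by creating an oauth2PermissionGrant with consentType AllPrincipals (Vasil Michev's answer). The script below is an added example, not code from the thread or from Microsoft, that does both in one idempotent pass using only the Microsoft Graph PowerShell SDK, so the AzureAD module is not needed. It assumes the SDK is installed and that the caller holds the scopes named in Connect-MgGraph. The Microsoft Graph appId 00000003-0000-0000-c000-000000000000 is the real well-known value; the parameter names ($ClientAppId, $ApplicationPermissions, $DelegatedPermissions) are the example's own. It deliberately looks the app up by appId rather than display name: display names are not unique in a tenant, and a lookup by name could attach tenant-wide permissions to a different service principal than intended. It also checks that each requested permission actually exists on Microsoft Graph's service principal before granting it.

```powershell
# Added example (not from the original thread): grant tenant-wide consent to an
# app registration's Microsoft Graph permissions with the Graph PowerShell SDK.
# Assumptions: Microsoft.Graph module installed; caller holds the scopes below.
param(
    # appId (client ID) of the registration. Display names are not unique in a
    # tenant, so the app is resolved by appId only.
    [Parameter(Mandatory)] [string] $ClientAppId,
    # Application permissions to grant, e.g. 'User.Read.All'
    [string[]] $ApplicationPermissions = @(),
    # Delegated permissions to consent on behalf of all users, e.g. 'User.Read'
    [string[]] $DelegatedPermissions = @()
)

Connect-MgGraph -Scopes 'Application.Read.All',
                        'AppRoleAssignment.ReadWrite.All',
                        'DelegatedPermissionGrant.ReadWrite.All'

$GraphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'"
$clientSp = Get-MgServicePrincipal -Filter "appId eq '$ClientAppId'"
if (-not $clientSp) {
    throw "No service principal for appId $ClientAppId; create one with New-MgServicePrincipal first."
}

# --- Application permissions: one appRoleAssignment per permission ---
$existing = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id -All
foreach ($perm in $ApplicationPermissions) {
    # The role must be one Microsoft Graph actually exposes; refuse unknown names
    $role = $graphSp.AppRoles | Where-Object { $_.Value -eq $perm -and $_.IsEnabled }
    if (-not $role) { throw "Microsoft Graph exposes no application permission named '$perm'." }

    $already = $existing | Where-Object { $_.AppRoleId -eq $role.Id -and $_.ResourceId -eq $graphSp.Id }
    if ($already) { Write-Host "Already granted: $perm"; continue }

    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id `
        -PrincipalId $clientSp.Id -ResourceId $graphSp.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Granted application permission: $perm"
}

# --- Delegated permissions: a single oauth2PermissionGrant with ConsentType AllPrincipals ---
if ($DelegatedPermissions.Count -gt 0) {
    $valid   = $graphSp.Oauth2PermissionScopes | Where-Object IsEnabled | Select-Object -ExpandProperty Value
    $unknown = $DelegatedPermissions | Where-Object { $_ -notin $valid }
    if ($unknown) { throw "Unknown delegated permission(s): $($unknown -join ', ')" }

    $grant = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientSp.Id)' and consentType eq 'AllPrincipals' and resourceId eq '$($graphSp.Id)'"
    if ($grant) {
        # A client/resource pair may hold only one AllPrincipals grant: merge scopes into it
        $merged = ((($grant.Scope -split ' ') + $DelegatedPermissions) | Where-Object { $_ } | Sort-Object -Unique) -join ' '
        Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope $merged
    } else {
        New-MgOauth2PermissionGrant -ClientId $clientSp.Id -ConsentType 'AllPrincipals' `
            -ResourceId $graphSp.Id -Scope ($DelegatedPermissions -join ' ') | Out-Null
    }
    Write-Host "Delegated consent for all users: $($DelegatedPermissions -join ' ')"
}

# Verification: print the application permissions the client now holds on Microsoft Graph
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id -All |
    Where-Object ResourceId -eq $graphSp.Id |
    ForEach-Object { ($graphSp.AppRoles | Where-Object Id -eq $_.AppRoleId).Value }
```

Run it as `.\Grant-AppConsent.ps1 -ClientAppId <appId> -ApplicationPermissions User.Read.All -DelegatedPermissions User.Read` (script name assumed). The interactive Connect-MgGraph call can be replaced by certificate-based app-only sign-in (`Connect-MgGraph -ClientId <automation appId> -TenantId <tenantId> -CertificateThumbprint <thumbprint>`), in which case the automation identity itself must hold AppRoleAssignment.ReadWrite.All and DelegatedPermissionGrant.ReadWrite.All as application permissions. Those two permissions let an identity grant any Graph permission to any app in the tenant, so keep that identity's certificate in a vault, restrict who can run the pipeline, and monitor the "Add app role assignment to service principal" and "Consent to application" audit-log activities for assignments the pipeline did not make.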

  3. Maqsood Ali Bhatti 1 Reputation point
    2023-03-09T12:13:51.6766667+00:00

    @Oleg Tserkovnyuk I think that to run this cmdlet you need to log in via the browser first with azuread-connect using interactive logon, isn't that right?

    We have a service principal for Azure AD and we want to automate admin consent for this using the service principal. Does anyone know if this will work with a service principal?
