Why, when I upload an API permission via PowerShell to Azure AD, do I get only the Id?

Lorenzo Cacciola 1 Reputation point
2022-03-31T08:13:43.733+00:00

I'm trying to upload some API permissions to my app registration in Azure, but I don't get why the process works for some and not for others.


$svcGraph = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }  
  
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"  
$Graph.ResourceAppId = $svcGraph.AppId  
  
$delPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "df021288-bdef-4463-88db-98f22de89214","Scope"  
  
$delPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d","Scope"  
  
$Graph.ResourceAccess = $delPermission1, $delPermission2  
  
Set-AzureADApplication -ObjectId $MyAppObjectId -RequiredResourceAccess $Graph  

User.Read (delPermission2) works, but User.Read.All (delPermission1) doesn't, and I don't understand why.

I tried multiple permissions, but only User.Read worked. Here are the IDs and values:

741f803b-c850-494e-b5df-cde7c675a1ca User.ReadWrite.All

83cded22-8297-4ff6-a7fa-e97e9545a259 Presence.ReadWrite.All

810c84a8-4a9e-49e6-bf7d-12d183f40d01 Mail.Read


2 answers

  1. 2022-04-01T04:51:47.113+00:00

    Hi @Lorenzo Cacciola, can you please check whether you are using the correct IDs for the permissions you are uploading via PowerShell to Azure AD?
    Please refer to this document to learn how to assign more permissions to Azure AD via PowerShell.


  2. Limitless Technology 39,336 Reputation points
    2022-04-06T11:02:40.99+00:00

    Hi @Lorenzo Cacciola

    You might need to have a look at the Microsoft Graph permissions reference. If only the Id is visible, it might be due to the different access scenarios on the Group resource.

    As a best practice, request the least privileged permissions that your app needs in order to access data and function correctly. Requesting permissions with more than the necessary privileges is poor security practice, which may cause users to refrain from consenting and affect your app's usage.

    The article below shows the permissions that an app needs to be able to perform specific operations required by the scenario. Note that in some cases the ability of the app to perform specific operations will depend on whether the permission is an application or delegated permission.

    https://learn.microsoft.com/en-us/graph/permissions-reference

    Hope this resolves your query!

    --
    --If the reply is helpful, please Upvote and Accept it as an answer–
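
An added example, not part of the thread and not Microsoft's code, for the application-versus-delegated distinction raised in the second answer: it looks each permission ID up on the resource service principal (delegated permissions are listed under Oauth2Permissions, application permissions under AppRoles) and derives "Scope" or "Role" from where the ID is found, instead of hard-coding the type. The function names are hypothetical and the stand-in service principal is constructed for an offline run; the placement of the question's two IDs in it follows the Microsoft Graph permissions reference.

```powershell
# Added example: resolve each ID to its permission name and ResourceAccess type.
function Resolve-ResourceAccessType {
    param(
        [Parameter(Mandatory)] $ServicePrincipal,   # needs AppRoles and Oauth2Permissions
        [Parameter(Mandatory)] [string[]] $PermissionId
    )
    foreach ($id in $PermissionId) {
        $scope = @($ServicePrincipal.Oauth2Permissions | Where-Object { $_.Id -eq $id })
        $role  = @($ServicePrincipal.AppRoles | Where-Object { $_.Id -eq $id })
        if ($scope.Count -gt 0) {
            [pscustomobject]@{ Id = $id; Value = $scope[0].Value; Type = 'Scope' }
        } elseif ($role.Count -gt 0) {
            [pscustomobject]@{ Id = $id; Value = $role[0].Value; Type = 'Role' }
        } else {
            # Fail loudly rather than register an ID the portal cannot name.
            throw "Permission id $id is not exposed by $($ServicePrincipal.DisplayName)"
        }
    }
}

# Builds the RequiredResourceAccess object; requires the AzureAD module for the
# Microsoft.Open.AzureAD.Model types used in the question.
function New-RequiredResourceAccess {
    param(
        [Parameter(Mandatory)] $ServicePrincipal,
        [Parameter(Mandatory)] [string[]] $PermissionId
    )
    $rra = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
    $rra.ResourceAppId = $ServicePrincipal.AppId
    $rra.ResourceAccess = @(
        Resolve-ResourceAccessType -ServicePrincipal $ServicePrincipal -PermissionId $PermissionId |
            ForEach-Object {
                New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $_.Id, $_.Type
            }
    )
    $rra
}

# Constructed stand-in for the Microsoft Graph service principal (offline demo only).
$sample = [pscustomobject]@{
    DisplayName       = 'Microsoft Graph'
    AppId             = '00000003-0000-0000-c000-000000000000'
    Oauth2Permissions = @([pscustomobject]@{ Id = 'e1fe6dd8-ba31-4d61-89e7-88639da4683d'; Value = 'User.Read' })
    AppRoles          = @([pscustomobject]@{ Id = 'df021288-bdef-4463-88db-98f22de89214'; Value = 'User.Read.All' })
}
Resolve-ResourceAccessType -ServicePrincipal $sample -PermissionId $sample.Oauth2Permissions.Id, $sample.AppRoles.Id
```

On a live tenant, pass the object returned by Get-AzureADServicePrincipal for Microsoft Graph to New-RequiredResourceAccess and hand the result to Set-AzureADApplication -RequiredResourceAccess, as in the question's script. An ID that resolves to Role is an application permission, which acts without a signed-in user and requires admin consent, so it deserves the least-privilege review the second answer recommends.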
