az ad app permission
Manage an application's OAuth2 permissions.

Name | Description | Type | Status |
---|---|---|---|
az ad app permission add | Add an API permission. | Core | GA |
az ad app permission admin-consent | Grant Application & Delegated permissions through admin-consent. | Core | GA |
az ad app permission delete | Remove an API permission. | Core | GA |
az ad app permission grant | Grant the app API Delegated permissions. | Core | GA |
az ad app permission list | List API permissions the application has requested. | Core | GA |
az ad app permission list-grants | List OAuth2 permission grants. | Core | GA |
az ad app permission add
Add an API permission.

Invoking "az ad app permission grant" is needed to activate it.

To get the available permissions of the resource app, run `az ad sp show --id <resource-appId>`. For example, to get the available permissions for the Microsoft Graph API, run `az ad sp show --id 00000003-0000-0000-c000-000000000000`. Application permissions, listed under the `appRoles` property, correspond to `Role` in --api-permissions. Delegated permissions, listed under the `oauth2Permissions` property, correspond to `Scope` in --api-permissions.

For details on Microsoft Graph permissions, see https://learn.microsoft.com/graph/permissions-reference.

az ad app permission add --api
                         --api-permissions
                         --id

Examples

Add Microsoft Graph delegated permission User.Read
az ad app permission add --id {appId} --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope

Add Microsoft Graph application permission Application.ReadWrite.All
az ad app permission add --id {appId} --api 00000003-0000-0000-c000-000000000000 --api-permissions 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9=Role

Required Parameters

--api
RequiredResourceAccess.resourceAppId - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.

--api-permissions
Space-separated list of {id}={type}. {id} is resourceAccess.id - the unique identifier for one of the oauth2PermissionScopes or appRole instances that the resource application exposes. {type} is resourceAccess.type - specifies whether the id property references an oauth2PermissionScopes or an appRole. The possible values are: Scope (for OAuth 2.0 permission scopes) or Role (for app roles).

--id
Identifier uri, application id, or object id.
Global Parameters

--debug
Increase logging verbosity to show all debug logs.

--help -h
Show this help message and exit.

--only-show-errors
Only show errors, suppressing warnings.

--output -o
Output format.

--query
JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription
Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.

--verbose
Increase logging verbosity. Use --debug for full debug logs.
az ad app permission admin-consent
Grant Application & Delegated permissions through admin-consent.

You must log in as a global administrator.

az ad app permission admin-consent --id

Examples

Grant Application & Delegated permissions through admin-consent. (autogenerated)
az ad app permission admin-consent --id 00000000-0000-0000-0000-000000000000

Required Parameters

--id
Identifier uri, application id, or object id.
az ad app permission delete
Remove an API permission.

az ad app permission delete --api
                            --id
                            [--api-permissions]

Examples

Remove Microsoft Graph permissions.
az ad app permission delete --id eeba0b46-78e5-4a1a-a1aa-cafe6c123456 --api 00000003-0000-0000-c000-000000000000

Remove Microsoft Graph delegated permission User.Read
az ad app permission delete --id eeba0b46-78e5-4a1a-a1aa-cafe6c123456 --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d

Required Parameters

--api
RequiredResourceAccess.resourceAppId - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.

--id
Identifier uri, application id, or object id.

Optional Parameters

--api-permissions
Specify ResourceAccess.id - the unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes. Space-separated list of <resource-access-id>.
az ad app permission grant
Grant the app API Delegated permissions.

A service principal must exist for the app when running this command. To create a corresponding service principal, use `az ad sp create --id {appId}`.

For Application permissions, please use "ad app permission admin-consent".

az ad app permission grant --api
                           --id
                           --scope
                           [--consent-type {AllPrincipals, Principal}]
                           [--principal-id]

Examples

Grant a native application permissions to access an existing API with a TTL of 2 years
az ad app permission grant --id e042ec79-34cd-498f-9d9f-1234234 --api a0322f79-57df-498f-9d9f-12678 --scope Directory.Read.All

Required Parameters

--api
The id of the resource service principal to which access is authorized. This identifies the API which the client is authorized to attempt to call on behalf of a signed-in user.

--id
The id of the client service principal for the application which is authorized to act on behalf of a signed-in user when accessing an API.

--scope
A space-separated list of the claim values for delegated permissions which should be included in access tokens for the resource application (the API). For example, openid User.Read GroupMember.Read.All. Each claim value should match the value field of one of the delegated permissions defined by the API, listed in the oauth2PermissionScopes property of the resource service principal.

Optional Parameters

--consent-type
Indicates whether authorization is granted for the client application to impersonate all users or only a specific user. 'AllPrincipals' indicates authorization to impersonate all users. 'Principal' indicates authorization to impersonate a specific user. Consent on behalf of all users can be granted by an administrator. Non-admin users may be authorized to consent on behalf of themselves in some cases, for some delegated permissions.

--principal-id
The id of the user on behalf of whom the client is authorized to access the resource, when consentType is 'Principal'. If consentType is 'AllPrincipals' this value is null. Required when consentType is 'Principal'.
az ad app permission list
List API permissions the application has requested.

az ad app permission list --id

Examples

List the OAuth2 permissions for an application.
az ad app permission list --id e042ec79-34cd-498f-9d9f-1234234

Required Parameters

--id
Identifier uri, application id, or object id of the associated application.
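The lookup-then-activate workflow described under `add`, `grant` and `list` above, carried through in Python as an added example (not Azure CLI code): it resolves permission names from a resource service principal's `appRoles` and `oauth2PermissionScopes` into the `{id}=Scope`/`{id}=Role` pairs that `add --api-permissions` takes, emits the `grant --scope` (delegated) or `admin-consent` (application) step, and decodes `az ad app permission list` output back into names so Role entries stand out in a review. It assumes a constructed, trimmed `az ad sp show` document holding only the two GUIDs quoted on this page, and that `grant --api` accepts the resource appId as well as the service principal id.

```python
# Added example, not Azure CLI code. RESOURCE_SP is a constructed, trimmed stand-in
# for `az ad sp show --id 00000003-0000-0000-c000-000000000000`; the two GUIDs are
# the ones quoted on this page, the real Graph service principal exposes many more.
RESOURCE_SP = {
    "appId": "00000003-0000-0000-c000-000000000000",
    # delegated permissions -> type "Scope" in --api-permissions
    "oauth2PermissionScopes": [
        {"id": "e1fe6dd8-ba31-4d61-89e7-88639da4683d", "value": "User.Read"}],
    # application permissions -> type "Role" in --api-permissions
    "appRoles": [
        {"id": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9", "value": "Application.ReadWrite.All"}],
}


def build_catalog(sp):
    """Map permission value -> (id, type) from a resource service principal."""
    catalog = {s["value"]: (s["id"], "Scope") for s in sp.get("oauth2PermissionScopes", [])}
    catalog.update({r["value"]: (r["id"], "Role") for r in sp.get("appRoles", [])})
    return catalog


def plan_permissions(sp, client_id, wanted):
    """Return the az commands that request `wanted` and then activate them:
    `grant --scope` for delegated (Scope) permissions, `admin-consent` when any
    application (Role) permission is present. Names the API does not expose raise."""
    catalog = build_catalog(sp)
    unknown = sorted(set(wanted) - set(catalog))
    if unknown:
        raise KeyError(f"{sp['appId']} does not expose {unknown}")
    pairs = " ".join(f"{catalog[w][0]}={catalog[w][1]}" for w in wanted)
    scopes = [w for w in wanted if catalog[w][1] == "Scope"]
    cmds = [f"az ad app permission add --id {client_id} --api {sp['appId']} "
            f"--api-permissions {pairs}"]
    if scopes:  # delegated: consent on behalf of users (AllPrincipals by default);
        # assumption: grant --api also accepts the resource appId, not only the SP id
        cmds.append(f"az ad app permission grant --id {client_id} --api {sp['appId']} "
                    f"--scope {' '.join(scopes)}")
    if len(scopes) < len(wanted):  # at least one Role: needs a global administrator
        cmds.append(f"az ad app permission admin-consent --id {client_id}")
    return cmds


def decode_requested(sp, required_resource_access):
    """Map `az ad app permission list` output back to names; Role entries are the
    application permissions to review first, unknown ids are kept rather than dropped."""
    by_id = {pid: (name, kind) for name, (pid, kind) in build_catalog(sp).items()}
    return [by_id.get(a["id"], ("(unknown)", a["type"]))
            for entry in required_resource_access if entry["resourceAppId"] == sp["appId"]
            for a in entry["resourceAccess"]]
```

Feeding the real `az ad sp show` JSON into `build_catalog` and the real `az ad app permission list` JSON into `decode_requested` gives a quick inventory of which requested permissions are application (Role) permissions and therefore only ever activated by a global administrator.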
az ad app permission list-grants
List OAuth2 permission grants.

az ad app permission list-grants [--filter]
                                 [--id]
                                 [--show-resource-name {false, true}]

Examples

List OAuth2 permissions granted to the service principal
az ad app permission list-grants --id e042ec79-34cd-498f-9d9f-1234234123456

Optional Parameters

--filter
OData filter, e.g. --filter "displayname eq 'test' and servicePrincipalType eq 'Application'".

--id
Identifier uri, application id, or object id.

--show-resource-name
Show the resource's display name.