az ad app permission
Manage an application's OAuth2 permissions.
Commands
| Name | Description | Type | Status |
|---|---|---|---|
| az ad app permission add |
Add an API permission. |
Core | GA |
| az ad app permission admin-consent |
Grant Application & Delegated permissions through admin-consent. |
Core | GA |
| az ad app permission delete |
Remove an API permission. |
Core | GA |
| az ad app permission grant |
Grant the app an API Delegated permissions. |
Core | GA |
| az ad app permission list |
List API permissions the application has requested. |
Core | GA |
| az ad app permission list-grants |
List Oauth2 permission grants. |
Core | GA |
az ad app permission add
Add an API permission.
Invoking "az ad app permission grant" is needed to activate it.
To get available permissions of the resource app, run az ad sp show --id <resource-appId>. For example, to get available permissions for Microsoft Graph API, run az ad sp show --id 00000003-0000-0000-c000-000000000000. Application permissions under the appRoles property correspond to Role in --api-permissions. Delegated permissions under the oauth2Permissions property correspond to Scope in --api-permissions.
For details on Microsoft Graph permissions, see https://learn.microsoft.com/graph/permissions-reference.
az ad app permission add --api
--api-permissions
--idExamples
Add Microsoft Graph delegated permission User.Read
az ad app permission add --id {appId} --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=ScopeAdd Microsoft Graph application permission Application.ReadWrite.All
az ad app permission add --id {appId} --api 00000003-0000-0000-c000-000000000000 --api-permissions 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9=RoleRequired Parameters
RequiredResourceAccess.resourceAppId - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.
Space-separated list of {id}={type}. {id} is resourceAccess.id - The unique identifier for one of the oauth2PermissionScopes or appRole instances that the resource application exposes. {type} is resourceAccess.type - Specifies whether the id property references an oauth2PermissionScopes or an appRole. The possible values are: Scope (for OAuth 2.0 permission scopes) or Role (for app roles).
Identifier uri, application id, or object id.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az ad app permission admin-consent
Grant Application & Delegated permissions through admin-consent.
You must login as a global administrator.
az ad app permission admin-consent --idExamples
Grant Application & Delegated permissions through admin-consent. (autogenerated)
az ad app permission admin-consent --id 00000000-0000-0000-0000-000000000000Required Parameters
Identifier uri, application id, or object id.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az ad app permission delete
Remove an API permission.
az ad app permission delete --api
--id
[--api-permissions]Examples
Remove Microsoft Graph permissions.
az ad app permission delete --id eeba0b46-78e5-4a1a-a1aa-cafe6c123456 --api 00000003-0000-0000-c000-000000000000Remove Microsoft Graph delegated permission User.Read
az ad app permission delete --id eeba0b46-78e5-4a1a-a1aa-cafe6c123456 --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683dRequired Parameters
RequiredResourceAccess.resourceAppId - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.
Identifier uri, application id, or object id.
Optional Parameters
Specify ResourceAccess.id - The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes. Space-separated list of <resource-access-id>.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az ad app permission grant
Grant the app an API Delegated permissions.
A service principal must exist for the app when running this command. To create a corresponding service principal, use az ad sp create --id {appId}.
For Application permissions, please use "ad app permission admin-consent".
az ad app permission grant --api,
--id,
--scope
[--consent-type {AllPrincipals, Principal}]
[--principal-id]Examples
Grant a native application with permissions to access an existing API with TTL of 2 years
az ad app permission grant --id e042ec79-34cd-498f-9d9f-1234234 --api a0322f79-57df-498f-9d9f-12678 --scope Directory.Read.AllRequired Parameters
The id of the resource service principal to which access is authorized. This identifies the API which the client is authorized to attempt to call on behalf of a signed-in user.
The id of the client service principal for the application which is authorized to act on behalf of a signed-in user when accessing an API.
A space-separated list of the claim values for delegated permissions which should be included in access tokens for the resource application (the API). For example, openid User.Read GroupMember.Read.All. Each claim value should match the value field of one of the delegated permissions defined by the API, listed in the oauth2PermissionScopes property of the resource service principal.
Optional Parameters
Indicates whether authorization is granted for the client application to impersonate all users or only a specific user. 'AllPrincipals' indicates authorization to impersonate all users. 'Principal' indicates authorization to impersonate a specific user. Consent on behalf of all users can be granted by an administrator. Non-admin users may be authorized to consent on behalf of themselves in some cases, for some delegated permissions.
The id of the user on behalf of whom the client is authorized to access the resource, when consentType is 'Principal'. If consentType is 'AllPrincipals' this value is null. Required when consentType is 'Principal'.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az ad app permission list
List API permissions the application has requested.
az ad app permission list --idExamples
List the OAuth2 permissions for an application.
az ad app permission list --id e042ec79-34cd-498f-9d9f-1234234Required Parameters
Identifier uri, application id, or object id of the associated application.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az ad app permission list-grants
List Oauth2 permission grants.
az ad app permission list-grants [--filter]
[--id]
[--show-resource-name {false, true}]Examples
list oauth2 permissions granted to the service principal
az ad app permission list-grants --id e042ec79-34cd-498f-9d9f-1234234123456Optional Parameters
OData filter, e.g. --filter "displayname eq 'test' and servicePrincipalType eq 'Application'".
Identifier uri, application id, or object id.
Show resource's display name.
Global Parameters
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
