Share via


az ad app permission

Manage an application's OAuth2 permissions.

Commands

Name Description Type Status
az ad app permission add

Add an API permission.

Core GA
az ad app permission admin-consent

Grant Application & Delegated permissions through admin-consent.

Core GA
az ad app permission delete

Remove an API permission.

Core GA
az ad app permission grant

Grant the app an API Delegated permissions.

Core GA
az ad app permission list

List API permissions the application has requested.

Core GA
az ad app permission list-grants

List Oauth2 permission grants.

Core GA

az ad app permission add

Add an API permission.

Invoking "az ad app permission grant" is needed to activate it.

To get available permissions of the resource app, run az ad sp show --id <resource-appId>. For example, to get available permissions for Microsoft Graph API, run az ad sp show --id 00000003-0000-0000-c000-000000000000. Application permissions under the appRoles property correspond to Role in --api-permissions. Delegated permissions under the oauth2Permissions property correspond to Scope in --api-permissions.

For details on Microsoft Graph permissions, see https://learn.microsoft.com/graph/permissions-reference.

az ad app permission add --api
                         --api-permissions
                         --id

Examples

Add Microsoft Graph delegated permission User.Read

az ad app permission add --id {appId} --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope

Add Microsoft Graph application permission Application.ReadWrite.All

az ad app permission add --id {appId} --api 00000003-0000-0000-c000-000000000000 --api-permissions 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9=Role

Required Parameters

--api

RequiredResourceAccess.resourceAppId - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.

--api-permissions

Space-separated list of {id}={type}. {id} is resourceAccess.id - The unique identifier for one of the oauth2PermissionScopes or appRole instances that the resource application exposes. {type} is resourceAccess.type - Specifies whether the id property references an oauth2PermissionScopes or an appRole. The possible values are: Scope (for OAuth 2.0 permission scopes) or Role (for app roles).

--id

Identifier uri, application id, or object id.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

Grant Application & Delegated permissions through admin-consent.

You must login as a global administrator.

az ad app permission admin-consent --id

Grant Application & Delegated permissions through admin-consent. (autogenerated)

az ad app permission admin-consent --id 00000000-0000-0000-0000-000000000000
--id

Identifier uri, application id, or object id.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az ad app permission delete

Remove an API permission.

az ad app permission delete --api
                            --id
                            [--api-permissions]

Examples

Remove Microsoft Graph permissions.

az ad app permission delete --id eeba0b46-78e5-4a1a-a1aa-cafe6c123456 --api 00000003-0000-0000-c000-000000000000

Remove Microsoft Graph delegated permission User.Read

az ad app permission delete --id eeba0b46-78e5-4a1a-a1aa-cafe6c123456 --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d

Required Parameters

--api

RequiredResourceAccess.resourceAppId - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.

--id

Identifier uri, application id, or object id.

Optional Parameters

--api-permissions

Specify ResourceAccess.id - The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes. Space-separated list of <resource-access-id>.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az ad app permission grant

Grant the app an API Delegated permissions.

A service principal must exist for the app when running this command. To create a corresponding service principal, use az ad sp create --id {appId}. For Application permissions, please use "ad app permission admin-consent".

az ad app permission grant --api,
                           --id,
                           --scope
                           [--consent-type {AllPrincipals, Principal}]
                           [--principal-id]

Examples

Grant a native application with permissions to access an existing API with TTL of 2 years

az ad app permission grant --id e042ec79-34cd-498f-9d9f-1234234 --api a0322f79-57df-498f-9d9f-12678 --scope Directory.Read.All

Required Parameters

--api, --resource-id

The id of the resource service principal to which access is authorized. This identifies the API which the client is authorized to attempt to call on behalf of a signed-in user.

--id, --client-id

The id of the client service principal for the application which is authorized to act on behalf of a signed-in user when accessing an API.

--scope

A space-separated list of the claim values for delegated permissions which should be included in access tokens for the resource application (the API). For example, openid User.Read GroupMember.Read.All. Each claim value should match the value field of one of the delegated permissions defined by the API, listed in the oauth2PermissionScopes property of the resource service principal.

Optional Parameters

--consent-type

Indicates whether authorization is granted for the client application to impersonate all users or only a specific user. 'AllPrincipals' indicates authorization to impersonate all users. 'Principal' indicates authorization to impersonate a specific user. Consent on behalf of all users can be granted by an administrator. Non-admin users may be authorized to consent on behalf of themselves in some cases, for some delegated permissions.

Accepted values: AllPrincipals, Principal
Default value: AllPrincipals
--principal-id

The id of the user on behalf of whom the client is authorized to access the resource, when consentType is 'Principal'. If consentType is 'AllPrincipals' this value is null. Required when consentType is 'Principal'.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az ad app permission list

List API permissions the application has requested.

az ad app permission list --id

Examples

List the OAuth2 permissions for an application.

az ad app permission list --id e042ec79-34cd-498f-9d9f-1234234

Required Parameters

--id

Identifier uri, application id, or object id of the associated application.

Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az ad app permission list-grants

List Oauth2 permission grants.

az ad app permission list-grants [--filter]
                                 [--id]
                                 [--show-resource-name {false, true}]

Examples

list oauth2 permissions granted to the service principal

az ad app permission list-grants --id e042ec79-34cd-498f-9d9f-1234234123456

Optional Parameters

--filter

OData filter, e.g. --filter "displayname eq 'test' and servicePrincipalType eq 'Application'".

--id

Identifier uri, application id, or object id.

--show-resource-name -r

Show resource's display name.

Accepted values: false, true
Global Parameters
--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json
--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.