Adding Scopes to Azure AD Application with Powershell (Expose an API)

Jens Breidenstein 21 Reputation points
2023-01-13T17:31:39.29+00:00

Hi,

I'd like to add a Scope to an Azure AD App / Service Principal (UI=Expose an API) with Powershell.

$app = New-MgApplication -DisplayName $name -SignInAudience "AzureADMyOrg"
Update-MgApplication -ApplicationId $app.id -IdentifierUris @("api://$($app.AppId)")

$oauth_permission_scopes = @{
        AdminConsentDescription = "admin desc"
        AdminConsentDisplayName = "admin name"
        Type = "Admin"
        Value = "Read.all"
        Id = $([guid]::NewGuid())
    }
$sp = New-MgServicePrincipal -AppId $app.AppId -Notes $description -Tags @("HideApp","WindowsAzureActiveDirectoryIntegratedApp")  #HideApp=VisibleToUsers
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -Oauth2PermissionScopes $oauth_permission_scopes

But I get the message:

Update-MgServicePrincipal_UpdateExpanded1: Property 'oauth2PermissionScopes' is read-only and cannot be set.

Can this only be added in the UI?!



3 answers

  1. Vasil Michev 113.4K Reputation points MVP
    2023-01-13T18:47:34.2466667+00:00

    You cannot update this property directly. Instead, you need to call the PATCH method on the /oauth2PermissionGrants endpoint, referencing the specific grant ID. In PowerShell, this is done via the Update-MgOauth2PermissionGrant cmdlet.

    Here's an example. First, get the current set of grants:

    Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.id

    Once you have the ID of the grant matching the desired resource, PATCH it:

    Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId 4a5jKhfbnUioq9QJcQZikohlrhELZBpBiBJr-xJXoOA -Scope "Mail.Read.Shared User.Read User.ReadBasic.All"

    It helps to refer to the Graph documentation on this. As you can see, there is no PATCH method under the /servicePrincipals endpoint > Delegated permissions grant (i.e. https://learn.microsoft.com/en-us/graph/api/resources/oauth2permissiongrant?view=graph-rest-beta). Instead, you are referred to the PATCH method for the /oauth2PermissionGrants endpoint (https://learn.microsoft.com/en-us/graph/api/oauth2permissiongrant-update?view=graph-rest-beta&tabs=http).


  2. Jens Breidenstein 21 Reputation points
    2023-01-14T07:35:53.8066667+00:00

    Not the ServicePrincipal but the Application Registration should be updated:

    $api = @{
        oauth2PermissionScopes = @(
            @{
                AdminConsentDescription = "admin desc"
                AdminConsentDisplayName = "admin name"
                Type = "Admin"
                Value = "Read.all"
                Id = $([guid]::NewGuid())
            }
        )
    }

    Update-MgApplication -ApplicationId $app.id -Api $api


    see: https://stackoverflow.com/questions/75112560/adding-scopes-to-azure-ad-application-with-powershell-expose-an-api


  3. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,491 Reputation points
    2023-01-23T17:21:24.79+00:00

    Hello and thanks for self-solving your issue @Jens Breidenstein. As you have found, custom API scopes are mastered in the application object. You get the read-only error when attempting to update the servicePrincipal since permissions are intended to be inherited from the application.

    We will update our documentation to better reflect the aforementioned.
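The following is an added worked example, not code posted by anyone in this thread. It builds on answer 2 (update the application object's api block) and answer 3 (the service principal inherits the scopes). It assumes the Microsoft.Graph PowerShell SDK is installed and that Connect-MgGraph has already been run with Application.ReadWrite.All; the function name Add-AppScope, the placeholder object id and the sample scope values are mine. The point it adds beyond answer 2 is that -Api replaces the whole api block, so a script that sends only the new scope silently drops every scope that already existed; the function therefore re-sends the existing scopes and refuses to create a duplicate Value, then reads the result back from both the application and the service principal.

```powershell
#Requires -Modules Microsoft.Graph.Applications
# Added example (not from the thread). Assumes an existing Connect-MgGraph session
# with Application.ReadWrite.All. Add-AppScope and the placeholder values are hypothetical.

function Add-AppScope {
    param(
        [Parameter(Mandatory)] [string] $ApplicationId,            # object id of the app registration
        [Parameter(Mandatory)] [string] $Value,                    # scope name, e.g. "Read.All"
        [Parameter(Mandatory)] [string] $AdminConsentDisplayName,
        [Parameter(Mandatory)] [string] $AdminConsentDescription,
        [ValidateSet('Admin', 'User')] [string] $Type = 'Admin'    # 'User' lets a non-admin consent for themselves
    )

    $app = Get-MgApplication -ApplicationId $ApplicationId -Property Id,AppId,Api

    # -Api replaces the whole api block, so start from the scopes already present
    $existing = @($app.Api.Oauth2PermissionScopes)

    if ($existing | Where-Object { $_.Value -eq $Value }) {
        throw "Scope '$Value' already exists on application $ApplicationId"
    }

    $newScope = @{
        Id                      = [guid]::NewGuid().ToString()
        Value                   = $Value
        Type                    = $Type
        IsEnabled               = $true   # a scope must be disabled before it can be removed later
        AdminConsentDisplayName = $AdminConsentDisplayName
        AdminConsentDescription = $AdminConsentDescription
    }

    # Re-send the existing scopes as hashtables so every entry has the same shape
    $scopes = @($existing | ForEach-Object {
        @{
            Id                      = $_.Id
            Value                   = $_.Value
            Type                    = $_.Type
            IsEnabled               = $_.IsEnabled
            AdminConsentDisplayName = $_.AdminConsentDisplayName
            AdminConsentDescription = $_.AdminConsentDescription
            UserConsentDisplayName  = $_.UserConsentDisplayName
            UserConsentDescription  = $_.UserConsentDescription
        }
    }) + @($newScope)

    Update-MgApplication -ApplicationId $ApplicationId -Api @{ Oauth2PermissionScopes = $scopes }
    return $newScope.Id
}

# Usage with a placeholder object id (constructed; replace with a real application object id)
$appObjectId = '<application-object-id>'
$scopeId = Add-AppScope -ApplicationId $appObjectId -Value 'Read.All' `
    -AdminConsentDisplayName 'Read all data' `
    -AdminConsentDescription 'Allows the app to read all data on behalf of the signed-in user'

# Verify on the application object, where the scopes are mastered ...
$app = Get-MgApplication -ApplicationId $appObjectId -Property AppId,Api
$app.Api.Oauth2PermissionScopes | Select-Object Value, Type, IsEnabled, Id

# ... and on the service principal, which inherits them without any PATCH of its own
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$sp.Oauth2PermissionScopes | Where-Object { $_.Id -eq $scopeId } | Select-Object Value, Type, IsEnabled
```

Two practical caveats. Because the api block is replaced wholesale, review the full list that comes back from the first Get-MgApplication before you write; the duplicate check above only guards against the same Value being added twice. And to remove a scope later, first send the list with that scope's IsEnabled set to $false, then send the list without it; Graph rejects deleting an enabled scope in a single update.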

