Hi @Debarghya Maity ,
To create an access policy for using an app on behalf of a user at an organizational level, you can follow these steps:
- Connect to Microsoft Graph PowerShell using the least-privilege permission needed. For creating access policies, use Policy.ReadWrite.ApplicationConfiguration.
Connect-MgGraph -Scopes "Policy.ReadWrite.ApplicationConfiguration"
- Create a new access policy using the New-MgPolicyApplicationAccessPolicy cmdlet. You will need to specify the following parameters:
  - DisplayName: The display name of the access policy.
  - Description: A description of the access policy.
  - AppId: The ID of the app that the access policy applies to.
  - IsEnabled: Whether the access policy is enabled or disabled.
  - AccessRight: The access right that the access policy grants. In this case, you will want to use Application.
  - Condition: The condition that must be met for the access policy to apply. In this case, you will want to use UserConsent.
Here is an example command:
New-MgPolicyApplicationAccessPolicy -DisplayName "My Access Policy" -Description "Allows users to use the app on behalf of themselves" -AppId "{app-id}" -IsEnabled $true -AccessRight Application -Condition UserConsent
Replace {app-id} with the ID of the app that you want to create the access policy for.
- Once the access policy has been created, you can assign it to users or groups using the Add-MgPolicyApplicationAccessPolicyAssignment cmdlet. You will need to specify the following parameters:
  - PolicyId: The ID of the access policy that you want to assign.
  - PrincipalId: The ID of the user or group that you want to assign the access policy to.
  - PrincipalType: The type of the principal. In this case, you will want to use Group or User.
  - TargetType: The type of the target. In this case, you will want to use Application.
Here is an example command:
Add-MgPolicyApplicationAccessPolicyAssignment -PolicyId "{policy-id}" -PrincipalId "{user-or-group-id}" -PrincipalType User -TargetType Application
Replace {policy-id} with the ID of the access policy that you created, and {user-or-group-id} with the ID of the user or group that you want to assign the access policy to.
Once you have assigned the access policy to the appropriate users or groups, they should be able to use the app on behalf of themselves.
Please let me know if you have any questions and I can help you further.
If this answer helps you please mark "Accept Answer" so other users can reference it.
Thank you,
James