Why when I upload an API permission via PowerShell to Azure AD do I get only the Id?

Lorenzo Cacciola 1 Reputation point
2022-03-31T08:13:43.733+00:00

I'm trying to upload some API permissions to my app registration in Azure, but I don't get why for some the process works and for others it doesn't.


$svcGraph = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }  
  
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"  
$Graph.ResourceAppId = $svcGraph.AppId  
  
$delPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "df021288-bdef-4463-88db-98f22de89214","Scope"  
  
$delPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d","Scope"  
  
$Graph.ResourceAccess = $delPermission1, $delPermission2  
  
Set-AzureADApplication -ObjectId $MyAppObjectId -RequiredResourceAccess $Graph  

User.Read (delPermission2) works, but User.Read.All (delPermission1) doesn't, and I don't understand why.

I tried multiple permissions, but only User.Read worked. Here are the IDs and values:

741f803b-c850-494e-b5df-cde7c675a1ca User.ReadWrite.All

83cded22-8297-4ff6-a7fa-e97e9545a259 Presence.ReadWrite.All

810c84a8-4a9e-49e6-bf7d-12d183f40d01 Mail.Read


2 answers

  1. Mehtab Siddique (MINDTREE LIMITED) 971 Reputation points
    2022-04-01T04:51:47.113+00:00

    Hi @Lorenzo Cacciola, can you please check if you are using the correct IDs for the permissions when uploading via PowerShell to Azure AD?
    Please refer to this document to learn how to assign more permissions to Azure AD via PowerShell.


  2. Limitless Technology 40,081 Reputation points
    2022-04-06T11:02:40.99+00:00

    Hi @Lorenzo Cacciola

    You might need to have a look at the Microsoft Graph permissions reference. If only the Id is visible, it might be due to the different access scenarios on the Group resource.

    As a best practice, request the least privileged permissions that your app needs in order to access data and function correctly. Requesting permissions with more than the necessary privileges is poor security practice, which may cause users to refrain from consenting and affect your app's usage.

    The article below shows the permissions that an app needs to be able to perform specific operations required by the scenario. Note that in some cases the ability of the app to perform specific operations will depend on whether the permission is an application or delegated permission.

    https://learn.microsoft.com/en-us/graph/permissions-reference

    Hope this resolves your query!

    If the reply is helpful, please upvote and accept it as an answer.

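As an added example (not code from the question or the answers): Microsoft Graph lists delegated permissions under `Oauth2Permissions` (type `Scope`) and application permissions under `AppRoles` (type `Role`), each with its own ID, so this script reports which kind each ID from the question is and then builds the request by permission name so that ID and type cannot disagree. Assumptions: the AzureAD module with an active `Connect-AzureAD` session; `Get-PermissionKind` and `New-GraphResourceAccess` are hypothetical helper names; `$MyAppObjectId` is the question's variable.

```powershell
# Added example. Assumes the AzureAD module and an active Connect-AzureAD session.
# 00000003-0000-0000-c000-000000000000 is the well-known AppId of Microsoft Graph;
# filtering on it avoids matching another service principal with the same display name.
$graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# Hypothetical helper: report whether an ID is a delegated scope or an application role.
function Get-PermissionKind {
    param([Parameter(Mandatory)] $ServicePrincipal, [Parameter(Mandatory)] [string] $Id)
    $ServicePrincipal.Oauth2Permissions | Where-Object { $_.Id -eq $Id } |
        ForEach-Object { [pscustomobject]@{ Id = $Id; Value = $_.Value; Type = 'Scope' } }
    $ServicePrincipal.AppRoles | Where-Object { $_.Id -eq $Id } |
        ForEach-Object { [pscustomobject]@{ Id = $Id; Value = $_.Value; Type = 'Role' } }
}

# Hypothetical helper: resolve a permission by name and kind, so the ID always matches the type.
function New-GraphResourceAccess {
    param(
        [Parameter(Mandatory)] $ServicePrincipal,
        [Parameter(Mandatory)] [string] $Value,
        [Parameter(Mandatory)] [ValidateSet('Scope', 'Role')] [string] $Type
    )
    $defs = if ($Type -eq 'Scope') { $ServicePrincipal.Oauth2Permissions } else { $ServicePrincipal.AppRoles }
    $def = $defs | Where-Object { $_.Value -eq $Value } | Select-Object -First 1
    if (-not $def) { throw "Microsoft Graph defines no '$Value' permission of type '$Type'." }
    New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList $def.Id, $Type
}

# 1. Classify the IDs used in the question: is each one a Scope or a Role?
$idsFromQuestion = @(
    'df021288-bdef-4463-88db-98f22de89214', 'e1fe6dd8-ba31-4d61-89e7-88639da4683d',
    '741f803b-c850-494e-b5df-cde7c675a1ca', '83cded22-8297-4ff6-a7fa-e97e9545a259',
    '810c84a8-4a9e-49e6-bf7d-12d183f40d01'
)
$idsFromQuestion | ForEach-Object {
    $hits = @(Get-PermissionKind -ServicePrincipal $graph -Id $_)
    if (-not $hits) { Write-Warning "$_ is not defined by Microsoft Graph." }
    $hits
} | Format-Table -AutoSize

# 2. Request delegated User.Read and User.Read.All by name instead of hard-coded GUIDs.
$required = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$required.ResourceAppId = $graph.AppId
$required.ResourceAccess = @(
    New-GraphResourceAccess -ServicePrincipal $graph -Value 'User.Read' -Type Scope
    New-GraphResourceAccess -ServicePrincipal $graph -Value 'User.Read.All' -Type Scope
)
Set-AzureADApplication -ObjectId $MyAppObjectId -RequiredResourceAccess $required
```

An ID reported as `Role` is an application permission, which the app holds without a signed-in user and which needs admin consent; request it only if the app genuinely needs app-only access, in line with the least-privilege advice in the second answer.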
