New-AzureADMSPermissionGrantConditionSet
Create a new Azure Active Directory permission grant condition set in a given policy.
Syntax
Default (Default)
New-AzureADMSPermissionGrantConditionSet
-PolicyId <String>
-ConditionSetType <String>
[-PermissionType <String>]
[-PermissionClassification <String>]
[-ResourceApplication <String>]
[-Permissions <System.Collections.Generic.List`1[System.String]>]
[-ClientApplicationIds <System.Collections.Generic.List`1[System.String]>]
[-ClientApplicationTenantIds <System.Collections.Generic.List`1[System.String]>]
[-ClientApplicationPublisherIds <System.Collections.Generic.List`1[System.String]>]
[-ClientApplicationsFromVerifiedPublisherOnly <Boolean>]
[<CommonParameters>]
Description
Create a new Azure Active Directory permission grant condition set object in an existing policy.
Examples
Example 1: Create a basic permission grant condition set in an existing policy with all build in values
New-AzureADMSPermissionGrantConditionSet -PolicyId "test1" -ConditionSetType "includes" -PermissionType "delegated"
Id : cab65448-9ec4-43a5-b575-d1f4d32fefa5
PermissionType : delegated
PermissionClassification : all
ResourceApplication : any
Permissions : {all}
ClientApplicationIds : {all}
ClientApplicationTenantIds : {all}
ClientApplicationPublisherIds : {all}
ClientApplicationsFromVerifiedPublisherOnly : False
Example 2: Create a permission grant condition set in an existing policy that includes specific permissions for a resource application
New-AzureADMSPermissionGrantConditionSet -PolicyId "test1" -ConditionSetType "includes" -PermissionType "delegated" -Permissions @("8b590330-0eb2-45d0-baca-a00ecf7e7b87", "dac1c8fa-e6e4-47b8-a128-599660b8cd5c", "f6db0cc3-88cd-4c74-a374-3d8c7cc4c50b") -ResourceApplication "ec8d61c9-1cb2-4edb-afb0-bcda85645555"
Id : 64032dc4-8423-4fd7-930c-a9ed3bb1dbb4
PermissionType : delegated
PermissionClassification : all
ResourceApplication : ec8d61c9-1cb2-4edb-afb0-bcda85645555
Permissions : {8b590330-0eb2-45d0-baca-a00ecf7e7b87, dac1c8fa-e6e4-47b8-a128-599660b8cd5c
f6db0cc3-88cd-4c74-a374-3d8c7cc4c50b}
ClientApplicationIds : {all}
ClientApplicationTenantIds : {all}
ClientApplicationPublisherIds : {all}
ClientApplicationsFromVerifiedPublisherOnly : False
Example 3: Create a permission grant condition set in an existing policy that is excluded
New-AzureADMSPermissionGrantConditionSet -PolicyId "test1" -ConditionSetType "excludes" -PermissionType "delegated" -Permissions @("8b590330-0eb2-45d0-baca-a00ecf7e7b87", "dac1c8fa-e6e4-47b8-a128-599660b8cd5c", "f6db0cc3-88cd-4c74-a374-3d8c7cc4c50b") -ResourceApplication "ec8d61c9-1cb2-4edb-afb0-bcda85645555" -PermissionClassification "low" -ClientApplicationsFromVerifiedPublisherOnly $true -ClientApplicationIds @("00001111-aaaa-2222-bbbb-3333cccc4444", "11112222-bbbb-3333-cccc-4444dddd5555") -ClientApplicationTenantIds @("aaaabbbb-0000-cccc-1111-dddd2222eeee", "bbbbcccc-1111-dddd-2222-eeee3333ffff", "ccccdddd-2222-eeee-3333-ffff4444aaaa") -ClientApplicationPublisherIds @("verifiedpublishermpnid")
Id : 0f81cce0-a766-4db6-a7e2-4e5f10f6abf8
PermissionType : delegated
PermissionClassification : low
ResourceApplication : ec8d61c9-1cb2-4edb-afb0-bcda85645555
Permissions : {8b590330-0eb2-45d0-baca-a00ecf7e7b87, dac1c8fa-e6e4-47b8-a128-599660b8cd5c,
f6db0cc3-88cd-4c74-a374-3d8c7cc4c50b}
ClientApplicationIds : {00001111-aaaa-2222-bbbb-3333cccc4444, 11112222-bbbb-3333-cccc-4444dddd5555}
ClientApplicationTenantIds : {aaaabbbb-0000-cccc-1111-dddd2222eeee, bbbbcccc-1111-dddd-2222-eeee3333ffff, ccccdddd-2222-eeee-3333-ffff4444aaaa}
ClientApplicationPublisherIds : {verifiedpublishermpnid}
ClientApplicationsFromVerifiedPublisherOnly : True
Parameters
-ClientApplicationIds
The set of client application ids to scope consent operation down to.
It could be @("All") or a list of client application Ids.
Note
There is a hard limit of 100 Application IDs that can be added per tenant.
Parameter properties
Type: List<T> [ String ]
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-ClientApplicationPublisherIds
The set of client applications publisher ids to scope consent operation down to.
It could be @("All") or a list of client application publisher ids.
Parameter properties
Type: List<T> [ String ]
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-ClientApplicationsFromVerifiedPublisherOnly
A value indicates whether to only includes client applications from verified publishers.
Parameter properties
Type: Boolean
Default value: False Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-ClientApplicationTenantIds
The set of client application tenant ids to scope consent operation down to.
It could be @("All") or a list of client application tenant ids.
Parameter properties
Type: List<T> [ String ]
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-ConditionSetType
The value indicates whether the condition sets are included in the policy or excluded.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: True Value from pipeline: True Value from pipeline by property name: True Value from remaining arguments: False
-PermissionClassification
Specific classification (all, low, medium, high) to scope consent operation down to.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-Permissions
The identifier of the resource application to scope consent operation down to.
It could be @("All") or a list of permission ids.
Parameter properties
Type: List<T> [ String ]
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-PermissionType
Specific type of permissions (application, delegated) to scope consent operation down to.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-PolicyId
The unique identifier of an Azure Active Directory permission grant policy object.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: True Value from pipeline: True Value from pipeline by property name: True Value from remaining arguments: False
-ResourceApplication
The identifier of the resource application to scope consent operation down to.
It could be "Any" or a specific resource application id.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters .
string
string
Outputs
Microsoft.Open.MSGraph.Model.PermissionGrantConditionSet