Ability to Grant Permissions via API or Powershell

Azure AD allows you to create app registrations, define roles on them and give permissions to each other (as application identities). This way you can have a Web application talking to your API with its service principal and you can protect your API with roles.

Service Principal creation, role definition and permission assignment can be done through Portal, Powershell and API. But in order to make Application Permissions (which requires admin consent) work, you need someone with Global Administrator role to go to Azure Portal and click Grant Permissions button (or do the same thing via OAuth prompt on your web apps).

Right now there is no way to automatize Grant Permissions and it is a manual process at the moment. We confirmed this with the Microsoft Support and Product Teams as well.

If this can be managed via Powershell or API, we would like to include it in our Automation Runbooks and take the work load off of our security teams.

228 votes

Harun Legoz shared this idea · Sep 22, 2017 · Flag idea as inappropriate… · Admin →

under review ·

Azure AD Team responded · Nov 29, 2018

Thank you for the feedback! This is in the backlog and we are looking into this. We don’t have an ETA yet, but we will share once we have one. Please keep voting if this feature matters to you.

20 comments

An error occurred while saving the comment

Dmitry Serbin commented · February 2, 2021 7:45 PM · Flag as inappropriate

We also need this feature! Is there any update?

Submitting...
Charl commented · December 15, 2020 2:35 AM · Flag as inappropriate

I sometimes wish that MS stops building new stuff in Azure and AzureAD and first bring its APIs SDKs and modules and documentation in order.

Submitting...
Anonymous commented · August 28, 2020 4:41 AM · Flag as inappropriate

yes please - a set of commandlets to grant API permissions would be helpful

Submitting...
Claude Gex commented · June 16, 2020 7:08 AM · Flag as inappropriate

We managed to grant delegated permission via https://graph.microsoft.com/v1.0/oAuth2Permissiongrants

see https://docs.microsoft.com/en-us/graph/api/resources/oauth2permissiongrant?view=graph-rest-1.0

Application Roles can be add via https://graph.microsoft.com/v1.0/servicePrincipals/<service-principal-id>/appRoleAssignedTo or via https://docs.microsoft.com/en-us/graph/api/serviceprincipal-post-approleassignments?view=graph-rest-1.0&tabs=http

Submitting...
Majed commented · April 28, 2020 4:57 AM · Flag as inappropriate

Do we have any update on this?

Submitting...
Bill commented · April 24, 2020 1:57 AM · Flag as inappropriate

@Microsoft, heading for two years with no further update. What is the ETA on this?

Thanks

Submitting...
Stefan Buciu commented · March 19, 2020 7:32 AM · Flag as inappropriate

Hello there,

Any updates on this?

Best regards,
Stefan

Submitting...
Claude Gex commented · March 17, 2020 9:16 AM · Flag as inappropriate

Hi all

We are struggling with the exact same issue as Mats described.

@microsoft azure ad team: what is the current state?

Kind regards
Claude

Submitting...
Mike McAdams commented · March 14, 2020 1:22 PM · Flag as inappropriate

+1 on this ... need a way to write a test that enumerates all permission scopes (app and user) and then confirms the presence of a scope within the cloud at hand

Submitting...
Andy Ball commented · March 3, 2020 3:12 AM · Flag as inappropriate

Bump

Submitting...
Mats Magnem commented · February 7, 2020 4:29 AM · Flag as inappropriate

Hi all
Yo you know if this is possible yet? The Azure portal does this by the REST API, but when I try to do the same, I get that the api-version is wrong. I guess this is functionality Microsoft wants for themselves.

I have tried:
POST https://graph.windows.net/myorganization/consentToApp?api-version=2.0
With my valid access token and the proper request object containing app id, dynamicPermissions (roles and scopes) etc.

But it does not work. I have also swapped "myorganization" in the url with my tenantid (guid), like I do on other operations against the graph.windows.net API endpoint.

Any idea if the app-version 2.0 will be open to public?

Submitting...
Anonymous commented · December 14, 2019 6:21 AM · Flag as inappropriate

okk

Submitting...
Anonymous commented · December 5, 2019 5:12 PM · Flag as inappropriate

Hi there, any update on this?

Submitting...
Filip Van Raemdonck commented · April 18, 2019 12:52 AM · Flag as inappropriate

Hi,
Is it possible to do this via powershell already?

Submitting...
Alex Salter commented · October 5, 2018 5:23 AM · Flag as inappropriate

Please also consider providing a means to grant permissions through az as well.

Submitting...
Ben Hatton commented · September 19, 2018 9:29 PM · Flag as inappropriate

As a workaround, a module to invoke REST API has been contributed by Jos Lieben:

http://www.lieben.nu/liebensraum/2018/04/how-to-grant-oauth2-permissions-to-an-azure-ad-application-using-powershell-unattended-silently/

[apologies for previous now deleted post, didn't sufficiently read what I was suggesting]

Submitting...
anajafi commented · September 18, 2018 4:00 PM · Flag as inappropriate

do we have grant permissions for users via powershell yet?

Submitting...
Anonymous commented · September 6, 2018 7:11 AM · Flag as inappropriate

This feature will help us to complete our automation runbooks without any manual intervention.

Submitting...
Anonymous commented · August 29, 2018 5:41 AM · Flag as inappropriate

When can we expect Oauth2 grant permissions command through powershell?

Submitting...
Sebastian commented · July 5, 2018 12:34 AM · Flag as inappropriate

Still no cmdlet for that?

Submitting...