Graph SDK: Permissions
This blog is part 3 of the series: getting started with the PowerShell Graph SDK.
After installing the module and authenticating, we will now cover how to manage permissions.
As explained in my previous blog, you can authenticate either with delegated permissions, best for interactive sessions and supporting strong authentication such as passwordless/MFA, or with application permissions, best for unattended sessions and authentication using certificates and service principals.
The permissions will be managed according to the type of session:
A- Delegated permissions
We are interacting with the built-in Graph application on your AAD tenant.
It can be found in the Azure portal under Enterprise applications > Microsoft Graph PowerShell, with the app id 14d82eec-204b-4c2f-b7e8-296a70dab67e.
You'll find the existing permissions under Permissions in the Security section.
There are 2 tabs available: Admin consent and User consent
Admin consent refers to permissions approved by an administrator; they apply to all users in the tenant with access to the application.
User consent refers to permissions a user has granted to themselves. These permissions are scoped to what the user currently has access to.
Some permissions are only available after admin consent.
The easiest way for a user to add and consent to permissions for the Graph SDK module is:
Connect-MgGraph -Scopes <permissions>
To retrieve delegated permissions using PowerShell, use Get-MgServicePrincipalOauth2PermissionGrant.
The sample below retrieves all delegated permissions granted to the Graph SDK application:
$graphSDK = Get-MgServicePrincipal -Filter "appId eq '14d82eec-204b-4c2f-b7e8-296a70dab67e'"
$userConsents = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $graphSDK.Id
Notes:
1- Always prefer server-side filtering with -Filter for better performance.
2- Don't be confused: the server-side filter uses OData filter query syntax (eq, startswith, ...), not PowerShell comparison operators.
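As an added example (not code from the original post), the function below builds on the two lines above and turns the raw grant objects into a readable audit: each grant carries a space-separated Scope string, a ConsentType of AllPrincipals (admin consent) or Principal (a single user's consent) and the ids of the resource API and consenting user, so the function resolves those ids to names and emits one row per permission. The function name is my own; it assumes an existing Connect-MgGraph session able to read service principals and users.

```powershell
# Added example (not from the original post): audit delegated (OAuth2) consent grants on the
# Microsoft Graph PowerShell enterprise app, separating admin consent from user consent.
# Assumes an existing Connect-MgGraph session with read access to service principals and users
# (e.g. Directory.Read.All) and the Microsoft.Graph.Applications / Microsoft.Graph.Users modules.

function Get-GraphSdkDelegatedConsent {
    param(
        # App (client) id of the built-in Microsoft Graph PowerShell application, as given in the post
        [string]$AppId = '14d82eec-204b-4c2f-b7e8-296a70dab67e'
    )

    # Server-side OData filter, as recommended in the notes above
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "Service principal for appId $AppId not found in this tenant." }

    $grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All

    # Cache the resource (API) service principals so each one is looked up only once
    $resourceCache = @{}

    foreach ($grant in $grants) {
        if (-not $resourceCache.ContainsKey($grant.ResourceId)) {
            $resourceCache[$grant.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
        }
        $resource = $resourceCache[$grant.ResourceId]

        # ConsentType 'AllPrincipals' = admin consent for the whole tenant;
        # 'Principal' = one user's own consent, PrincipalId identifies that user
        $consentedFor = if ($grant.ConsentType -eq 'AllPrincipals') {
            'All users (admin consent)'
        } else {
            $user = Get-MgUser -UserId $grant.PrincipalId -Property UserPrincipalName -ErrorAction SilentlyContinue
            if ($user) { $user.UserPrincipalName } else { $grant.PrincipalId }   # user may have been deleted
        }

        # Scope is a single space-separated string; emit one row per permission
        foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
            # The API's own definition tells us whether the scope is classified as admin-only
            $definition = $resource.Oauth2PermissionScopes | Where-Object Value -eq $scope
            [pscustomobject]@{
                Resource     = $resource.DisplayName
                Permission   = $scope
                ConsentType  = $grant.ConsentType
                ConsentedFor = $consentedFor
                AdminOnly    = ($definition.Type -eq 'Admin')
                GrantId      = $grant.Id
            }
        }
    }
}

# Usage: one line per (resource, permission, who it was consented for), admin consent first
Get-GraphSdkDelegatedConsent |
    Sort-Object ConsentType, Resource, Permission |
    Format-Table Resource, Permission, ConsentType, ConsentedFor, AdminOnly -AutoSize
```

The GrantId column is kept on purpose: it is the identifier you would pass to Remove-MgOauth2PermissionGrant if a review decides a user-consented grant should not stay.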
Recommendations:
1- Control who can use the Graph SDK application in your organisation:
   1- Set "Assignment required?" to Yes
   2- Assign the application to the relevant groups/users
2- Restrict who can consent to applications, if your environment allows it, using the user consent settings policy shown below.
3- Apply least privilege for your admins: use Cloud Application Administrator or Application Administrator rather than Global Administrator, and delegate admin consent to group owners where possible.
B- Application permissions
As mentioned previously, application permissions are managed on a Service Principal (SP).
To view those permissions in the Azure portal, go to App registrations, select your SP (in my case M365DSC 😎) and open API permissions.
To add or remove a permission: press Add a permission, select Microsoft Graph, choose Application permissions and select/unselect the relevant permissions.
To retrieve application permissions for your Service Principal with PowerShell, use Get-MgServicePrincipalAppRoleAssignment.
The sample below retrieves all application permissions (app role assignments) for my Service Principal:
$servicePrincipal = Get-MgServicePrincipal -Filter "displayName eq 'M365DSC'"
$appRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipal.Id
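An app role assignment only carries the AppRoleId GUID; the permission name (for example User.Read.All) is defined on the resource API's service principal, in its AppRoles collection. As an added example (my own code, not from the post), the function below resolves each assignment to its permission name and description and can write the result to a JSON report. It assumes an existing Connect-MgGraph session able to read applications; the 'M365DSC' display name is the one used in the post.

```powershell
# Added example (not from the original post): list the application permissions (app role
# assignments) granted to a service principal, resolve each AppRoleId to its permission name,
# and optionally export the result to JSON. Assumes an existing Connect-MgGraph session with
# Application.Read.All (or Directory.Read.All).

function Get-AppPermissionReport {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [string]$OutFile    # optional path of the JSON report
    )

    # Server-side filter on displayName; a display name is not guaranteed unique, so check
    $sp = @(Get-MgServicePrincipal -Filter "displayName eq '$DisplayName'")
    if ($sp.Count -ne 1) {
        throw "Expected exactly one service principal named '$DisplayName', found $($sp.Count)."
    }
    $sp = $sp[0]

    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All

    # The assignment only carries the role GUID; the name lives on the resource API's AppRoles
    $resourceCache = @{}
    $report = foreach ($a in $assignments) {
        if (-not $resourceCache.ContainsKey($a.ResourceId)) {
            $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        }
        $resource = $resourceCache[$a.ResourceId]
        $role     = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
        [pscustomobject]@{
            ServicePrincipal = $sp.DisplayName
            Resource         = $a.ResourceDisplayName
            ResourceAppId    = $resource.AppId     # stable across tenants, unlike the SP object id
            Permission       = $role.Value         # e.g. 'DeviceManagementConfiguration.Read.All'
            Description      = $role.Description
            AppRoleId        = $a.AppRoleId
            AssignmentId     = $a.Id
        }
    }

    if ($OutFile) {
        $report | ConvertTo-Json -Depth 3 | Set-Content -Path $OutFile -Encoding utf8
    }
    $report
}

# Usage: print the permissions and keep a JSON copy for later review
Get-AppPermissionReport -DisplayName 'M365DSC' -OutFile .\M365DSC-AppPermissions.json |
    Format-Table Resource, Permission, Description -AutoSize
```

Comparing two reports taken at different dates is a cheap way to spot an application permission that was added without going through change control.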
C- Find the right cmdlet and permissions
After understanding how to assign permissions, we now need to find out which cmdlet and which permissions we need.
We first need to find the cmdlet we will use. Some are no-brainers:
Get-MgUser, Get-MgApplication and so forth.
But some are trickier to find, for many reasons, for example because the API still uses a legacy name.
These are my steps to get started with a project:
1- I use the developer tools in Edge or Chrome and retrieve, from the Network tab, the request headers of the call the portal makes, to identify the endpoint used.
Intune, for example, is completely based on the Graph API (beta version).
I extract 2 pieces of information from the request URL:
deviceManagement and groupPolicyConfigurations, where
deviceManagement is the namespace and
groupPolicyConfigurations is my entity.
2- I then use Get-Command to find my SDK cmdlet. Don't forget to drop the plural, as cmdlet nouns are always singular:
Get-Command -Name Get-Mg*GroupPolicyConfiguration* | Format-Table -AutoSize
The cmdlet name is formed as Get/Set/Update/Remove-Mg<Namespace><Entity>.
3- The API documentation gives you all the details and methods available.
4- Use Find-MgGraphCommand to retrieve the permissions:
(Find-MgGraphCommand -Command Get-MgDeviceManagementGroupPolicyConfiguration -ApiVersion beta).Permissions
Again, apply least privilege: if I only want to read the policy, DeviceManagementConfiguration.Read.All is sufficient.
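The four steps above can be chained in one function. As an added example (my own code, not from the post), Resolve-GraphCmdlet takes the URL captured in the browser, derives the namespace and entity for the Get-Command search, then asks Find-MgGraphCommand (which also accepts -Uri and -Method, not only -Command) for the matching cmdlets and their permissions, and puts the read-only permission first for a GET so the least-privileged choice is obvious. Function and parameter names are assumptions; the URL is the Intune example from the post.

```powershell
# Added example (not from the original post): from a request URL captured in the browser's
# network tab to the matching SDK cmdlet and a least-privileged permission for it.
# Requires Microsoft.Graph.Authentication (Find-MgGraphCommand) and the module that owns the
# cmdlet (here Microsoft.Graph.Beta.DeviceManagement) for the Get-Command search to find it.

function Resolve-GraphCmdlet {
    param(
        [Parameter(Mandatory)][string]$Uri,                                   # full URL or relative path
        [ValidateSet('GET','POST','PATCH','PUT','DELETE')][string]$Method = 'GET',
        [ValidateSet('v1.0','beta')][string]$ApiVersion = 'beta'
    )

    # Reduce a full URL to the relative path Find-MgGraphCommand expects (no host, no version prefix)
    $path = if ($Uri -match '^https?://') { ([uri]$Uri).AbsolutePath } else { $Uri }
    $path = $path -replace '^/?(v1\.0|beta)/', '/'
    if (-not $path.StartsWith('/')) { $path = "/$path" }

    # Step 2 from the post: first segment is the namespace, last one the entity, made singular
    $segments  = $path.Trim('/') -split '/'
    $namespace = $segments[0]
    $entity    = $segments[-1] -replace 's$', ''
    $byName    = Get-Command -Name "Get-Mg*$namespace$entity*" -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty Name

    # Step 4 from the post: let the SDK map URI + method to cmdlets and their permissions
    $found = Find-MgGraphCommand -Uri $path -Method $Method -ApiVersion $ApiVersion

    foreach ($cmd in $found) {
        # Put *.Read.* scopes first so a GET is not granted write rights it will never use
        $perms = @($cmd.Permissions | Sort-Object { $_.Name -notmatch '\.Read' }, Name)
        $least = if ($perms) { $perms[0].Name } else { $null }
        [pscustomobject]@{
            Command        = $cmd.Command
            Method         = $cmd.Method
            ApiVersion     = $cmd.APIVersion
            NameSearch     = ($byName -join ', ')      # what the Get-Command search found
            LeastPrivilege = $least
            AllPermissions = ($perms.Name -join ', ')
        }
    }
}

# Usage: the Intune Group Policy configuration endpoint from the post
Resolve-GraphCmdlet -Uri 'https://graph.microsoft.com/beta/deviceManagement/groupPolicyConfigurations' |
    Format-List
```

Sorting on the name is a heuristic: it favours ReadWrite-free scopes but cannot tell a narrow scope from a broad one, so the LeastPrivilege column is a starting point to confirm against the API documentation, not a final answer.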
D- Scripts
If you made it up to here you deserve a treat!
I have prepared 4 scripts for you to retrieve the delegated and application permissions assigned to the Graph SDK application, to your Service Principal or to any other application, and export them to a JSON report. You can also use that report to update those permissions.
Use the Update scripts with caution, as I have developed them more like a Desired State Configuration, i.e. the JSON file is the source of truth and the script will remove/add any permissions not matching the JSON!
2- Update-GraphSDKDelegatedPermission.ps1 (Use with caution!)
4- Update-GraphSDKApplicationPermission.ps1 (Use with caution!)
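To make the "JSON as source of truth" behaviour concrete, here is an added example of the same idea for application permissions (my own code, not the author's scripts, and the JSON layout below is my assumption, not the format those scripts use). It computes the difference between the file and the current app role assignments, adds what is missing, removes what is not listed, and supports -WhatIf so the plan can be reviewed before anything changes. The 00000003-0000-0000-c000-000000000000 value in the sample file is the well-known app id of Microsoft Graph; the service principal id is a placeholder.

```powershell
# Added example (not from the original post or the author's scripts): reconcile a service
# principal's application permissions against a JSON "desired state" file, DSC-style.
# Assumed JSON layout (M365DSC-DesiredPermissions.json):
#   {
#     "ServicePrincipalId": "<object id of the service principal, placeholder>",
#     "Permissions": [
#       { "ResourceAppId": "00000003-0000-0000-c000-000000000000",
#         "Permission": "DeviceManagementConfiguration.Read.All" }
#     ]
#   }
# Assumes a Connect-MgGraph session with AppRoleAssignment.ReadWrite.All and Application.Read.All.

function Sync-AppPermission {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    $desired = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $spId    = $desired.ServicePrincipalId

    # Current state, keyed as "<resource appId>|<permission value>"; an AppRoleId alone means
    # nothing until it is resolved against the resource API's AppRoles
    $resourceById = @{}
    $current = @{}
    foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spId -All) {
        if (-not $resourceById.ContainsKey($a.ResourceId)) {
            $resourceById[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
        }
        $resource = $resourceById[$a.ResourceId]
        $role     = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
        $current["$($resource.AppId)|$($role.Value)"] = $a
    }

    # Desired state from the JSON file, same key format
    $wanted = @{}
    foreach ($p in $desired.Permissions) { $wanted["$($p.ResourceAppId)|$($p.Permission)"] = $p }

    # Add: listed in the JSON but not currently assigned
    foreach ($key in @($wanted.Keys) | Where-Object { -not $current.ContainsKey($_) }) {
        $p        = $wanted[$key]
        $resource = Get-MgServicePrincipal -Filter "appId eq '$($p.ResourceAppId)'"
        if (-not $resource) { Write-Warning "Resource app $($p.ResourceAppId) not found, skipping '$key'."; continue }
        # Only roles that allow 'Application' members are application permissions
        $role = $resource.AppRoles |
            Where-Object { $_.Value -eq $p.Permission -and $_.AllowedMemberTypes -contains 'Application' }
        if (-not $role) { Write-Warning "No application permission '$key', skipping."; continue }
        if ($PSCmdlet.ShouldProcess($key, 'Add application permission')) {
            New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spId -PrincipalId $spId `
                -ResourceId $resource.Id -AppRoleId $role.Id | Out-Null
        }
    }

    # Remove: currently assigned but absent from the JSON (the JSON is the source of truth)
    foreach ($key in @($current.Keys) | Where-Object { -not $wanted.ContainsKey($_) }) {
        if ($PSCmdlet.ShouldProcess($key, 'Remove application permission')) {
            Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $spId `
                -AppRoleAssignmentId $current[$key].Id
        }
    }
}

# Review the plan first (nothing is changed), then apply it
Sync-AppPermission -Path .\M365DSC-DesiredPermissions.json -WhatIf
Sync-AppPermission -Path .\M365DSC-DesiredPermissions.json
```

Because removals are driven by what is absent from the file, an incomplete JSON strips real permissions: run with -WhatIf and read the "Remove application permission" lines before running for real, and keep the desired-state file under version control so every change to it is reviewed.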
Happy PowerShelling 💪