Graph SDK: Permissions

This blog is the part 3 of the serie: getting started with the PowerShell Graph SDK

After installing and authenticating to the module we will be covering how to manage the permissions.

As explained in my previous blog, you can authenticate either using delegated permissions: best for interactive sessions and supports strong authentications such as passwordless/MFA or using application permissions, best for unattended sessions and authentications using certificates and service principals.

The permissions will be managed according to the type of session:

A- delegated permission

We are interacting with the built-in graph application on your AAD tenant.

It can be found in the azure portal under Enterprise applications > Microsoft Graph PowerShell with the id 14d82eec-204b-4c2f-b7e8-296a70dab67e

You'll find the existing permissions under Permissions in the Security section.

There are 2 tabs available: Admin consent and User consent

Admin consent refers to permissions approved by an administrator and apply to all users in the tenant with access to the application.

User consent refers to permissions a user have granted to themselves. These permissions are scoped to what they currently have access to.

Some permissions are only accessible after admin consent

The easy way for a user to add and consent permission to the Grapdh SDK module is to use:

Connect-MgGraph -Scope <permissions> 

To retrieve delegated permissions using PowerShell use

Get-MgServicePrincipalOauth2PermissionGrant

The below sample will retrieve all delegated permissions for the Graph SDK application:

$graphSDK = Get-MgServicePrincipal -filter "appid eq '14d82eec-204b-4c2f-b7e8-296a70dab67e'"

$userConsents = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $graphSDK.id

1- Always try to use server side filtering by using the -filter for better performance. 2- Don't be confused, the server-side filter uses odata filter queries

Security tips

1- You should control who can use the Graph SDK application in your organisation:

1- Set Assignment required? to Yes

2- Assign the application to the relevant group/users

2- Restrict who can consent to application, if your environment allows it from the below policy

3- Use least privilege for your admins using cloud application administrator or application administrator rather than global admin and try to delegate admin consent to group owners if possible.

B- Application permissions

As mentioned previously, application permissions are managed using a Service Principal (SP)

To retrieve those permissions from the Azure portal > app registration > Select your SP

(In my case M365DSC 😎)

Under API Permissions

To add or remove a permission: press Add a permission and select Microsoft Graph

Choose Application permissions

and select/unselect the relevant permissions

To retrieve application permissions for your Service Principal with PowerShell use Get-MgServicePrincipalAppRoleAssignment

The below sample will retrieve all application permissions for my Service Principal:

$graphSDK = Get-MgServicePrincipal -filter "displayName eq 'M365DSC'"

$userConsents = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $graphSDK.id

C- Find the right cmdlet and permissions

After understanding how to assign permissions we now need to find out what cmdlet and permissions we need.

We first need to find out which cmdlet we will use. Some are no brainers -

Get-MgUser , Get-MgApplication and so forth

But some are more tricky to find out due to many reasons like legacy name for example.

This is my steps to get started with my project:

1- I would use the Developer tool on Edge or Chrome and retrieve, from the network analyser, the header to identify the command used.

Intune for example is completely based on the Graph API (beta version)

I would extract 2 information from the header:

deviceManagement and groupPolicyConfigurations where

• deviceManagement is the namespace

• groupPolicyConfigurations is my entity

2 - I then would use Get-Command to find my SDK cmdlet - Don't forget to remove the plural as cmdlet nouns are always singular

Get-Command -name Get-Mg*groupPolicyConfiguration* | Format-Table -Autosize

The cmdlet is formed as Get/Set/Update/Remove-<namespace><entity>

3- The API documentation will give you all details and methods available

groupPolicyConfiguration resource type - Microsoft Graph beta | Microsoft Learn

4- Use Find-MgGraphCommand to retrieve the permissions

 (Find-MgGraphCommand -Command Get-MgDeviceManagementGroupPolicyConfiguration -ApiVersion beta).Permissions 

Try again to apply least privilege: if I just want to read information from the policy DeviceManagementConfiguration.Read.All is sufficient

5- Reference

• Microsoft Rest API Graph overview - Microsoft Graph | Microsoft Learn

• Microsoft Graph PowerShell SDK overview | Microsoft Learn

• Microsoft Graph permissions reference - Microsoft Graph | Microsoft Learn

• Use the filter query parameter to filter a collection of objects - Microsoft Graph | Microsoft Learn

D - Scripts

If you made it up to here you deserve a treat!

I have prepared 4 scripts for you to retrieve delegated and application permissions assigned to the Graph SDK application and your Service Principal or any other applications and export them to a JSON report. You can also use that report to update those permissions

Use the Update scripts with cautions as I have developed them more like a Desired State Configuration ie the JSON file would be the source of control and will remove/add any permissions not assigned in the JSON!

1- Export-GraphSDKDelegatedPermission.ps1

2- Update-GraphSDKDelegatedPermission.ps1 (Use with caution!)

3- Export-GraphSDKApplicationPermission.ps1

4- Update-GraphSDKApplicationPermission.ps1 (Use with caution!)

Happy PowerShelling 💪