Add-AzADAppPermission
Adds an API permission.
Syntax
Add-AzADAppPermission
-ApiId <Guid>
-PermissionId <String>
-ObjectId <Guid>
[-Type <String>]
[-DefaultProfile <PSObject>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Add-AzADAppPermission
-ApiId <Guid>
-PermissionId <String>
[-Type <String>]
-ApplicationId <Guid>
[-DefaultProfile <PSObject>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
Adds an API permission to an application's required resource access, i.e. the set of permissions the application declares it needs. The permissions an API exposes are a property of that API's own application, which is represented in the tenant by its service principal.
For instance, to list the permissions exposed by a Graph API, look up its service principal by its well-known appId:
- Azure Active Directory Graph (legacy):
Get-AzADServicePrincipal -ApplicationId 00000002-0000-0000-c000-000000000000
- Microsoft Graph:
Get-AzADServicePrincipal -ApplicationId 00000003-0000-0000-c000-000000000000
Application permissions, listed under the appRoles property, correspond to -Type Role.
Delegated permissions, listed under the oauth2PermissionScopes property (oauth2Permissions on Azure AD Graph), correspond to -Type Scope.
This cmdlet only records the permission request on the application; it does not grant the permission. If the permission requires admin consent (every application permission, and any delegated permission whose type is Admin rather than User), an administrator must grant consent in the Azure Portal, because Azure PowerShell does not support granting consent yet. Until consent is granted, tokens issued to the application do not carry the permission.
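The procedure above (resolve the API's service principal, find the permission's ID in the appRoles or oauth2PermissionScopes catalog, add it with the matching -Type, then check what is requested versus what still needs consent) as an added PowerShell example; this is not code from the Azure PowerShell documentation. It assumes Az.Resources is installed and Connect-AzAccount has been run with rights to edit the application, that the object ID and permission names are placeholders you replace, and that the Get-AzADServicePrincipal output exposes the Graph appRoles and oauth2PermissionScopes collections as the properties AppRole and Oauth2PermissionScope and that Get-AzADAppPermission output carries Id and Type properties (assumed property names).

```powershell
# Added example, not from the Azure PowerShell docs. Replace the object ID with
# your application's object ID (not its appId/client ID).
$appObjectId = '9cc74d5e-1162-4b90-8696-65f3d6a3f7d0'

# Well-known appId of Microsoft Graph; its service principal in the tenant
# carries the catalog of permissions Graph exposes.
$graphAppId = '00000003-0000-0000-c000-000000000000'
$graph = Get-AzADServicePrincipal -ApplicationId $graphAppId
if (-not $graph) { throw "Microsoft Graph service principal not found in this tenant" }

# Permissions to request, by name. Delegated scopes map to -Type Scope,
# application roles to -Type Role. Property names AppRole and
# Oauth2PermissionScope are assumed from the Az.Resources object model.
$delegated   = @('Group.Read.All')        # oauth2PermissionScopes -> Scope
$application = @('Device.ReadWrite.All')  # appRoles -> Role

foreach ($name in $delegated) {
    $scope = $graph.Oauth2PermissionScope | Where-Object { $_.Value -eq $name }
    if (-not $scope) { throw "Delegated permission '$name' not found on Microsoft Graph" }
    Add-AzADAppPermission -ObjectId $appObjectId -ApiId $graphAppId `
        -PermissionId $scope.Id -Type Scope
}

foreach ($name in $application) {
    $role = $graph.AppRole | Where-Object { $_.Value -eq $name }
    if (-not $role) { throw "Application permission '$name' not found on Microsoft Graph" }
    # Application permissions act tenant-wide without a signed-in user and
    # always require admin consent; request them deliberately.
    Add-AzADAppPermission -ObjectId $appObjectId -ApiId $graphAppId `
        -PermissionId $role.Id -Type Role
}

# Report what the application now *requests*. Nothing here is granted yet:
# the ConsentNeeded column tells you who must consent in the portal.
Get-AzADAppPermission -ObjectId $appObjectId | ForEach-Object {
    $perm = $_
    if ($perm.Type -eq 'Role') {
        $name    = ($graph.AppRole | Where-Object { $_.Id -eq $perm.Id }).Value
        $consent = 'Admin'
    } else {
        $scope   = $graph.Oauth2PermissionScope | Where-Object { $_.Id -eq $perm.Id }
        $name    = $scope.Value
        $consent = $scope.Type   # 'Admin' or 'User', per the scope's own type
    }
    [pscustomobject]@{ Permission = $name; Type = $perm.Type; ConsentNeeded = $consent }
}
```

Resolving IDs from the service principal at run time, rather than pasting GUIDs, keeps the script honest about which API and which permission it touches; the final listing is the check to run before asking an administrator to consent, since consent to an application permission cannot be scoped to a single user.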
Examples
Example 1: Add API Permission
Add-AzADAppPermission -ObjectId 9cc74d5e-1162-4b90-8696-65f3d6a3f7d0 -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 5f8c59db-677d-491f-a6b8-5f174b11ec1d
Adds the delegated permission "Group.Read.All" of the Microsoft Graph API (appId 00000003-0000-0000-c000-000000000000) to the AD application with object ID 9cc74d5e-1162-4b90-8696-65f3d6a3f7d0. -Type is omitted, so the permission is added as Scope. This delegated scope requires admin consent before it takes effect.
Example 2: Add API Permission
Add-AzADAppPermission -ObjectId 9cc74d5e-1162-4b90-8696-65f3d6a3f7d0 -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 1138cb37-bd11-4084-a2b7-9f71582aeddb -Type Role
Adds the application permission "Device.ReadWrite.All" of the Microsoft Graph API to the AD application with object ID 9cc74d5e-1162-4b90-8696-65f3d6a3f7d0. Because it is an application permission (-Type Role), it applies tenant-wide without a signed-in user and requires admin consent in the Azure Portal before it is granted.
Parameters
-ApiId
The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.
Type: | Guid |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ApplicationId
The application (client) ID of the application to modify. Use this parameter set instead of -ObjectId when you know the appId rather than the object ID.
Type: | Guid |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
Type: | PSObject |
Aliases: | AzContext, AzureRmContext, AzureCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ObjectId
The object ID of the application in Azure AD. This is the application object's ID, not its appId (client ID).
Type: | Guid |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PermissionId
The unique identifier for one of the oauth2PermissionScopes or appRole instances that the resource application exposes.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Type
Specifies whether -PermissionId references an oauth2PermissionScopes entry (Scope, a delegated permission) or an appRoles entry (Role, an application permission). When omitted, the permission is added as Scope.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Outputs