Add-EntraServicePrincipalDelegatedPermissionClassification

Module:

Microsoft.Graph.Entra

Add a classification for a delegated permission.

Syntax

Add-EntraServicePrincipalDelegatedPermissionClassification
   -ServicePrincipalId <String>
   -PermissionId <String>
   -Classification <ClassificationEnum>
   -PermissionName <String>
   [<CommonParameters>]

Description

The Add-EntraServicePrincipalDelegatedPermissionClassification cmdlet creates a delegated permission classification for the given permission on service principal.

Examples

Example 1: Create Delegated Permission Classification

Connect-Entra -Scopes 'Policy.ReadWrite.PermissionGrant'
$ServicePrincipal = Get-EntraServicePrincipal -Filter "DisplayName eq '<service-principal-display-name>'"
$PermissionId = $ServicePrincipal.PublishedPermissionScopes[0].Id
$PermissionName =  $ServicePrincipal.PublishedPermissionScopes[0].Value

$params = @{
    ServicePrincipalId = $ServicePrincipal.ObjectId
    PermissionId = $PermissionId
    Classification = 'Low'
    PermissionName = $PermissionName
}

Add-EntraServicePrincipalDelegatedPermissionClassification @params

Id                      Classification PermissionId                         PermissionName
--                      -------------- ------------                         --------------
T2qU_E28O0GgkLLIYRPsTwE low            fc946a4f-bc4d-413b-a090-b2c86113ec4f LicenseManager.AccessAsUser

This command creates a delegated permission classification for the given permission on the service principal. You can use the command Get-EntraServicePrincipal to get service principal ID.

• -ServicePrincipalId parameter specifies the unique identifier of a service principal.
• -PermissionId parameter specifies the ID for a delegated permission.
• -Classification parameter specifies the classification for a delegated permission.
• -PermissionName parameter specifies the name for a delegated permission.

Parameters

-Classification

The classification for a delegated permission. This parameter can take one of the following values:

• Low: Specifies a classification for a permission as low impact.

• Medium: Specifies a classification for a permission as medium impact.

• High: Specifies a classification for a permission as high impact.

Type:	ClassificationEnum
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	False
Accept wildcard characters:	False

-PermissionId

The ID for a delegated permission.

Type:	System.String
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	False
Accept wildcard characters:	False

-PermissionName

The name for a delegated permission.

Type:	System.String
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	False
Accept wildcard characters:	False

-ServicePrincipalId

The unique identifier of a service principal object in Microsoft Entra ID.

Type:	System.String
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	True
Accept wildcard characters:	False

Outputs

Microsoft.Online.Administration.DelegatedPermissionClassification

Related Links

• Get-EntraServicePrincipalDelegatedPermissionClassification
• Remove-EntraServicePrincipalDelegatedPermissionClassification