Set-EntraPermissionGrantConditionSet
Update an existing Microsoft Entra ID permission grant condition set.
Syntax
Set-EntraPermissionGrantConditionSet
-ConditionSetType <String>
-Id <String>
-PolicyId <String>
[-Permissions <System.Collections.Generic.List`1[System.String]>]
[-ClientApplicationTenantIds <System.Collections.Generic.List`1[System.String]>]
[-ClientApplicationIds <System.Collections.Generic.List`1[System.String]>]
[-ResourceApplication <String>]
[-PermissionType <String>]
[-PermissionClassification <String>]
[-ClientApplicationsFromVerifiedPublisherOnly <Boolean>]
[-ClientApplicationPublisherIds <System.Collections.Generic.List`1[System.String]>]
[<CommonParameters>]
Description
Updates a Microsoft Entra ID permission grant condition set object identified by Id.
Examples
Example 1: Update a permission grant condition set to includes permissions that is classified as low
Connect-Entra -Scopes 'Policy.ReadWrite.PermissionGrant'
$permissionGrantPolicyId = 'policy1'
$params = @{
PolicyId = $permissionGrantPolicyId
ConditionSetType = 'includes'
Id = 'aaaa0000-bb11-2222-33cc-444444dddddd'
PermissionClassification = 'low'
}
Set-EntraPermissionGrantConditionSet @params
This command updates sets the specified permission grant set to classify as low.
-PolicyId
parameter specifies the unique identifier of a permission grant policy.-ConditionSetType
parameter indicates whether the condition sets are included in the policy or excluded.-Id
parameter specifies the unique identifier of a permission grant condition set object.-PermissionClassification
parameter specifies the specific classification (all, low, medium, high) to scope consent operation down to.
Example 2: Update a permission grant condition set
Connect-Entra -Scopes 'Policy.ReadWrite.PermissionGrant'
$permissionGrantPolicyId = 'policy1'
$params = @{
PolicyId = $permissionGrantPolicyId
ConditionSetType = 'includes'
Id = 'aaaa0000-bb11-2222-33cc-444444dddddd'
PermissionType = 'delegated'
PermissionClassification = 'low'
ResourceApplication = 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1'
Permissions = @('All')
ClientApplicationIds = @('All')
ClientApplicationTenantIds = @('All')
ClientApplicationPublisherIds = @('All')
ClientApplicationsFromVerifiedPublisherOnly = $true
}
Set-EntraPermissionGrantConditionSet @params
This command updates sets the specified permission grant set.
-PolicyId
parameter specifies the unique identifier of a permission grant policy.-ConditionSetType
parameter indicates whether the condition sets are included in the policy or excluded.-Id
parameter specifies the unique identifier of a permission grant condition set object.-PermissionType
parameter specifies the type of permissions (application, delegated) to scope consent operation down to.-PermissionClassification
parameter specifies the specific classification (all, low, medium, high) to scope consent operation down to.-ResourceApplication
parameter specifies identifier of the resource application to scope consent operation down to. It could be "Any" or a specific resource application ID.-Permissions
parameter specifies the identifier of the resource application to scope consent operation down to. It could be @("All") or a list of permission IDs.-ClientApplicationIds
parameter specifies the set of client application IDs to scope consent operation down to. It could be @("All") or a list of client application IDs.-ClientApplicationTenantIds
parameter specifies the set of client applications publisher IDs to scope consent operation down to. It could be @("All") or a list of client application publisher IDs.-ClientApplicationPublisherIds
parameter specifies the set of client applications publisher IDs to scope consent operation down to. It could be @("All") or a list of client application publisher IDs.-ClientApplicationsFromVerifiedPublisherOnly
parameter indicates whether to only includes client applications from verified publishers.
Parameters
-ClientApplicationIds
The set of client application IDs to scope consent operation down to. It could be @("All") or a list of client application IDs.
Type: | System.Collections.Generic.List`1[System.String] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ClientApplicationPublisherIds
The set of client applications publisher IDs to scope consent operation down to. It could be @("All") or a list of client application publisher IDs.
Type: | System.Collections.Generic.List`1[System.String] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ClientApplicationsFromVerifiedPublisherOnly
A value indicates whether to only includes client applications from verified publishers.
Type: | System.Boolean |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ClientApplicationTenantIds
The set of client application tenant IDs to scope consent operation down to. It could be @("All") or a list of client application tenant IDs.
Type: | System.Collections.Generic.List`1[System.String] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ConditionSetType
The value indicates whether the condition sets are included in the policy or excluded.
Type: | System.String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Id
The unique identifier of a Microsoft Entra ID permission grant condition set object.
Type: | System.String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-PermissionClassification
Specific classification (all, low, medium, high) to scope consent operation down to.
Type: | System.String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Permissions
The identifier of the resource application to scope consent operation down to. It could be @("All") or a list of permission IDs.
Type: | System.Collections.Generic.List`1[System.String] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PermissionType
Specific type of permissions (application, delegated) to scope consent operation down to.
Type: | System.String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PolicyId
The unique identifier of a Microsoft Entra ID permission grant policy object.
Type: | System.String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ResourceApplication
The identifier of the resource application to scope consent operation down to. It could be "Any" or a specific resource application ID.
Type: | System.String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
String