Add-AzADAppPermission

Adds an API permission.

Syntax

Add-AzADAppPermission
   -ApiId <Guid>
   -PermissionId <String>
   -ObjectId <Guid>
   [-Type <String>]
   [-DefaultProfile <PSObject>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
Add-AzADAppPermission
   -ApiId <Guid>
   -PermissionId <String>
   [-Type <String>]
   -ApplicationId <Guid>
   [-DefaultProfile <PSObject>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

Adds an API permission. The list of available permissions of API is property of application represented by service principal in tenant.

For instance, to get available permissions for Graph API:

  • Azure Active Directory Graph: Get-AzAdServicePrincipal -ApplicationId 00001111-aaaa-2222-bbbb-3333cccc4444
  • Microsoft Graph: Get-AzAdServicePrincipal -ApplicationId 00001111-aaaa-2222-bbbb-3333cccc4444

Application permissions under the appRoles property correspond to Role in -Type. Delegated permissions under the oauth2Permissions property correspond to Scope in -Type.

User needs to grant consent via Azure Portal if the permission requires admin consent because Azure PowerShell doesn't support it yet.

Examples

Example 1: Add API Permission

Add-AzADAppPermission -ObjectId 9cc74d5e-1162-4b90-8696-65f3d6a3f7d0 -ApiId 00001111-aaaa-2222-bbbb-3333cccc4444 -PermissionId 5f8c59db-677d-491f-a6b8-5f174b11ec1d

Add delegated permission "Group.Read.All" of Microsoft Graph API to AD Application (9cc74d5e-1162-4b90-8696-65f3d6a3f7d0)

Example 2: Add API Permission

Add-AzADAppPermission -ObjectId 9cc74d5e-1162-4b90-8696-65f3d6a3f7d0 -ApiId 00001111-aaaa-2222-bbbb-3333cccc4444 -PermissionId 1138cb37-bd11-4084-a2b7-9f71582aeddb -Type Role

Add application permission "Device.ReadWrite.All" of Microsoft Graph API to AD Application (9cc74d5e-1162-4b90-8696-65f3d6a3f7d0)

Parameters

-ApiId

The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.

Type:Guid
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-ApplicationId

The application Id.

Type:Guid
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Type:PSObject
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ObjectId

The unique identifier in Azure AD.

Type:Guid
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-PermissionId

The unique identifier for one of the oauth2PermissionScopes or appRole instances that the resource application exposes.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Type

Specifies whether the id property references an oauth2PermissionScopes(Scope, delegated permission) or an appRole(Role, application permission).

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Outputs

Boolean