Set-EntraPermissionGrantConditionSet

Module:

Microsoft.Entra

Update an existing Microsoft Entra ID permission grant condition set.

Syntax

Set-EntraPermissionGrantConditionSet
   -ConditionSetType <String>
   -Id <String>
   -PolicyId <String>
   [-Permissions <System.Collections.Generic.List`1[System.String]>]
   [-ClientApplicationTenantIds <System.Collections.Generic.List`1[System.String]>]
   [-ClientApplicationIds <System.Collections.Generic.List`1[System.String]>]
   [-ResourceApplication <String>]
   [-PermissionType <String>]
   [-PermissionClassification <String>]
   [-ClientApplicationsFromVerifiedPublisherOnly <Boolean>]
   [-ClientApplicationPublisherIds <System.Collections.Generic.List`1[System.String]>]
   [<CommonParameters>]

Description

Updates a Microsoft Entra ID permission grant condition set object identified by Id.

Examples

Example 1: Update a permission grant condition set to includes permissions that is classified as low

Connect-Entra -Scopes 'Policy.ReadWrite.PermissionGrant'
$permissionGrantPolicy = Get-EntraPermissionGrantPolicy | Where-Object { $_.Id -eq 'my-custom-consent-policy' }
$conditionSet = Get-EntraPermissionGrantConditionSet -PolicyId $permissionGrantPolicy.Id -ConditionSetType 'includes' | Where-Object { $_.PermissionType -eq 'delegated' }
Set-EntraPermissionGrantConditionSet -PolicyId $permissionGrantPolicy -ConditionSetType 'includes' -Id $conditionSet.Id -PermissionClassification 'low'

This command updates sets the specified permission grant set to classify as low.

• -PolicyId parameter specifies the unique identifier of a permission grant policy.
• -ConditionSetType parameter indicates whether the condition sets are included in the policy or excluded.
• -Id parameter specifies the unique identifier of a permission grant condition set object.
• -PermissionClassification parameter specifies the specific classification (all, low, medium, high) to scope consent operation down to.

Example 2: Update a permission grant condition set

Connect-Entra -Scopes 'Policy.ReadWrite.PermissionGrant'
$permissionGrantPolicy = Get-EntraPermissionGrantPolicy | Where-Object { $_.Id -eq 'my-custom-consent-policy' }
$conditionSet = Get-EntraPermissionGrantConditionSet -PolicyId $permissionGrantPolicy.Id -ConditionSetType 'includes' | Where-Object { $_.PermissionType -eq 'delegated' }
$params = @{
    PolicyId                                    = $permissionGrantPolicy.Id
    ConditionSetType                            = 'includes'
    Id                                          = $conditionSet.Id
    PermissionType                              = 'delegated'
    PermissionClassification                    = 'low'
    ResourceApplication                         = 'a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1'
    Permissions                                 = @('All')
    ClientApplicationIds                        = @('All')
    ClientApplicationTenantIds                  = @('All')
    ClientApplicationPublisherIds               = @('All')
    ClientApplicationsFromVerifiedPublisherOnly = $true
}

Set-EntraPermissionGrantConditionSet @params

This command updates sets the specified permission grant set.

• -PolicyId parameter specifies the unique identifier of a permission grant policy.
• -ConditionSetType parameter indicates whether the condition sets are included in the policy or excluded.
• -Id parameter specifies the unique identifier of a permission grant condition set object.
• -PermissionType parameter specifies the type of permissions (application, delegated) to scope consent operation down to.
• -PermissionClassification parameter specifies the specific classification (all, low, medium, high) to scope consent operation down to.
• -ResourceApplication parameter specifies identifier of the resource application to scope consent operation down to. It could be "Any" or a specific resource application ID.
• -Permissions parameter specifies the identifier of the resource application to scope consent operation down to. It could be @("All") or a list of permission IDs.
• -ClientApplicationIds parameter specifies the set of client application IDs to scope consent operation down to. It could be @("All") or a list of client application IDs.
• -ClientApplicationTenantIds parameter specifies the set of client applications publisher IDs to scope consent operation down to. It could be @("All") or a list of client application publisher IDs.
• -ClientApplicationPublisherIds parameter specifies the set of client applications publisher IDs to scope consent operation down to. It could be @("All") or a list of client application publisher IDs.
• -ClientApplicationsFromVerifiedPublisherOnly parameter indicates whether to only includes client applications from verified publishers.

Parameters

-ClientApplicationIds

The set of client application IDs to scope consent operation down to. It could be @("All") or a list of client application IDs.

Type:	System.Collections.Generic.List`1[System.String]
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-ClientApplicationPublisherIds

The set of client applications publisher IDs to scope consent operation down to. It could be @("All") or a list of client application publisher IDs.

Type:	System.Collections.Generic.List`1[System.String]
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-ClientApplicationsFromVerifiedPublisherOnly

A value indicates whether to only includes client applications from verified publishers.

Type:	System.Boolean
Position:	Named
Default value:	False
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-ClientApplicationTenantIds

The set of client application tenant IDs to scope consent operation down to. It could be @("All") or a list of client application tenant IDs.

Type:	System.Collections.Generic.List`1[System.String]
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-ConditionSetType

The value indicates whether the condition sets are included in the policy or excluded.

Type:	System.String
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	True
Accept wildcard characters:	False

-Id

The unique identifier of a Microsoft Entra ID permission grant condition set object.

Type:	System.String
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	True
Accept wildcard characters:	False

-PermissionClassification

Specific classification (all, low, medium, high) to scope consent operation down to.

Type:	System.String
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-Permissions

The identifier of the resource application to scope consent operation down to. It could be @("All") or a list of permission IDs.

Type:	System.Collections.Generic.List`1[System.String]
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-PermissionType

Specific type of permissions (application, delegated) to scope consent operation down to.

Type:	System.String
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

-PolicyId

The unique identifier of a Microsoft Entra ID permission grant policy object.

Type:	System.String
Position:	Named
Default value:	None
Required:	True
Accept pipeline input:	True
Accept wildcard characters:	False

-ResourceApplication

The identifier of the resource application to scope consent operation down to. It could be "Any" or a specific resource application ID.

Type:	System.String
Position:	Named
Default value:	None
Required:	False
Accept pipeline input:	False
Accept wildcard characters:	False

Inputs

String

Related Links

• New-EntraPermissionGrantConditionSet
• Get-EntraPermissionGrantConditionSet
• Remove-EntraPermissionGrantConditionSet