Usage
aad approleassignment add [options]
Description
Adds service principal permissions, also known as scopes or app role assignments, to the specified Azure AD application registration. An app role assignment is an application permission: it grants the application (or managed identity) app-only access to the resource across the whole tenant, with no signed-in user, so adding one is equivalent to granting admin consent for that permission and should be reviewed accordingly.
Options
| Option | Description |
|---|---|
| `--appId [appId]` | appId (also known as clientId) of the App Registration to which the configured scopes (app roles) should be assigned |
| `--objectId [objectId]` | objectId of the App Registration to which the configured scopes (app roles) should be assigned |
| `--displayName [displayName]` | Display name of the App Registration to which the configured scopes (app roles) should be assigned |
| `--resourceName <resourceName>` | Display name, appId or objectId of the service principal that exposes the scopes (app roles), e.g. `SharePoint`. Autocomplete values: `Microsoft Graph`, `SharePoint`, `OneNote`, `Exchange`, `Microsoft Forms`, `Azure Active Directory Graph`, `Skype for Business` |
| `-s, --scope <scope>` | Permissions (also known as scopes or app roles) to grant to the application. To grant multiple permissions, separate them with commas, e.g. `Sites.Read.All,Sites.ReadWrite.All` |
| `-o, --output [output]` | Output type. `json,text`. Default `text` |
| `--verbose` | Runs command with verbose logging |
| `--debug` | Runs command with debug logging |
Note: Autocomplete values for the resourceName option are not the only allowed values. Autocomplete only suggests some well-known names; users can still pass the name of their own custom application or of any other application in their tenant.
Note: I use resourceName and scope as option names to follow the same pattern used in oauth2grant add. We can perhaps use servicePrincipal instead of resourceId and appRoles instead of scope, but this would probably not make the terms less confusing for the users, since Microsoft always has 5 different terms that have similar meaning.
Note: This command can also be used to assign permissions to a system-assigned or user-assigned managed identity. A managed identity has no App Registration, so in that case the objectId is the objectId of the managed identity's service principal.
Examples
Adds the SharePoint Sites.Read.All application permission to the Azure AD application with app id 57907bf8-73fa-43a6-89a5-1f603e29e451
o365 aad approleassignment add --appId "57907bf8-73fa-43a6-89a5-1f603e29e451" --resourceName "SharePoint" --scope "Sites.Read.All"
Adds multiple Microsoft Graph application permissions to the Azure AD application with display name MyAppName
o365 aad approleassignment add --displayName "MyAppName" --resourceName "Microsoft Graph" --scope "Mail.Read,Mail.Send"
Adds the Microsoft Graph Mail.Read application permission to a system-assigned managed identity whose service principal has objectId 57907bf8-73fa-43a6-89a5-1f603e29e451
o365 aad approleassignment add --objectId "57907bf8-73fa-43a6-89a5-1f603e29e451" --resourceName "Microsoft Graph" --scope "Mail.Read"
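The following is an added example, not code from CLI for Microsoft 365, showing what the command has to do behind the examples above: resolve the `--resourceName` value (display name, portal alias, appId or objectId) to a resource service principal, map each comma-separated `--scope` value to an app role id, and build the Microsoft Graph `appRoleAssignment` bodies that are POSTed to `/servicePrincipals/{principalId}/appRoleAssignments`. It also rejects scopes that are not enabled application permissions (a user-assignable role or a delegated scope is not an app role). The service principals, app roles and GUIDs below are constructed sample data; the alias table uses the bracketed portal aliases from the reference list further down this page.

```typescript
// Added example (not CLI for Microsoft 365 code). Sample data is constructed.

interface AppRole {
  id: string;
  value: string;                // permission name, e.g. "Mail.Read"
  allowedMemberTypes: string[]; // "Application" for app roles, "User" for user-assignable roles
  isEnabled: boolean;
}

interface ServicePrincipal {
  id: string;          // objectId of the service principal
  appId: string;       // clientId of the application
  displayName: string;
  appRoles: AppRole[];
}

interface AppRoleAssignment {
  principalId: string; // objectId of the service principal receiving the app role
  resourceId: string;  // objectId of the resource service principal
  appRoleId: string;
}

// Portal aliases (shown in brackets in the reference list on this page) -> actual app names.
const RESOURCE_ALIASES: Record<string, string> = {
  'sharepoint': 'Office 365 SharePoint Online',
  'exchange': 'Office 365 Exchange Online',
  'intune': 'Microsoft Intune API',
};

// Constructed stand-ins for what a servicePrincipals lookup would return; GUIDs are made up.
const SAMPLE_RESOURCES: ServicePrincipal[] = [
  {
    id: '10000000-0000-4000-8000-000000000001',
    appId: '20000000-0000-4000-8000-000000000001',
    displayName: 'Microsoft Graph',
    appRoles: [
      { id: 'a0000000-0000-4000-8000-000000000001', value: 'Mail.Read', allowedMemberTypes: ['Application'], isEnabled: true },
      { id: 'a0000000-0000-4000-8000-000000000002', value: 'Mail.Send', allowedMemberTypes: ['Application'], isEnabled: true },
      { id: 'a0000000-0000-4000-8000-000000000003', value: 'Legacy.Role', allowedMemberTypes: ['Application'], isEnabled: false },
      { id: 'a0000000-0000-4000-8000-000000000004', value: 'Reader', allowedMemberTypes: ['User'], isEnabled: true },
    ],
  },
  {
    id: '10000000-0000-4000-8000-000000000002',
    appId: '20000000-0000-4000-8000-000000000002',
    displayName: 'Office 365 SharePoint Online',
    appRoles: [
      { id: 'b0000000-0000-4000-8000-000000000001', value: 'Sites.Read.All', allowedMemberTypes: ['Application'], isEnabled: true },
    ],
  },
];

// --resourceName accepts a display name (or portal alias), an appId or an objectId.
function resolveResource(resources: ServicePrincipal[], nameOrId: string): ServicePrincipal {
  const wanted = (RESOURCE_ALIASES[nameOrId.toLowerCase()] ?? nameOrId).toLowerCase();
  const matches = resources.filter(sp =>
    sp.id.toLowerCase() === wanted || sp.appId.toLowerCase() === wanted || sp.displayName.toLowerCase() === wanted);
  if (matches.length > 1) throw new Error(`Resource '${nameOrId}' is ambiguous; use appId or objectId`);
  const match = matches[0];
  if (!match) throw new Error(`Resource '${nameOrId}' not found`);
  return match;
}

// --scope is comma-separated; tolerate surrounding spaces and a trailing comma.
function parseScopes(scope: string): string[] {
  return scope.split(',').map(s => s.trim()).filter(s => s.length > 0);
}

// One appRoleAssignment body per scope. Only enabled roles that allow the "Application"
// member type qualify: anything else is not an application permission and is rejected.
function buildAppRoleAssignments(principalId: string, resource: ServicePrincipal, scope: string): AppRoleAssignment[] {
  return parseScopes(scope).map(name => {
    const role = resource.appRoles.find(r => r.value.toLowerCase() === name.toLowerCase());
    if (!role) throw new Error(`'${name}' is not an app role of '${resource.displayName}'`);
    if (!role.allowedMemberTypes.includes('Application')) throw new Error(`'${role.value}' is not an application permission`);
    if (!role.isEnabled) throw new Error(`'${role.value}' is disabled on '${resource.displayName}'`);
    return { principalId, resourceId: resource.id, appRoleId: role.id };
  });
}

// Each body is POSTed to this Microsoft Graph v1.0 endpoint to grant the app role.
function assignmentUrl(principalId: string): string {
  return `https://graph.microsoft.com/v1.0/servicePrincipals/${principalId}/appRoleAssignments`;
}

// Usage mirroring the Mail.Read,Mail.Send example above; the principal objectId is constructed.
const examplePrincipal = '30000000-0000-4000-8000-000000000001';
const exampleGraph = resolveResource(SAMPLE_RESOURCES, 'Microsoft Graph');
for (const body of buildAppRoleAssignments(examplePrincipal, exampleGraph, 'Mail.Read,Mail.Send')) {
  console.log(`POST ${assignmentUrl(examplePrincipal)}`, JSON.stringify(body));
}
```

The lookup is case-insensitive on both the resource name and the scope value so that a typo such as `Sites.ReadWrite.all` still resolves, but the assignment always carries the role's own id, so what gets granted is exactly the role the resource defines.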
Links
https://docs.microsoft.com/en-us/graph/permissions-reference
Reference list of Microsoft applications (as shown in the Azure portal) that expose application permissions
Microsoft Graph
Azure Rights Management Services
Dynamics 365 Business Central
Microsoft Intune API (Intune)
Office 365 Management APIs
Power BI Service
Office 365 SharePoint Online (SharePoint)
Skype for Business
Azure Import/Export
Dynamics ERP
OneNote
Universal Print
Azure Active Directory Graph
Office 365 Exchange Online (Exchange)
Microsoft Exchange Online Protection
Skype and Teams Tenant Admin API
Microsoft Information Protection Sync Service
Office 365 Information Protection
Compute Recommendation Service
DeploymentScheduler
StreamToSubstrateRepl
Microsoft Forms
Microsoft Invoicing
Signup
Azure AD Identity Governance Insights
Application Insights API
Microsoft Teams Retail Service
M365DataAtRestEncryption
Skype Presence Service
Sway
Microsoft Teams Chat Aggregator
ProjectWorkManagement
Microsoft Stream Service
Microsoft Teams Services
Microsoft Teams UIS
Cortana at Work Bing Services
Microsoft Teams Graph Service
Cortana Runtime Service
Cortana at Work Service
Log Analytics API
Office 365 Enterprise Insights
Microsoft Teams ADL
Microsoft Service Trust
Microsoft Information Protection API
Microsoft Threat Protection
WindowsDefenderATP
IC3 Long Running Operations Service
Graph Connector Service
Windows Store for Business
Note: Some of them have an alias in brackets. This is how they are displayed in the Azure portal. So in the portal they are seen as:

but the actual name of the app is

@waldekmastykarz, @garrytrinder, @appieschot please comment on this, so we can finalize it and I can make it happen.