We've recently added entra app permission add for working with permissions of app registrations.
We also have:
- aad approleassignment add but that only adds app-only permissions to service principals, not to App Registrations.
- aad oauth2grant add but that only adds delegated permissions to service principals, not to App Registrations.
This issue is for adding the same functionality to service principals in a more consistent way, which can in time replace the oauthgrant and approleassignment commands.
We're also implementing a rename of the entra serviceprincipal verb, which is why we're adding this in the correct command group right from the start.
Usage
m365 entra enterpriseapp permission add [options]
Description
Adds the specified application and/or delegated permissions to a specified Entra enterprise application
Options
| Option | Description |
|---|---|
| -i, --appId [appId] | Client ID of the Entra enterprise app to add the API permissions to. Specify either appId, appName or appObjectId. |
| --appObjectId [appObjectId] | Object ID of the Entra enterprise app to add the API permissions to. Specify either appId, appName or appObjectId. |
| -n, --appName [appName] | Display name of the Entra enterprise app to add the API permissions to. Specify either appId, appName or appObjectId. |
| -a, --applicationPermissions [applicationPermissions] | Space-separated list of application permissions to add. Specify at least applicationPermissions or delegatedPermissions. |
| -d, --delegatedPermissions [delegatedPermissions] | Space-separated list of delegated permissions to add. Specify at least applicationPermissions or delegatedPermissions. |
Remarks
Scopes/Roles to grant must be fully-qualified so that we can disambiguate them between the different resources.
Examples
Grant multiple delegated API permissions to an Entra enterprise application
m365 entra enterpriseapp permission add --appId 'f1417aa3-bf0b-4cc5-a845-a0b2cf11f690' --delegatedPermissions 'https://management.azure.com/user_impersonation https://service.flow.microsoft.com/Flows.Read.All https://graph.microsoft.com/Agreement.Read.All'
Grant multiple app-only permissions to an Entra enterprise application
m365 entra enterpriseapp permission add --appId 'f1417aa3-bf0b-4cc5-a845-a0b2cf11f690' --applicationPermissions 'https://graph.microsoft.com/Sites.FullControl.All https://microsoft.sharepoint-df.com/Sites.FullControl.All'
Additional information
If multiple apps with the same name exist, the CLI should show a disambiguation prompt to let the user choose.
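The Remarks section requires fully-qualified scopes and roles so that each one can be tied to a single resource. The sketch below is an added example, not code from this issue or from CLI for Microsoft 365: `groupPermissions` and `PermissionRequest` are hypothetical names, and it assumes the resource is an https URL with the permission name as the final path segment, as in the examples above.

```typescript
// Added example (hypothetical names), not CLI for Microsoft 365 source code.
interface PermissionRequest {
  resource: string; // e.g. https://graph.microsoft.com
  names: string[];  // e.g. ['Agreement.Read.All']
}

// Assumption: an absolute https resource URL, then the scope/role name
// as the final path segment.
const QUALIFIED = /^(https:\/\/[^\s\/]+(?:\/[^\s\/]+)*)\/([A-Za-z0-9_.\-]+)$/;

// Parses the space-separated option value and groups names per resource,
// so each resource can be resolved and granted separately.
function groupPermissions(optionValue: string): PermissionRequest[] {
  const byResource: { [resource: string]: string[] } = {};
  const order: string[] = [];
  const tokens = optionValue.split(/\s+/).filter(t => t.length > 0);
  if (tokens.length === 0) {
    throw new Error('No permissions specified');
  }
  for (const token of tokens) {
    const match = QUALIFIED.exec(token);
    if (!match) {
      // A bare name such as "Sites.FullControl.All" exists on more than one
      // API, so refuse to guess which resource was meant.
      throw new Error(`Permission '${token}' is not fully-qualified`);
    }
    const resource = match[1];
    const name = match[2];
    if (!byResource[resource]) {
      byResource[resource] = [];
      order.push(resource);
    }
    // Drop duplicates so the same permission is not requested twice.
    if (byResource[resource].indexOf(name) === -1) {
      byResource[resource].push(name);
    }
  }
  return order.map(resource => ({ resource, names: byResource[resource] }));
}
```

Rejecting unqualified names up front, rather than defaulting to one API, keeps a typo from turning into a grant on a resource the operator did not intend.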