I had posted about this previously… today I wanted to send a bunch of cmdlets to my colleagues to allow admin consenting of the Sites.Selected
(both Graph API and SharePoint API) permission to a custom role. Here’s the PowerShell code to do that, based on what I posted previously.
```powershell
Remove-Module AzureAD -ErrorAction SilentlyContinue
Import-Module AzureADPreview
Connect-AzureAD

# Name of the policy
$newPolicyId = "mytenant-sharepoint-selected-permissions"

# Create the policy
New-AzureADMSPermissionGrantPolicy `
    -Id $newPolicyId `
    -DisplayName "Selected SharePoint permissions" `
    -Description "Allows Admin Consent to selected SharePoint"

# Get the Graph API SPN
$graphSPN = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"

# Get the Id of the Sites.Selected permission of the Graph SPN
$permissionId = ($graphSPN | Select-Object -ExpandProperty AppRoles | Where-Object { $_.Value -eq "Sites.Selected" }).Id

# Add this permission to the role
New-AzureADMSPermissionGrantConditionSet `
    -PolicyId $newPolicyId `
    -ConditionSetType "includes" `
    -PermissionType "application" `
    -ResourceApplication $graphSPN.AppId `
    -Permissions @($permissionId)

# Repeat for SharePoint API
$spoSPN = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Office 365 SharePoint Online'"
$permissionId = ($spoSPN | Select-Object -ExpandProperty AppRoles | Where-Object { $_.Value -eq "Sites.Selected" }).Id

New-AzureADMSPermissionGrantConditionSet `
    -PolicyId $newPolicyId `
    -ConditionSetType "includes" `
    -PermissionType "application" `
    -ResourceApplication $spoSPN.AppId `
    -Permissions @($permissionId)

# Create the custom role
$displayName = "Application administrator (SharePoint)"
$description = "Can manage more aspects of application registrations."
$templateId = (New-Guid).Guid

# Set of permissions to grant
$allowedResourceAction = @(
    "microsoft.directory/applications/create",
    "microsoft.directory/servicePrincipals/allProperties/read",
    "microsoft.directory/servicePrincipals/create",
    "microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.$newPolicyId",
    "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.$newPolicyId"
)
$rolePermissions = @{'allowedResourceActions' = $allowedResourceAction}

# Create the custom role
$customAdmin = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -Description $description -TemplateId $templateId -IsEnabled $true
```
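Because a permission grant policy is what bounds the consent this role can give, it is worth reading it back after creation. The following is an added check, not code from the original post: it lists every condition set on the policy, maps the permission ids back to their names, flags anything other than an application-type Sites.Selected on Graph or SharePoint, and confirms the custom role actually references the policy. It assumes the policy id and role display name used above.

```powershell
Import-Module AzureADPreview
Connect-AzureAD

# Same values as in the script above (assumption: nothing was renamed)
$policyId = "mytenant-sharepoint-selected-permissions"
$roleName = "Application administrator (SharePoint)"

# Resolve the two resource SPNs so permission ids can be mapped back to names
$resources = @{}
foreach ($name in "Microsoft Graph", "Office 365 SharePoint Online") {
    $spn = Get-AzureADServicePrincipal -Filter "DisplayName eq '$name'"
    $resources[$spn.AppId] = $spn
}

$policy = Get-AzureADMSPermissionGrantPolicy -Id $policyId
if (-not $policy) { throw "Policy '$policyId' not found" }

# Walk both condition set types; an "excludes" set is unexpected for this policy
foreach ($setType in "includes", "excludes") {
    $sets = Get-AzureADMSPermissionGrantConditionSet -PolicyId $policyId -ConditionSetType $setType
    foreach ($cs in $sets) {
        $spn = $resources[$cs.ResourceApplication]
        if (-not $spn) {
            Write-Warning "$setType set $($cs.Id) targets unexpected resource app $($cs.ResourceApplication)"
            continue
        }
        foreach ($permId in $cs.Permissions) {
            $role = $spn.AppRoles | Where-Object { $_.Id -eq $permId }
            $ok = ($setType -eq "includes") -and
                  ($cs.PermissionType -eq "application") -and
                  ($role.Value -eq "Sites.Selected")
            $status = if ($ok) { "OK" } else { "UNEXPECTED" }
            "{0,-10} {1,-9} {2,-30} {3,-15} {4}" -f $status, $setType, $spn.DisplayName, $role.Value, $cs.PermissionType
        }
    }
}

# The role is only useful if its resource actions point at this policy
$roleDef = Get-AzureADMSRoleDefinition -Filter "DisplayName eq '$roleName'"
if (-not $roleDef) { throw "Role '$roleName' not found" }
$actions = $roleDef.RolePermissions.AllowedResourceActions
foreach ($suffix in "managePermissionGrantsForSelf", "managePermissionGrantsForAll") {
    $expected = "microsoft.directory/servicePrincipals/$suffix.$policyId"
    if ($actions -contains $expected) { "Role grants $expected" }
    else { Write-Warning "Role is missing $expected" }
}
```

Any line marked UNEXPECTED means the policy would let role holders consent to more than Sites.Selected and should be investigated before the role is assigned.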
Since the previous post I’ve fumbled my way to being more knowledgeable about Azure AD, so there are some minor differences in the code from what I posted then: less hard-coding of ids, etc. That post still has all the background info on what I am doing above, so be sure to read it if the above makes no sense.