This is a continuation of an older post and an example.
This and this posts from Microsoft are useful references too.
I want to delegate the ability to do admin consents to certain Graph permissions to some of my admins. In this case the “Sites.Selected” Graph API permission which typically needs a Global Admin to do the consent. To do this I have to create a custom app consent policy and a custom role that includes this app consent policy.
First, connect to Graph with the following scopes.
|
1 |
Connect-MgGraph -Scopes "Policy.Read.PermissionGrant","Policy.ReadWrite.PermissionGrant","RoleManagement.ReadWrite.Directory" |
Get the Microsoft Graph service principal.
|
1 |
$servicePrincipal = Get-MgServicePrincipal -All | Where-Object { $_.DisplayName -eq "Microsoft Graph" } |
For reference, here’s an example of the output:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
> Get-MgServicePrincipal -All | Where-Object { $_.DisplayName -match "Graph" } DisplayName Id AppId SignInAudience ServicePrincipalType ----------- -- ----- -------------- -------------------- IDML Graph Resolver Service and CAD 2362f192-9721-4089-b2c9-6acf3e9ce553 d88a361a-d488-4271-a13f-a83df7dd99c2 AzureADMultipleOrgs Application Graph Data Connect App Registration 2a911a15-76e9-4e98-a1ee-f9f45bd6eba2 52e6d66a-9b02-477b-ad84-01c7d088f081 AzureADMyOrg Application Exchange Office Graph Client for AAD - Noninteractive 2f4d6758-e00b-4037-a933-8b5224f00489 765fe668-04e7-42ba-aec0-2c96f1d8b652 AzureADMultipleOrgs Application Microsoft Graph 327ba63b-334e-4004-bb30-20a607de4098 00000003-0000-0000-c000-000000000000 AzureADMultipleOrgs Application Azure Graph 40a924a5-b3b2-45d3-b466-cc5b2cbf9884 dbcbd02a-d7c4-42fb-8c27-b07e5118b848 AzureADMultipleOrgs Application Exchange Office Graph Client for AAD - Interactive 57943d81-ce4c-4a80-ae3f-56ce03c6a8fd 6da466b6-1d13-4a2c-97bd-51a99e8d4d74 AzureADMultipleOrgs Application Audit GraphAPI Application 68420e79-2754-4dbd-9819-7049a2820601 4bfd5d66-9285-44a1-bb14-14953e8cdf5e AzureADMultipleOrgs Application Microsoft Graph PowerShell 70a6c76d-5c6b-41ca-bb81-56d6f0360ec0 14d82eec-204b-4c2f-b7e8-296a70dab67e AzureADandPersonal… Application Microsoft Graph Change Tracking 895b3d4b-d0b6-4102-8e01-d19ad243a7df 0bf30f3b-4a52-48df-9a82-234910c4a086 AzureADMultipleOrgs Application Microsoft Teams Graph Service 9479fa7c-c94a-4c73-8599-92b762ac0029 ab3be6b7-f5df-413d-ac2d-abf1e3fd9c0b AzureADMultipleOrgs Application OfficeGraph 9b00ad24-77e1-4d53-be39-19e1bf08aa0d ba23cd2a-306c-48f2-9d62-d3ecd372dfe4 AzureADMultipleOrgs Application Azure Resource Graph adaf502e-f36c-4163-af9d-46ecf592d482 509e4652-da8d-478d-a730-e9d4a1996ca4 AzureADMultipleOrgs Application Graph Connector Service bea6ee98-3321-47f5-aff4-4f4844c68c35 56c1da01-2129-48f7-9355-af6d59d42766 AzureADMultipleOrgs Application Microsoft Graph Connectors Core ec34f212-7d53-4c21-b153-c623b96877e6 f8f7a2aa-e116-4ba6-8aea-ca162cfa310d AzureADMultipleOrgs Application |
I selected the Microsoft Graph one from above.
Get the permission Id of the “Sites.Selected” permission within this.
|
1 |
$permissionId = ((Get-MgServicePrincipal -ServicePrincipalId $servicePrincipal.Id).AppRoles | Where-Object { $_.Value -eq "Sites.Selected" }).Id |
Here’s an example of what the permission looks like:
|
1 2 3 4 5 6 7 8 9 10 11 |
> (Get-MgServicePrincipal -ServicePrincipalId $servicePrincipal.Id).AppRoles | Where-Object { $_.Value -eq "Sites.Selected" } AllowedMemberTypes : {Application} Description : Allow the application to access a subset of site collections without a signed in user.The specific site collections and the permissions granted will be configured in SharePoint Online. DisplayName : Access selected site collections Id : 883ea226-0bf2-4a8f-9f9d-92c9162a727d IsEnabled : True Origin : Application Value : Sites.Selected AdditionalProperties : {} |
Now create a new app consent policy and add the “Sites.Selected” permission within it.
|
1 2 3 4 5 6 7 8 9 10 |
New-MgPolicyPermissionGrantPolicy ` -Id "mytenant-graph-sites-selected" ` -Description "Permissions consentable by Application administrator (Sites)" ` -DisplayName "Only sites.selected permission" New-MgPolicyPermissionGrantPolicyInclude ` -PermissionGrantPolicyId "mytenant-graph-sites-selected" ` -PermissionType "application" ` -ResourceApplication $servicePrincipal.AppId ` -Permissions $permissionId |
Here’s what the policy looks like:
|
1 2 3 4 5 6 7 8 9 10 11 |
> Get-MgPolicyPermissionGrantPolicy -PermissionGrantPolicyId 'mytenant-graph-sites-selected' | fl * DeletedDateTime : Description : Permissions consentable by Application administrator (Sites) DisplayName : Only sites.selected permission Excludes : {} Id : mytenant-graph-sites-selected Includes : {f934e25e-6b38-4045-b690-8e2ba42c2915} AdditionalProperties : {[@odata.context, https://graph.microsoft.com/v1.0/$metadata#policies/permissionGrantPolicies/$entity], [includes@odata.context, https://graph.microsoft.com/v1.0/$metadata#policies/permissionGrantPolicies('mytenant-graph-sites-selected')/includes], [excludes@odata.context, https://graph.microsoft.com/v1.0/$metadata#policies/permissionGrantPolicies('mytenant-graph-sites-selected')/excludes]} |
Now to create a custom role that includes this app consent policy.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 |
$params = @{ description = "Can manage selected SharePoint app registrations permissions" displayName = "Application administrator (SharePoint)" rolePermissions = @( @{ allowedResourceActions = @( "microsoft.directory/applications/basic/read", "microsoft.directory/applications/createAsOwner", "microsoft.directory/servicePrincipals/allProperties/read", "microsoft.directory/applications.myOrganization/allProperties/read", "microsoft.directory/applications.myOrganization/allProperties/update", "microsoft.directory/servicePrincipals/create", "microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.mytenant-graph-sites-selected", "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.mytenant-graph-sites-selected" ) } ) isEnabled = $true } New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $params |
I had to make some tweaks here compared to when I first did this in 2021. Specifically, I added these two:
|
1 2 |
"microsoft.directory/applications.myOrganization/allProperties/read", "microsoft.directory/applications.myOrganization/allProperties/update", |
Just the update one would have been enough, I think. I came across this list from Microsoft’s app registrations permissions page. This other page with permissions for app consent is where I across the last two permissions.
|
1 2 |
"microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.mytenant-graph-sites-selected", "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.mytenant-graph-sites-selected" |
This is what allows the Delegated and Application permissions to be consented, for “Sites.Selected”.
Now grant this to an admin from the portal.
Now Adele can login to the portal, create an app registration, add the “Sites.Selected” permission, remove the “User.Read” permission (coz that is not something we allowed in the list above), and do an admin consent (I had to refresh the page after adding the permission, for the “Grant admin consent” button to show).
