Delegating App Registration Admin Consent permissions in Azure AD (using Graph cmdlets)

A companion post to my previous one. This time using Graph API (or rather the PowerShell Graph cmdlets) rather than PowerShell Azure AD. Get on with the times, Rakhesh. :)

Getting Started

First off, connect to your tenant with your admin account:

By going through the cmdlet reference of this module I found the cmdlet that will let me view existing permission grant policies: Get-MgPolicyPermissionGrantPolicy. Running this gives the following error though:

The first time you connect via Connect-MgGraph it creates a service principal in your tenant called Microsoft Graph PowerShell (this is under Enterprise Applications). You will see this only has permission to sign in and read the profile of the user, so that's why we are getting the above error: the token the cmdlet sends to Graph does not carry a scope that allows reading policies. Here's a screenshot of the default permissions just after I consent:

I’ll have to add additional permissions for the above cmdlet (and others) to work. How do I figure that out?

Googling on the term "graph permission grant policy" brings us to the Graph API reference page for this. Each Graph API reference page lists the permissions (delegated and application) required for that call. If I want to list policies I need the following (Policy.Read.PermissionGrant):

So let’s get these added to the Service Principal. I’ll add the ReadWrite one too as I want to make new ones later after all:

Here’s the consent page that you are shown (notice the consent related permissions):

I am doing an org-wide consent but you don't have to. Keep in mind what org-wide consent means here: every user who signs in to the Microsoft Graph PowerShell app in your tenant will from now on get a token carrying these scopes. That does not by itself let them change policies (Graph still checks the user's directory role for each request), but it does remove the consent prompt as a speed bump, so consent only the scopes you actually need. And of course, if your admin account doesn't have the rights to do these consents you'll have to get someone who has these rights to do it. Usually a Global Admin or a Privileged Role Admin.

Now the cmdlet works:

Notice my previously created custom policies are visible.
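The steps above, connect, find out which scopes the cmdlet needs, reconnect with them and list the policies, as an added example written for this post (not the post's own code). It assumes the Microsoft.Graph modules are installed and that the account used can consent to the requested scopes; Find-MgGraphCommand is the SDK's built-in way to look up the permissions a cmdlet requires, which answers the "how do I figure that out?" question without a web search.

```powershell
# Added example: discover the scopes a Graph PowerShell cmdlet needs, connect with
# them, and list the tenant's permission grant policies.

$cmd = 'Get-MgPolicyPermissionGrantPolicy'

# Find-MgGraphCommand (Microsoft.Graph.Authentication) maps a cmdlet to its Graph
# request and the permissions that request accepts. Several entries may come back
# (v1.0 and beta); the permission list is the same for our purpose, so take the first.
$info = (Find-MgGraphCommand -Command $cmd)[0]
"{0} -> {1} {2}" -f $info.Command, $info.Method, $info.URI
$info.Permissions | Select-Object Name, IsAdmin | Format-Table -AutoSize

# Connect requesting both the Read and the ReadWrite scope (ReadWrite is needed later
# to create policies). You will be prompted to consent the first time.
Connect-MgGraph -Scopes 'Policy.Read.PermissionGrant', 'Policy.ReadWrite.PermissionGrant'

# Check what the session token actually carries before running anything else;
# a missing scope here is the usual cause of an "Insufficient privileges" error.
$ctx = Get-MgContext
"Signed in as {0} ({1})" -f $ctx.Account, $ctx.TenantId
$ctx.Scopes

# List all policies, then just the custom ones. The built-in policies all have ids
# starting with "microsoft-" (for example microsoft-user-default-legacy).
Get-MgPolicyPermissionGrantPolicy | Select-Object Id, DisplayName | Format-Table -AutoSize

$custom = Get-MgPolicyPermissionGrantPolicy | Where-Object { $_.Id -notlike 'microsoft-*' }
"Custom policies: {0}" -f $custom.Count
$custom | Select-Object Id, DisplayName, Description
```

If Get-MgContext shows the scopes but the cmdlet still fails, disconnect (Disconnect-MgGraph) and connect again: the SDK caches tokens, and a token obtained before the consent will not pick up the new scopes until it is refreshed.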

Creating a new app consent policy

Let’s make a new policy that allows specific permissions on the Exchange Online API (not Graph API as before). So, similar steps as before but now with Graph cmdlets.

First I want to find the Service Principal of the Exchange Online API. I know what it’s called from the Portal:

But here’s how I can find it via Graph:

So it's the one with AppId 00000002-0000-0ff1-ce00-000000000000 and Id fc68b031-70e8-4ce5-96a8-b3756967fece. Note that the AppId is the same in every tenant (it identifies the Exchange Online application itself), while the Id is the object id of the service principal in my tenant and will be different in yours; filter on appId in scripts. Let's find its AppRoles as that's what we need for application permissions:

I need additional fields:

The permission I am interested in is full_access_as_app. Its Id is dc890d15-9560-4a4c-9b7f-a736ec74ec40. Let’s create the app consent policy:

Then include the grants in it (there are separate cmdlets for include and exclude):

Cool, so that’s done.
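The whole "create a policy" procedure above in one script, as an added example that is not the post's own code. It assumes a session connected with Policy.ReadWrite.PermissionGrant (to create the policy) and Application.Read.All (to read service principals); the policy id and display name are hypothetical names chosen for the example, and the Exchange Online AppId and the full_access_as_app role value are the ones from the post. It looks the role id up by its Value instead of pasting the GUID, so the same script works in any tenant.

```powershell
# Added example: build a permission grant policy that allows admin consent for exactly
# one application permission (Exchange Online full_access_as_app) and nothing else.

# The AppId of Office 365 Exchange Online is the same in every tenant.
$exoAppId = '00000002-0000-0ff1-ce00-000000000000'

# Filter on appId, not displayName: display names can be changed, appIds cannot.
$exoSp = Get-MgServicePrincipal -Filter "appId eq '$exoAppId'"
if (-not $exoSp) { throw "Exchange Online service principal not found in this tenant" }

# Application permissions are the appRoles of the resource service principal.
# Show the fields that matter: the GUID we must reference and the human-readable value.
$exoSp.AppRoles |
    Select-Object Id, Value, DisplayName, @{ n = 'MemberTypes'; e = { $_.AllowedMemberTypes -join ',' } } |
    Format-Table -AutoSize

$role = $exoSp.AppRoles | Where-Object { $_.Value -eq 'full_access_as_app' }
if (-not $role) { throw "full_access_as_app not found on $($exoSp.DisplayName)" }
"full_access_as_app role id: $($role.Id)"

# Hypothetical policy id; this is what the custom directory role will reference later
# (microsoft.directory/servicePrincipals/managePermissionGrantsForAll.<policy id>).
$policyId = 'custom-exo-full-access-as-app'

$policy = New-MgPolicyPermissionGrantPolicy `
    -Id $policyId `
    -DisplayName 'Consent EXO full_access_as_app only' `
    -Description 'Allows admin consent for the Exchange Online full_access_as_app application permission only.'

# Add the include condition set. Only application (not delegated) permissions, only on
# the Exchange Online resource, only the one role id. No client application filter is
# set, so this applies to any client app being consented.
New-MgPolicyPermissionGrantPolicyInclude `
    -PermissionGrantPolicyId $policy.Id `
    -PermissionType 'application' `
    -ResourceApplication $exoAppId `
    -Permissions @($role.Id) | Out-Null

# Read it back and confirm the policy contains exactly what we intended.
$includes = Get-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $policy.Id
$includes | Select-Object PermissionType, ResourceApplication, @{ n = 'Permissions'; e = { $_.Permissions -join ',' } }

if ($includes.Count -ne 1 -or ($includes[0].Permissions -join ',') -ne $role.Id) {
    throw "Policy $policyId does not contain only full_access_as_app; review before attaching it to a role"
}
"Policy $policyId created and verified"
```

The read-back check at the end is worth keeping in any script like this: a policy with a broader include set than intended, once attached to a role, is a quiet privilege escalation for everyone in that role.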

Creating the custom role

Now let's create the custom role to add this to. To keep it simple I am going to make a new one rather than modify an existing one. To create roles I need the following permission added to my Graph consents: RoleManagement.ReadWrite.Directory (this is itself a highly privileged scope, since it allows changing directory roles, so consent it only for the accounts that need it).

I then took a long time figuring out the cmdlet to create custom roles, as it was not very intuitive.

I know the Graph API request to do this but I couldn't figure out the cmdlet name from the request. There is a New-MgDirectoryRole cmdlet that looked like it might be the one, but it wasn't. Finally I switched to the Beta profile as I noticed the Graph API request was to the Beta API and then looked around and by trial and error found New-MgRoleManagementDirectoryRoleDefinition. Here's how I then created the custom role with the above permissions:

Added my user to this custom role, and boom, she's able to grant admin consents:

She cannot, however, do it for any other Exchange Online permissions:
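The role creation, the role assignment and the two checks the post describes (the allowed permission can be consented, any other Exchange Online permission cannot), as an added example that is not the post's own code. It assumes the policy id from the hypothetical policy above, a session connected with RoleManagement.ReadWrite.Directory for the admin part, and, for the delegated user's part, that AppRoleAssignment.ReadWrite.All and Application.Read.All were already consented org-wide for Microsoft Graph PowerShell. The user, the client app and the role display name are hypothetical. Granting an application permission through Graph means creating an appRoleAssignment on the client's service principal, which is what the managePermissionGrantsForAll action governs, so that is what the check does; in current SDK versions New-MgRoleManagementDirectoryRoleDefinition is available in the v1.0 module as well.

```powershell
# Added example: custom directory role that can consent only via one policy, assign it,
# then verify as the delegated user. Run the first part as an admin.

$policyId = 'custom-exo-full-access-as-app'   # hypothetical policy id created earlier

# The only action in the role: grant consent for all users, but only for permissions
# the named policy includes. Nothing else (no app registration or role management).
$roleDef = New-MgRoleManagementDirectoryRoleDefinition `
    -DisplayName 'Consent granter - EXO full_access_as_app' `
    -Description 'Can grant admin consent only for the Exchange Online full_access_as_app application permission.' `
    -IsEnabled:$true `
    -RolePermissions @(
        @{ AllowedResourceActions = @("microsoft.directory/servicePrincipals/managePermissionGrantsForAll.$policyId") }
    )
"Created role $($roleDef.DisplayName) ($($roleDef.Id))"

# Assign it tenant-wide (directoryScopeId '/') to the hypothetical delegated user.
$user = Get-MgUser -UserId 'jane.doe@contoso.example'
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $roleDef.Id -PrincipalId $user.Id -DirectoryScopeId '/' | Out-Null
"Assigned role to $($user.UserPrincipalName)"

# ---- Verification: run the rest in a NEW session signed in as that user ----
# Disconnect-MgGraph
# Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Application.Read.All'

$exoSp = Get-MgServicePrincipal -Filter "appId eq '00000002-0000-0ff1-ce00-000000000000'"

# Use a throwaway test app registration, never a production one: a grant that
# unexpectedly succeeds here is a real grant in the tenant.
$clientSp = Get-MgServicePrincipal -Filter "displayName eq 'Consent Test App'"   # hypothetical
if (-not $clientSp) { throw "test client service principal not found" }

$allowed = $exoSp.AppRoles | Where-Object { $_.Value -eq 'full_access_as_app' }
$other   = $exoSp.AppRoles | Where-Object { $_.Value -ne 'full_access_as_app' } | Select-Object -First 1

foreach ($appRole in @($allowed, $other)) {
    try {
        # An appRoleAssignment on the client SP for an EXO app role is the admin consent
        # for that application permission.
        New-MgServicePrincipalAppRoleAssignment `
            -ServicePrincipalId $clientSp.Id `
            -PrincipalId $clientSp.Id `
            -ResourceId $exoSp.Id `
            -AppRoleId $appRole.Id | Out-Null
        "GRANTED  {0}" -f $appRole.Value
    }
    catch {
        # Expected for anything outside the policy: Graph refuses with a 403.
        "DENIED   {0}: {1}" -f $appRole.Value, $_.Exception.Message
    }
}
# Expected: full_access_as_app is GRANTED, the other EXO permission is DENIED.
# If both are granted, the user holds a broader role or the policy includes too much.
```

Note the two independent controls at work in the verification: the scope on the token (AppRoleAssignment.ReadWrite.All) says what the Microsoft Graph PowerShell app may ask for on the user's behalf, and the directory role says what this user may actually do; the grant succeeds only where both allow it.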

Nice!

Update: Also see this post.