
...

Code Block
languagepowershell
# Install Microsoft Graph Powershell toolkit
Install-Module Microsoft.Graph -Scope CurrentUser

# The app for which consent is being granted. In this example, we're granting access
# to the Microsoft Teams GraphJira Explorerfeature, anuse applicationone publishedof bythe Microsoft.following:
$clientAppId = "8c32a034-6431-465a-81fa-74823a7d4226" # Microsoft Graph Explorer

# The permissions to grant. Here we're including # -----------------------------------------------------------------
# Email               e7185a25-9df9-4d05-b779-76b04bf46424
# Meetings            e7185a25-9df9-4d05-b779-76b04bf46424
# Calendar            e7185a25-9df9-4d05-b779-76b04bf46424
# To Do               32d752a1-8945-4600-97c9-73ed32c3627a
# Teams               89d5ca9f-d63b-4885-bd30-6e7433c1540c
# Teams JSM portal    a47ed889-74d6-4acf-b5c8-b1172696eb70
$clientAppId = "89d5ca9f-d63b-4885-bd30-6e7433c1540c" # Teams

# The permissions to grant. Here we're including "openid", "profile", "User.Read"
# and "offline_access", "email" (for basic sign-in), as well as feature specific scopes
# Email               @("openid", "profile", "offline_access", "User.Read", "email", "Mail.ReadWrite.Shared", "Mail.Send.Shared", "People.Read", "User.ReadBasic.All")
# Meetings            @("openid", "profile", "offline_access", "User.Read", "email", "Calendars.ReadWrite.Shared", "OnlineMeetings.ReadWrite", "User.ReadBasic.All")
# Calendar            @("openid", "profile", "offline_access", "User.Read", "email", "Calendars.ReadWrite", "Calendars.ReadWrite.Shared", "OnlineMeetings.ReadWrite", "People.Read", "User.ReadBasic.All", "Place.Read.All", "Group.ReadWrite.All", "Team.ReadBasic.All")
# To Do               @("openid", "profile", "offline_access", "User.Read", "email", "Tasks.Read", "Tasks.ReadWrite", "Tasks.ReadWrite.Shared")
# Teams               @("openid", "profile", "offline_access", "User.Read", "email", "Channel.ReadBasic.All", "ChannelMessage.Send", "Chat.ReadWrite", "Team.ReadBasic.All", "User.ReadBasic.All")
# Teams JSM portal    @("openid", "profile", "User.Read"
# and "offline_access" (for basic sign-in), as well as "User.ReadBasic.AllRead" (for 
# reading other users' basic profile)., "email")

# For Teams
$permissions =  @("openid", "profile", "offline_access", "User.Read", "email", "TeamsAppInstallation.ReadWriteSelfForChatChannel.ReadBasic.All", "ChannelMessage.Send", "Chat.ReadWrite", "Team.ReadBasic.All", "User.ReadBasic.All")

# Step 0. Connect to Microsoft Graph PowerShell. We need User.ReadBasic.All to get
#    users' IDs, Application.ReadWrite.All to list and create service principals, 
#    DelegatedPermissionGrant.ReadWrite.All to create delegated permission grants, 
#    and AppRoleAssignment.ReadWrite.All to assign an app role.
#    Group.Read.All is necessary if you want to use users from a security group
Connect-MgGraph -Scopes ("User.ReadBasic.All Application.ReadWrite.All " `
                        + "DelegatedPermissionGrant.ReadWrite.All " `
                        + "AppRoleAssignment.ReadWrite.All " `
                        + "Group.Read.All")

# Step 1. Check if a service principal exists for the client application. 
#     If one does not exist, create it.
$clientSp = Get-MgServicePrincipal -Filter "appId eq '$($clientAppId)'"
if (-not $clientSp) {
   $clientSp = New-MgServicePrincipal -AppId $clientAppId
}

Write-Host "Service principal for $($clientAppId) is $($clientSp.Id)"

# Step 2. Define users that should have the app consented
#         Either use a single, hard coded user (upn or GUID)
$userIds = @(Get-MgUser -UserId "miriamg@yasoondemosomeuser@contoso.onmicrosoft.com")

#         Or assign app based on a security group
# $userIds = Get-MgGroupMember -GroupId '<groupGuid>' -All | % {$_.Id } 


# Loop over selected users
foreach ($userId in $userIds)
{
    # Step 3. Create a delegated permission that grants the client app access to the
    #     API, on behalf of the user. If the existing grant already exist, skip creating it
    #     Note: In case of changed scopes, this is not updated automatically yet
    $existingGrant = Get-MgOauth2PermissionGrant -Filter "consentType eq 'Principal' and principalId eq $($userId) and clientId eq '$($clientSp.Id)'" 

    if (-not $existingGrant) {
        $resourceSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
        $scopeToGrant = $permissions -join " "
        New-MgOauth2PermissionGrant -ResourceId $resourceSp.Id `
                                            -Scope $scopeToGrant `
                                            -ClientId $clientSp.Id `
                                            -ConsentType "Principal" `
                                            -PrincipalId $userId
        
        # Step 4. Assign the app to the user. This ensures that the user can sign in if assignment
        #     is required, and ensures that the app shows up under the user's My Apps.
            # The app role ID 00000000-0000-0000-0000-000000000000 is the default app role
            # indicating that the app is assigned to the user, but not for any specific 
            # app role.
        New-MgServicePrincipalAppRoleAssignedTo `
                -ServicePrincipalId $clientSp.Id `
                -ResourceId $clientSp.Id `
                -PrincipalId $userId `
                -AppRoleId "00000000-0000-0000-0000-000000000000"
    }
}
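Review bot: The "skip if a grant already exists" check at the top of the foreach loop is unlikely to ever match, because `$userIds` is built from the `Get-MgUser` objects themselves rather than their `.Id` strings (the commented group variant does project `$_.Id`), and the filter interpolates the principal unquoted, unlike `clientId eq '$($clientSp.Id)'`; if the lookup errors or returns nothing, a new grant is created on every run and `-PrincipalId` is handed an object rather than a GUID, so the consent step either fails or records something other than the intended user. Suggested: `$userIds = @((Get-MgUser -UserId "<user-upn>").Id)` and `-Filter "consentType eq 'Principal' and principalId eq '$($userId)' and clientId eq '$($clientSp.Id)'"`. The check also compares no scopes, as the comment above it admits, so a pre-existing grant whose scope list is broader than `$permissions` is kept as-is; reading back the existing grant's `Scope` and comparing it to `$permissions -join " "` before skipping would keep the delegated consent at the intended minimum. Separately, `$clientAppId` is assigned twice (the Graph Explorer value is dead) and the active `$permissions` list contains `TeamsAppInstallation.ReadWriteSelfForChatChannel.ReadBasic.All`, which looks like two permission names run together by the version merge — confirm against the per-feature list above before running, since an unintended scope string either fails the grant or consents to more than intended.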

...

Creating the Enterprise application only for review purposes

...