...
Code Block | ||
---|---|---|
| ||
# Install Microsoft Graph Powershell toolkit Install-Module Microsoft.Graph -Scope CurrentUser # The app for which consent is being granted. In this example, we're granting access # to the Microsoft Teams Jira feature, use one of the following: # ----------------------------------------------------------------- # Email e7185a25-9df9-4d05-b779-76b04bf46424 # Meetings e7185a25-9df9-4d05-b779-76b04bf46424 # Calendar e7185a25-9df9-4d05-b779-76b04bf46424 # To Do 32d752a1-8945-4600-97c9-73ed32c3627a # Teams 89d5ca9f-d63b-4885-bd30-6e7433c1540c # Teams JSM portal a47ed889-74d6-4acf-b5c8-b1172696eb70 $clientAppId = "89d5ca9f-d63b-4885-bd30-6e7433c1540c" # Teams # The permissions to grant. Here we're including "openid", "profile", "User.Read" # and "offline_access", "email" (for basic sign-in), as well as feature specific scopes # Email @("openid", "profile", "offline_access", "User.Read", "email", "Mail.ReadWrite.Shared", "Mail.Send.Shared", "People.Read", "User.ReadBasic.All") # Meetings @("openid", "profile", "offline_access", "User.Read", "email", "Calendars.ReadWrite.Shared", "OnlineMeetings.ReadWrite", "User.ReadBasic.All") # Calendar @("openid", "profile", "offline_access", "User.Read", "email", "Calendars.ReadWrite", "Calendars.ReadWrite.Shared", "OnlineMeetings.ReadWrite", "People.Read", "User.ReadBasic.All", "Place.Read.All", "Group.ReadWrite.All", "Team.ReadBasic.All") # To Do @("openid", "profile", "offline_access", "User.Read", "email", "Tasks.Read", "Tasks.ReadWrite", "Tasks.ReadWrite.Shared") # Teams @("openid", "profile", "offline_access", "User.Read", "email", "Channel.ReadBasic.All", "ChannelMessage.Send", "Chat.ReadWrite", "Team.ReadBasic.All", "User.ReadBasic.All") # Teams JSM portal @("openid", "profile", "offline_access", "User.Read", "email") # For Teams $permissions = @("openid", "profile", "offline_access", "User.Read", "email", "Channel.ReadBasic.All", "ChannelMessage.Send", "Chat.ReadWrite", "Team.ReadBasic.All", "User.ReadBasic.All") # Step 0. Connect to Microsoft Graph PowerShell. We need User.ReadBasic.All to get # users' IDs, Application.ReadWrite.All to list and create service principals, # DelegatedPermissionGrant.ReadWrite.All to create delegated permission grants, # and AppRoleAssignment.ReadWrite.All to assign an app role. # Group.Read.All is necessary if you want to use users from a security group Connect-MgGraph -Scopes ("User.ReadBasic.All Application.ReadWrite.All " ` + "DelegatedPermissionGrant.ReadWrite.All " ` + "AppRoleAssignment.ReadWrite.All " ` + "Group.Read.All") # Step 1. Check if a service principal exists for the client application. # If one does not exist, create it. $clientSp = Get-MgServicePrincipal -Filter "appId eq '$($clientAppId)'" if (-not $clientSp) { $clientSp = New-MgServicePrincipal -AppId $clientAppId } Write-Host "Service principal for $($clientAppId) is $($clientSp.Id)" # Step 2. Define users that should have the app consented # Either use a single, hard coded user (upn or GUID) $userIds = @((Get-MgUser -UserId "someuser@contoso.com").Id) # Or assign app based on a security group # $userIds = Get-MgGroupMember -GroupId '<groupGuid>' -All | % {$_.Id } # Loop over selected users foreach ($userId in $userIds) { # Step 3. Create a delegated permission that grants the client app access to the # API, on behalf of the user. If the existing grant already exist, skip creating it # Note: In case of changed scopes, this is not updated automatically yet $existingGrant = Get-MgOauth2PermissionGrant -Filter "consentType eq 'Principal' and principalId eq '$($userId)' and clientId eq '$($clientSp.Id)'" if (-not $existingGrant) { $resourceSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'" $scopeToGrant = $permissions -join " " New-MgOauth2PermissionGrant -ResourceId $resourceSp.Id ` -Scope $scopeToGrant ` -ClientId $clientSp.Id ` -ConsentType "Principal" ` -PrincipalId $userId # Step 4. Assign the app to the user. This ensures that the user can sign in if assignment # is required, and ensures that the app shows up under the user's My Apps. # The app role ID 00000000-0000-0000-0000-000000000000 is the default app role # indicating that the app is assigned to the user, but not for any specific # app role. New-MgServicePrincipalAppRoleAssignedTo ` -ServicePrincipalId $clientSp.Id ` -ResourceId $clientSp.Id ` -PrincipalId $userId ` -AppRoleId "00000000-0000-0000-0000-000000000000" } } |
...