Azure-cli: List of Graph API permission

Created on 22 Nov 2019 · 9 Comments · Source: Azure/azure-cli

In the "add a Graph API permission" example "Sign in and read user profile" is represented by a guid. Is there a doc that has a complete list of all api permissions and their guids?



Graph question


All 9 comments

@jiasli please take a look.

@gregdegruy https://blogs.msdn.microsoft.com/aaddevsup/2018/06/06/guid-table-for-windows-azure-active-directory-permissions/

311a71cc-e848-46a1-bdf8-97ff7156d8e6 - (Scope) Sign in and read user profile

Thanks @g-rad, the link helps a lot! 😃

@jiasli This issue is closed, but there is nothing in the documentation that would have let me find that GUID table blog post. I had Googled "az cli api permissions guids" but that didn't find it either. Luckily that search led me to this repo and I saw this issue.

I think that table should really be in the official documentation and discoverable from the docs for "az ad app permission add".

Posting this here since Bing brought me here through searching.

SO answer includes az command to pull the Microsoft Graph API permissions listing: https://stackoverflow.com/questions/41946417/how-can-i-get-the-guids-of-graph-api-permissions-programmatically-for-an-azure-a/63405409#63405409

Command reference (in case you can't hit SO):

az ad sp show --id 00000003-0000-0000-c000-000000000000

Could not find this available data via Microsoft.Graph module.

Note that 00000003-0000-0000-c000-000000000000 is the Resource App ID for Microsoft Graph API.

Hi @wsmelton, thank you for the link.

Could you share more context about

Could not find this available data via Microsoft.Graph module.

Do you mean the Microsoft.Graph PowerShell module?

Correct. I had assumed that would be the module to use but did find AzureAD has it as well, just have to pull the Service ID for Microsoft Graph.

# $appPerms holds the application-permission names (AppRole "Value" strings) you want to look up
$msGraphService = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
$permissions = $msGraphService.AppRoles.Where({$_.Value -in $appPerms})

You can get the Oauth2Permissions from that same object using $msGraphService.Oauth2Permissions.

Get-AzureADServicePrincipal

Get-AzureADServicePrincipal from AzureAD module calls Active Directory Graph internally.

In Windows PowerShell,

Install-Module AzureAD
Connect-AzureAD -TenantId 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a
$msGraphService = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
ConvertTo-Json $msGraphService

We can see

  • Application permissions appear under AppRoles
  • Delegated permissions appear under Oauth2Permissions

Get-MgServicePrincipal

Get-MgServicePrincipal from Microsoft.Graph module calls Microsoft Graph internally.

In PowerShell 7,

Install-Module -Name Microsoft.Graph
Connect-MgGraph -Scopes "Application.Read.All" -TenantId 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a
$msGraphService = Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
ConvertTo-Json $msGraphService

According to servicePrincipal resource type,

  • Application permissions appear under AppRoles
  • Delegated permissions appear under oauth2PermissionScopes << Note the name change

Some findings (TL;DR)

I tried AzureAD in PowerShell 7, but hit a failure (https://github.com/PowerShell/PowerShell/issues/11564), so I used -UseWindowsPowerShell:

Install-Module AzureAD
Import-Module AzureAD -UseWindowsPowerShell
Connect-AzureAD -TenantId 54826b22-38d6-4fb2-bad9-b7b93a3e9c5a
$msGraphService = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"
ConvertTo-Json $msGraphService

The result is corrupted, perhaps because

WARNING: Module AzureAD is loaded in Windows PowerShell using WinPSCompatSession remoting session; please note that all input and output of commands from this module will be deserialized objects. If you want to load this module into PowerShell Core please use 'Import-Module -SkipEditionCheck' syntax.

> $msGraphService.AppRoles[0].GetType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     String

Not sure if there is any fix/workaround for this issue.

Meanwhile, let me refine the help message for az ad app permission add.
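The JSON printed by `az ad sp show --id 00000003-0000-0000-c000-000000000000` (see the earlier comment) can be turned into a GUID lookup table directly, and the key-name difference noted above (`oauth2PermissionScopes` in Microsoft Graph output versus `oauth2Permissions` in the older AAD Graph output) is the main thing to handle. The script below is an added example, not code from this thread or from azure-cli; the sample JSON is constructed, with only the User.Read GUID taken from the thread, and it assumes the CLI output uses the `appRoles` / `oauth2PermissionScopes` property names of the Microsoft Graph servicePrincipal resource.

```python
"""Build a GUID <-> permission-name table from the JSON printed by
`az ad sp show --id 00000003-0000-0000-c000-000000000000`."""
import json

# Constructed sample of the relevant parts of the Microsoft Graph service principal.
# Newer (Microsoft Graph based) CLI output uses "oauth2PermissionScopes"; older
# (AAD Graph based) output used "oauth2Permissions", so both keys are accepted below.
# The User.Read GUID is the one quoted in the thread; the Role GUID is made up.
SAMPLE_SP_JSON = """{
  "appId": "00000003-0000-0000-c000-000000000000",
  "displayName": "Microsoft Graph",
  "appRoles": [
    {"id": "11111111-2222-3333-4444-555555555555", "value": "User.Read.All",
     "displayName": "Read all users' full profiles", "isEnabled": true}
  ],
  "oauth2PermissionScopes": [
    {"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6", "value": "User.Read",
     "userConsentDisplayName": "Sign in and read your profile", "isEnabled": true}
  ]
}"""

def build_permission_table(sp_json: str) -> dict:
    """Return {guid: {"value": name, "type": "Role"|"Scope"}} for every permission."""
    sp = json.loads(sp_json)
    table = {}
    for role in sp.get("appRoles", []):            # application permissions
        table[role["id"]] = {"value": role["value"], "type": "Role"}
    scopes = sp.get("oauth2PermissionScopes") or sp.get("oauth2Permissions") or []
    for scope in scopes:                            # delegated permissions
        table[scope["id"]] = {"value": scope["value"], "type": "Scope"}
    return table

def api_permission_arg(table: dict, name: str, permission_type: str) -> str:
    """Build the '<guid>=<Scope|Role>' token that `az ad app permission add
    --api-permissions` expects; raise if that name/type pair is not published."""
    for guid, entry in table.items():
        if entry["value"] == name and entry["type"] == permission_type:
            return f"{guid}={permission_type}"
    raise KeyError(f"no {permission_type} permission named {name!r}")

if __name__ == "__main__":
    table = build_permission_table(SAMPLE_SP_JSON)
    for guid, entry in table.items():
        print(f"{guid}  {entry['type']:5}  {entry['value']}")
    print(api_permission_arg(table, "User.Read", "Scope"))
```

Feed the real CLI output in by replacing `SAMPLE_SP_JSON` with the captured stdout of the `az ad sp show` command; checking the type as well as the name prevents granting an application (Role) permission when a delegated (Scope) one was intended.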
