- Microsoft Identity Platform - Introduction
- Register Azure AD App
- OAuth Protocols
- Code Sample - Using MSAL Package React SPA
- Code Sample - Modern Auth in SharePoint Online
- MSAL Library to authenticate .Net Apps
- Conditional Access Policies
- Replace the placeholders {TENANT_ID} and {APPLICATION_ID} with the actual tenant ID and the application (client) ID of the registered app.
- Open the URL in a browser: https://login.microsoftonline.com/{TENANT_ID}/adminconsent?client_id={APPLICATION_ID}
- Sign in as an administrator and grant the admin consent. Admin consent grants every permission the app registration requests on behalf of all users in the tenant, so review the list on the consent screen before accepting.
The script below removes all consented permissions from a service principal. It uses the AzureAD PowerShell module, which Microsoft has retired in favour of the Microsoft Graph PowerShell SDK, but it still shows the two kinds of grant that have to be cleaned up separately: delegated permissions (oAuth2PermissionGrants) and application permissions (app role assignments).
Connect-AzureAD
# Object ID of the service principal (enterprise application), not the application (client) ID of the app registration
$aadAppObjectId = "ac23bbc6-188e-4a90-875d-4dfa7ca7f689"
# Get the service principal using its object ID
$sp = Get-AzureADServicePrincipal -ObjectId $aadAppObjectId
# Get all delegated permission grants where this service principal is the client
$spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true | Where-Object { $_.ClientId -eq $sp.ObjectId }
# Remove all delegated permission grants
$spOAuth2PermissionsGrants | ForEach-Object {
    Remove-AzureADOAuth2PermissionGrant -ObjectId $_.ObjectId
}
# Get all application permissions (app role assignments) where this service principal is the principal
$spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }
# Remove all application permissions
$spApplicationPermissions | ForEach-Object {
    Remove-AzureADServiceAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.ObjectId
}
- Get all delegated permissions: in Graph Explorer, make a GET request to https://graph.microsoft.com/beta/serviceprincipals/{OBJECT_ID}/oauth2PermissionGrants where {OBJECT_ID} is the object ID of the service principal.
- Save the returned JSON for reference. Example of one grant:
{
  "clientId": "29575e06-7251-4ab4a-6232d342c25a",
  "consentType": "AllPrincipals",
  "expiryTime": "2021-11-22T03:59:48.2996865Z",
  "id": "Bl5XKVFyN02rSmIy00LCWOgWqROsP9pim_Rw_g",
  "principalId": null,
  "resourceId": "a3e61042-5aa0-b0ff-698a6fd1c3f8",
  "scope": "Directory.AccessAsUser.All",
  "startTime": "0001-01-01T00:00:00Z"
}
  A consentType of "AllPrincipals" with a null principalId means the grant applies to every user in the tenant; scope is the space-separated list of delegated permissions granted on the resource identified by resourceId.
- Make a note of the id of the permission grant you want to change.
- Use Graph Explorer to make a PATCH request to https://graph.microsoft.com/beta/oauth2PermissionGrants/{id} with the following request body:
{ "scope": "Group.ReadWrite.All Directory.AccessAsUser.All" }
  The scope value replaces the existing list rather than appending to it, so include every permission that should remain. Editing an AllPrincipals grant this way makes the new permission effective for all users with no consent prompt, which is why the call requires an administrator with rights to manage permission grants and why such changes are worth reviewing in the directory audit log.
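The same listing, scope change and removal steps written for the Microsoft Graph PowerShell SDK, which replaces both the retired AzureAD module used earlier on this page and the manual Graph Explorer calls. This is an added example, not code from the original post: the service principal object ID is a placeholder, the permission appended to the scope (Group.ReadWrite.All) mirrors the PATCH body above, and the Remove calls run with -WhatIf so the script reports what it would delete until that switch is dropped. Unlike the Graph Explorer PATCH, it builds the new scope from the grant's current value so no existing permission is lost.

```powershell
# Added example (not from the original post): list, modify and remove the
# permissions of a service principal with the Microsoft Graph PowerShell SDK.
# $spObjectId is a placeholder; replace it with the real service principal object ID.

Connect-MgGraph -Scopes "Application.Read.All",
                        "DelegatedPermissionGrant.ReadWrite.All",
                        "AppRoleAssignment.ReadWrite.All"

$spObjectId = "00000000-0000-0000-0000-000000000000"   # placeholder: service principal object ID
$sp = Get-MgServicePrincipal -ServicePrincipalId $spObjectId

# 1. Delegated permissions: oauth2PermissionGrants where this SP is the client.
#    ConsentType "AllPrincipals" (empty PrincipalId) means the grant covers every user.
$grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
$grants | Select-Object Id, ConsentType, PrincipalId, ResourceId, Scope | Format-Table -AutoSize

# 2. Application permissions: appRoleAssignments where this SP is the principal.
$roleAssignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
$roleAssignments | Select-Object Id, AppRoleId, ResourceDisplayName, PrincipalType | Format-Table -AutoSize

# 3. Equivalent of the PATCH on /oauth2PermissionGrants/{id}. The scope string is
#    space-separated and REPLACES the existing scopes, so the current ones are carried
#    over explicitly and the new permission is added to them (placeholder permission name).
$grant = $grants | Where-Object { $_.ConsentType -eq "AllPrincipals" } | Select-Object -First 1
if ($grant) {
    $newScope = ((($grant.Scope -split ' ') + "Group.ReadWrite.All") |
                 Where-Object { $_ } | Sort-Object -Unique) -join ' '
    Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope $newScope
}

# 4. Equivalent of the removal loops from the AzureAD script. -WhatIf only reports;
#    remove it to actually delete the grants and assignments.
foreach ($g in $grants) {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id -WhatIf
}
foreach ($r in $roleAssignments) {
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $r.Id -WhatIf
}
```

Run steps 1 and 2 first and keep the output: it is the record of what the app could do before the change, and it is what the removal loop in step 4 will undo. Step 3 and step 4 are alternatives (widen a grant, or strip everything), so in practice comment out whichever one is not wanted before removing -WhatIf.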