Coding Stephan

Assign additional permissions to service principal

You have a service principal in your tenant. Either you created it yourself, or it is the service principal of an app registration from another tenant (a multi-tenant application). Now this service principal needs access to an additional application role. Doing a fresh admin consent for the whole application is not always possible, and sometimes you want the change only for a single service principal in a single tenant.

I wrote about this before, but since the Azure AD module is deprecated, it's time to do the same with the new Microsoft Graph PowerShell module.

Grant an additional app role

# Change to your tenant ID, for easier login if you manage multiple tenants.
$tenant = "94ffb2b3-2e85-4a2e-a372-20b0c9c63f1e"

# Object ID of the service principal you want to assign extra roles to
$servicePrincipalObjectId = "b16a00c7-506d-4193-bafa-abba77cd46ce"

# Object ID of the enterprise application (the API) you want to assign a role from
$apiServicePrincipalId = "5b13b67b-141a-4ba5-b369-29a2fc1ae090"
# The Value of the role, User-LifeCycleInfo.ReadWrite.All of Graph in this case.
$apiApplicationRole = "User-LifeCycleInfo.ReadWrite.All"

# No edits below this line
# Creating app role assignments needs AppRoleAssignment.ReadWrite.All; reading the API's roles needs Application.Read.All.
Connect-MgGraph -TenantId $tenant -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All"

# Load the service principal for the API (Graph in this case)
$apiServicePrincipal = Get-MgServicePrincipal -ServicePrincipalId $apiServicePrincipalId
# Find the correct role in the list; only roles that allow the "Application" member type can be assigned to a service principal
$apiRole = $apiServicePrincipal.AppRoles | Where-Object {$_.Value -eq $apiApplicationRole -and $_.AllowedMemberTypes -contains "Application"}
if (-not $apiRole) { throw "Application role '$apiApplicationRole' not found on $($apiServicePrincipal.DisplayName)" }

# Create the body object to post: who gets the role (principalId), on which resource (resourceId), and which role (appRoleId)
$params = @{
  principalId = $servicePrincipalObjectId
  resourceId = $apiServicePrincipalId
  appRoleId = $apiRole.Id
}
# Create the role assignment (needs the apiServicePrincipalId in the body and in the URL, hence the double reference.)
New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $apiServicePrincipalId -BodyParameter $params
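The script above creates the assignment once; running it a second time fails because Graph refuses duplicate app role assignments, and it gives you no way to see or undo what a principal already holds. The following is an added example, not code from the original post, that wraps the same cmdlets into an idempotent grant, an audit listing and a revoke. It goes a little beyond the post by resolving the resource service principal through its appId (the well-known Microsoft Graph appId 00000003-0000-0000-c000-000000000000 is the same in every tenant) instead of the per-tenant object ID. The tenant and principal GUIDs are placeholders, and it assumes the signed-in admin can consent to AppRoleAssignment.ReadWrite.All and Application.Read.All.

```powershell
# Added example (not from the original post): idempotent grant, audit and revoke of an
# application role with the Microsoft.Graph.Applications cmdlets.
# Assumptions: placeholder IDs below are replaced with real values; the signed-in admin
# can consent to the two scopes requested in Connect-MgGraph.

$tenant                   = "00000000-0000-0000-0000-000000000000"   # placeholder tenant ID
$servicePrincipalObjectId = "00000000-0000-0000-0000-000000000001"   # placeholder: principal that receives the role
$graphAppId               = "00000003-0000-0000-c000-000000000000"   # well-known appId of Microsoft Graph
$apiApplicationRole       = "User-LifeCycleInfo.ReadWrite.All"

Connect-MgGraph -TenantId $tenant -Scopes "AppRoleAssignment.ReadWrite.All", "Application.Read.All"

function Get-ApiAppRole {
    param([string]$ResourceAppId, [string]$RoleValue)
    # Resolve the resource service principal by appId (identical across tenants) and
    # find the enabled application role with the requested Value.
    $api = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'" | Select-Object -First 1
    if (-not $api) { throw "No service principal for appId $ResourceAppId in this tenant" }
    $role = $api.AppRoles | Where-Object {
        $_.Value -eq $RoleValue -and $_.AllowedMemberTypes -contains "Application" -and $_.IsEnabled
    }
    if (-not $role) { throw "'$RoleValue' is not an enabled application role on $($api.DisplayName)" }
    [pscustomobject]@{ Resource = $api; Role = $role }
}

function Get-ExistingAssignment {
    param([string]$PrincipalId, $Target)
    # Assignments the principal already holds for exactly this resource and role.
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $PrincipalId -All |
        Where-Object { $_.ResourceId -eq $Target.Resource.Id -and $_.AppRoleId -eq $Target.Role.Id }
}

function Grant-AppRoleToServicePrincipal {
    param([string]$PrincipalId, [string]$ResourceAppId, [string]$RoleValue)
    $target = Get-ApiAppRole -ResourceAppId $ResourceAppId -RoleValue $RoleValue
    # Graph rejects duplicate assignments, so check first and make the call idempotent.
    $existing = Get-ExistingAssignment -PrincipalId $PrincipalId -Target $target
    if ($existing) {
        Write-Host "Already assigned: $RoleValue (assignment $($existing.Id))"
        return $existing
    }
    $params = @{
        principalId = $PrincipalId
        resourceId  = $target.Resource.Id
        appRoleId   = $target.Role.Id
    }
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $target.Resource.Id -BodyParameter $params
}

function Show-ServicePrincipalAppRoles {
    param([string]$PrincipalId)
    # Audit view: every application role this principal holds, and on which resource.
    Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $PrincipalId -All | ForEach-Object {
        $assignment = $_
        $resource = Get-MgServicePrincipal -ServicePrincipalId $assignment.ResourceId
        $role = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.AppRoleId }
        [pscustomobject]@{
            Resource     = $assignment.ResourceDisplayName
            Role         = $role.Value
            AssignmentId = $assignment.Id
        }
    }
}

function Revoke-AppRoleFromServicePrincipal {
    param([string]$PrincipalId, [string]$ResourceAppId, [string]$RoleValue)
    # Remove only the matching assignment(s); other roles on the principal are untouched.
    $target = Get-ApiAppRole -ResourceAppId $ResourceAppId -RoleValue $RoleValue
    foreach ($a in (Get-ExistingAssignment -PrincipalId $PrincipalId -Target $target)) {
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $PrincipalId -AppRoleAssignmentId $a.Id
        Write-Host "Revoked $RoleValue (assignment $($a.Id))"
    }
}

# Usage: grant (safe to re-run), then list what the principal now holds.
Grant-AppRoleToServicePrincipal -PrincipalId $servicePrincipalObjectId -ResourceAppId $graphAppId -RoleValue $apiApplicationRole
Show-ServicePrincipalAppRoles -PrincipalId $servicePrincipalObjectId | Format-Table
# To undo the change:
# Revoke-AppRoleFromServicePrincipal -PrincipalId $servicePrincipalObjectId -ResourceAppId $graphAppId -RoleValue $apiApplicationRole
```

The grant and the revoke look up the assignment from the principal's side (appRoleAssignments) rather than the resource's side (appRoleAssignedTo), so the check stays cheap even on a resource like Graph that may have hundreds of assignments in a tenant. Keep the audit listing in your runbook: a service principal that quietly collects application roles is exactly the kind of standing privilege you want to see at a glance.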

Series: MSGraph PowerShell