Grant-EasyAppPermissions
SYNOPSIS
Grant required Graph API permissions to service principals.
SYNTAX
Grant-EasyAppPermissions [-ServicePrincipalId] <Guid> [[-AppRoles] <String[]>] [-WhatIf] [-Confirm]
[<CommonParameters>]
DESCRIPTION
This function uses New-MgServicePrincipalAppRoleAssignedTo to assign all required application permissions for the EasyLife365.Collaboration module to a service principal in your Entra ID. You can use this function to grant the required permissions to managed identities of Azure Automation Accounts or Function Apps that run the EasyLife365.Collaboration PowerShell module and use Connect-EasyLife365 -Identity to sign in.
EXAMPLES
EXAMPLE 1
Grant-EasyAppPermissions -ServicePrincipalId da9ea79a-55d4-463f-b1a2-4b5ab1060909
This example grants the application permissions User.Read.All, Group.Read.All, Team.ReadBasic.All to the service principal with the id da9ea79a-55d4-463f-b1a2-4b5ab1060909.
EXAMPLE 2
Grant-EasyAppPermissions -ServicePrincipalId da9ea79a-55d4-463f-b1a2-4b5ab1060909 -AppRoles Write
This example grants the application permissions User.ReadWrite.All, Group.ReadWrite.All, Team.ReadBasic.All to the service principal with the id da9ea79a-55d4-463f-b1a2-4b5ab1060909.
EXAMPLE 3
Grant-EasyAppPermissions -ServicePrincipalId da9ea79a-55d4-463f-b1a2-4b5ab1060909 -AppRoles 'User.ReadWrite.All', 'Group.ReadWrite.All', 'Team.ReadBasic.All', 'Application.Read.All'
This example grants a custom set of application permissions to the service principal with the id da9ea79a-55d4-463f-b1a2-4b5ab1060909.
PARAMETERS
-ServicePrincipalId
Use this parameter to specify the object id of the service principal that will be granted permissions.
Type: Guid
Parameter Sets: (All)
Aliases:
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-AppRoles
Use this parameter to specify which application permissions shall be granted to the service principal. Use 'Read' to grant User.Read.All, Group.Read.All, Team.ReadBasic.All. Use 'Write' to grant User.ReadWrite.All, Group.ReadWrite.All, Team.ReadBasic.All. Use a custom set of permissions by specifying the name of each application permission like this: 'Group.ReadWrite.All', 'Team.ReadBasic.All'.
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: 2
Default value: Read
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.
INPUTS
None. You cannot pipe values to this cmdlet.
OUTPUTS
[MicrosoftGraphAppRoleAssignment] This function returns an object of the type MicrosoftGraphAppRoleAssignment.
NOTES
This function requires the scopes AppRoleAssignment.ReadWrite.All and Application.Read.All only during setup. These application permissions will not be granted to the service principal. You can find the ServicePrincipalId in the Identity tab of the Automation Account or Function App in the Entra ID Portal.
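To check the result after a grant, the following added example (not part of the EasyLife365.Collaboration module) lists the application permissions actually assigned to the service principal and flags any that fall outside the expected set, or that are missing from it. The helper name Get-EasyAppPermissionDrift is hypothetical; it assumes the Microsoft.Graph.Applications module and an existing Connect-MgGraph session that can read applications (for example with the Application.Read.All scope named above).

```powershell
# Added example, not part of the EasyLife365.Collaboration module.
# Assumes Microsoft.Graph.Applications is installed and Connect-MgGraph has been run.
function Get-EasyAppPermissionDrift {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [Guid] $ServicePrincipalId,
        # Default mirrors the 'Read' set documented for -AppRoles.
        [string[]] $Expected = @('User.Read.All', 'Group.Read.All', 'Team.ReadBasic.All')
    )

    # Microsoft Graph's well-known appId; its service principal defines the app roles.
    $graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

    # Map app role id -> permission name (for example User.Read.All).
    $roleNames = @{}
    foreach ($role in $graph.AppRoles) { $roleNames[[string]$role.Id] = $role.Value }

    # All app role assignments currently held by the target service principal.
    $assigned = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalId -All)

    $have = @()
    foreach ($a in $assigned) {
        $isGraph = $a.ResourceId -eq $graph.Id
        $name = if ($isGraph) { $roleNames[[string]$a.AppRoleId] } else { $null }
        if ($name) { $have += $name }
        [pscustomobject]@{
            Resource   = $a.ResourceDisplayName
            Permission = if ($name) { $name } else { [string]$a.AppRoleId }
            # Anything on another resource API, or outside the expected set, is flagged.
            Status     = if ($name -in $Expected) { 'Expected' } else { 'Unexpected' }
        }
    }

    # Expected permissions that were never assigned.
    foreach ($missing in ($Expected | Where-Object { $_ -notin $have })) {
        [pscustomobject]@{ Resource = $graph.DisplayName; Permission = $missing; Status = 'Missing' }
    }
}

# Service principal id taken from the examples on this page.
Get-EasyAppPermissionDrift -ServicePrincipalId da9ea79a-55d4-463f-b1a2-4b5ab1060909 |
    Sort-Object Status, Permission | Format-Table -AutoSize
```

Pass the matching list to -Expected when the grant used 'Write' or a custom set, so that rows marked Unexpected point to permissions the managed identity holds beyond what was intended.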
RELATED LINKS
https://docs.easylife365.cloud/docs/add-ons/powershell/grant-easyapppermissions/