How to add delegated permission grant in Entra
- romanvitsinskyi
- Jun 11
- 2 min read
Updated: Jun 22
Delegated permission grants (each represented by an oAuth2PermissionGrant object) are the user-consented permissions you see on the 'Permissions' tab of every Enterprise Application.

However, Entra doesn't provide a way for administrators to conveniently assign a delegated permission to an individual user via the Entra portal GUI. If you admin-consent a delegated permission from the Entra portal, it is consented for every user who has access to the application (a grant with consentType "AllPrincipals"). That is not recommended and is bad security practice. If, for example, you need to grant someone in Helpdesk the Graph API permission User.ReadWrite.All, you don't want everyone assigned to the Graph API application to have this permission.
The solution is fairly simple but not well documented. Use the PowerShell code below to get the job done (it creates a grant with consentType "Principal", which applies to one user only):
```powershell
# DelegatedPermissionGrant.ReadWrite.All is needed to create the grant; reading the service
# principals below additionally requires Application.Read.All (or Directory.Read.All).
Connect-MgGraph -Scopes "User.Read.All", "Application.Read.All", "DelegatedPermissionGrant.ReadWrite.All"

# Resource: the application that exposes the API permissions you're assigning. In this case it's
# Graph API, but it could be the O365 Management API, for example, or your own custom API permission.
$resourceSpn = "https://graph.microsoft.com"
$resource = Get-MgServicePrincipal -Filter "servicePrincipalNames/any(n:n eq '$resourceSpn')"

# Delegated scopes to grant; the grant stores them as one space-separated string
$permissions = @("User.Read.All", "Device.Read.All")
$scopeToGrant = $permissions -join " "

# Client: the application where you're adding the permission. $resource from above and $clientSP
# match here (Graph / Graph PowerShell), but that's not always the case. Newer tenants show this
# first-party app as 'Microsoft Graph Command Line Tools', so filtering by AppId is more robust.
$clientSP = Get-MgServicePrincipal -Filter "DisplayName eq 'Microsoft Graph PowerShell'"
# or $clientSP = Get-MgServicePrincipal -Filter "AppId eq ''"

# Object ID of the user who receives the permission
$PrincipalID = "objectID of a user you want to assign permission to"

# ConsentType "Principal" limits the grant to this one user; "AllPrincipals" would be tenant-wide
$grant = New-MgOauth2PermissionGrant -ResourceId $resource.Id -Scope $scopeToGrant -ClientId $clientSP.Id -PrincipalId $PrincipalID -ConsentType "Principal"
# The cmdlet also accepts -StartTime $(Get-Date) -ExpiryTime $((Get-Date).AddDays(30)), but Microsoft
# Graph currently ignores both values, so they do not time-limit the grant.
```
If the user already has at least one permission (scope) granted for this client and resource, creating a second grant for the same client/resource/user fails because a grant entry already exists. Update the existing grant instead:
```powershell
# Update existing access. Match on resource as well as client and user, otherwise a user with
# grants for several resources through the same client would return more than one object.
$ExistingAdminConsent = Get-MgOauth2PermissionGrant -All | Where-Object {
    $_.ClientId -eq $clientSP.Id -and $_.PrincipalId -eq $PrincipalID -and $_.ResourceId -eq $resource.Id
}

# Only the scope property of an existing grant can be changed, and the new value replaces the old
# string rather than appending to it. Merge the existing scopes with the new ones unless you
# intend to revoke what is already granted.
$mergedScope = (($ExistingAdminConsent.Scope -split " ") + $permissions | Where-Object { $_ } | Sort-Object -Unique) -join " "
Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $ExistingAdminConsent.Id -Scope $mergedScope
```
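The create and update paths above can be folded into one idempotent function that also validates the scope names and reads the grant back afterwards. The function below is an added example and is not code from the original post; it assumes an existing Connect-MgGraph session with Application.Read.All and DelegatedPermissionGrant.ReadWrite.All, and the function name, parameter names and the sample user 'helpdesk.user@contoso.com' are this example's own placeholders. The appId 14d82eec-204b-4c2f-b7e8-296a70dab67e is the well-known first-party Microsoft Graph PowerShell / Microsoft Graph Command Line Tools application.

```powershell
# Added example, not from the original post. Create-or-update a per-user delegated grant and verify it.
function Grant-DelegatedScopeToUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $UserPrincipalName,   # user who receives the permission
        [Parameter(Mandatory)] [string]   $ClientAppId,         # appId of the client application
        [Parameter(Mandatory)] [string[]] $Scope,               # delegated scopes to add
        [string] $ResourceSpn = "https://graph.microsoft.com"   # API that exposes the scopes
    )

    $user     = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName
    $client   = Get-MgServicePrincipal -Filter "appId eq '$ClientAppId'"
    $resource = Get-MgServicePrincipal -Filter "servicePrincipalNames/any(n:n eq '$ResourceSpn')"
    if (-not $user -or -not $client -or -not $resource) {
        throw "User, client service principal or resource service principal not found"
    }

    # Refuse scope names the resource does not actually publish (catches typos such as Users.ReadWrite.All).
    $published = $resource.Oauth2PermissionScopes.Value
    $unknown   = $Scope | Where-Object { $_ -notin $published }
    if ($unknown) { throw "Scope(s) not exposed by $ResourceSpn`: $($unknown -join ', ')" }

    # All grants for this client; narrow to this resource and user client-side.
    $grants   = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($client.Id)'" -All |
                Where-Object { $_.ResourceId -eq $resource.Id }
    $existing = $grants | Where-Object { $_.PrincipalId -eq $user.Id -and $_.ConsentType -eq 'Principal' }

    if ($existing) {
        # PATCH replaces the scope string, so merge rather than overwrite.
        $merged = (($existing.Scope -split ' ') + $Scope | Where-Object { $_ } | Sort-Object -Unique) -join ' '
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "update grant scope to '$merged'")) {
            Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $existing.Id -Scope $merged
        }
    }
    else {
        if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "grant '$($Scope -join ' ')'")) {
            $null = New-MgOauth2PermissionGrant -ClientId $client.Id -ResourceId $resource.Id `
                -PrincipalId $user.Id -ConsentType 'Principal' -Scope ($Scope -join ' ')
        }
    }

    # Warn if a tenant-wide (AllPrincipals) grant already hands any of these scopes to every user
    # of the client; the per-user grant would then add nothing and the real exposure is elsewhere.
    $tenantWide = $grants | Where-Object {
        $_.ConsentType -eq 'AllPrincipals' -and (($_.Scope -split ' ') | Where-Object { $_ -in $Scope })
    }
    if ($tenantWide) {
        Write-Warning "AllPrincipals grant $($tenantWide.Id) already gives these scopes to every user of $($client.DisplayName)"
    }

    # Read back what is now in the directory (empty under -WhatIf when no grant existed before).
    $mine = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($client.Id)'" -All |
            Where-Object { $_.ResourceId -eq $resource.Id -and $_.PrincipalId -eq $user.Id }
    [pscustomobject]@{
        User        = $user.UserPrincipalName
        Client      = $client.DisplayName
        Resource    = $ResourceSpn
        ConsentType = $mine.ConsentType
        Scope       = $mine.Scope
        GrantId     = $mine.Id
    }
}

# Usage: give one Helpdesk user User.ReadWrite.All through Microsoft Graph PowerShell, previewing with -WhatIf first.
Grant-DelegatedScopeToUser -UserPrincipalName 'helpdesk.user@contoso.com' `
    -ClientAppId '14d82eec-204b-4c2f-b7e8-296a70dab67e' -Scope 'User.ReadWrite.All' -WhatIf
```

Run it once with -WhatIf to see whether the create or the update path will be taken, then without it. The returned object should show ConsentType "Principal" and a Scope string containing the requested permission; a warning about an AllPrincipals grant means the portal-style tenant-wide consent described above already exists and should be reviewed.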