Forum Discussion
Microsoft Graph Required Scopes list?
- Jun 28, 2022
If you really want to get funky, just pull it from PowerShell.
This is something I do (though not this way) in identity management to dynamically cater to the addition and removal (not that I've actually seen a removal) of app roles when I'm flagging users with privileged rights in key Azure platforms.
Anyhow, to keep things simple, this example uses the Get-MgServicePrincipal commandlet against the beta endpoint.
Get-MgServicePrincipal (Microsoft.Graph.Applications) | Microsoft Docs
# Pull the app roles of the Microsoft Graph service principal and keep those whose value
# contains "read" with no "write" later in the name (-match is case-insensitive)
(Get-MgServicePrincipal -ServicePrincipalId 0e5cbc2e-764b-4147-8ac8-429decdbb48a -Property AppRoles).AppRoles |
    Where-Object { $_.Value -match "(read)(?!.*write)" } |
    ForEach-Object {
        [PSCustomObject] @{
            Id          = $_.Id
            Name        = $_.Value
            Enabled     = $_.IsEnabled
            DisplayName = $_.DisplayName
            AppliesTo   = $_.AllowedMemberTypes
        }
    } | Sort-Object -Property Name | Format-Table -AutoSize
Which produces the following output (there are more results than can fit on the screen, so take this as a guide only).
Clearly, you can fiddle with the "where" clause to your heart's content to include more or reduce it further.
Cheers,
Lain
Many thanks for the confirmation and the explanation.
The code throws an error like below:
Get-MgServicePrincipal : Resource '0e5cbc2e-764b-4147-8ac8-429decdbb48a' does not exist or one of its queried reference-property objects are not present.
At line:1 char:1
+ (Get-MgServicePrincipal -ServicePrincipalId 0e5cbc2e-764b-4147-8ac8-4 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: ({ ServicePrinci...ndProperty = }:<>f__AnonymousType75`3) [Get-MgServicePrincipal_Get], RestException`1
+ FullyQualifiedErrorId : Request_ResourceNotFound,Microsoft.Graph.PowerShell.Cmdlets.GetMgServicePrincipal_Get
- LainRobertson, Jul 10, 2023, Silver Contributor
Hmm, I'm not sure what the issue there is. The error's straightforward enough but I can't say from what error why you're getting it.
The GUID of 0e5cbc2e-764b-4147-8ac8-429decdbb48a is well-defined by Microsoft, meaning so long as you're authenticated, you should be able to see it. I'm not sure why you're getting an error saying it doesn't exist.
I logged in with my normal, completely unprivileged account and successfully ran a Get-MgServicePrincipal commandlet - meaning it's not likely to be a permissions issue:
I even ran the block I posted above from last year under this normal account without issue.
You could try the following alternative to see if you get anything back but my instinct tells me you're going to get the same outcome:
Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'"
The commandlet version on my host is as follows:
Cheers,
Lain
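As an added example (not code from Lain or from Microsoft), the following ties the two posts together: it looks the Microsoft Graph service principal up by the well-known Microsoft Graph appId 00000003-0000-0000-c000-000000000000 rather than by a service principal object id (object ids differ from tenant to tenant, appIds do not), then lists both application permissions (AppRoles) and delegated permissions (Oauth2PermissionScopes) with a read/write classification and the permission ids that an app registration's required permissions refer to. It assumes Connect-MgGraph has already been run with a scope that can read service principals (Application.Read.All is assumed), and the keyword list used to classify a permission as 'Write' is a heuristic of mine, not a Microsoft definition.

```powershell
# Added example (not Lain's code). Assumes Connect-MgGraph has already been run with a
# scope that can read service principals (Application.Read.All assumed here).
$graphAppId = '00000003-0000-0000-c000-000000000000'   # well-known appId of Microsoft Graph

# Look the service principal up by appId: the object id (-ServicePrincipalId) is
# different in every tenant, the appId is the same everywhere.
$sp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'" -Property Id,DisplayName,AppRoles,Oauth2PermissionScopes
if (-not $sp) { throw 'Microsoft Graph service principal not found in this tenant.' }

function Get-PermissionClass {
    param([string]$Value)
    # Heuristic (assumption, not a Microsoft definition): any verb that can change data
    # makes the permission 'Write'; -match is case-insensitive, so 'Write' also covers 'ReadWrite'.
    if ($Value -match 'Write|Manage|Create|Update|Delete|Send|Invite') { return 'Write' }
    if ($Value -match 'Read') { return 'Read' }
    return 'Other'
}

# Application permissions (app roles): used without a signed-in user, always admin consent.
$appPerms = $sp.AppRoles | Where-Object { $_.IsEnabled } | ForEach-Object {
    [PSCustomObject]@{
        Kind = 'Application'; Value = $_.Value; Class = Get-PermissionClass $_.Value
        Consent = 'Admin'; Id = $_.Id; DisplayName = $_.DisplayName
    }
}

# Delegated permissions (OAuth2 scopes): act as the signed-in user; Type says who may consent.
$delegatedPerms = $sp.Oauth2PermissionScopes | Where-Object { $_.IsEnabled } | ForEach-Object {
    [PSCustomObject]@{
        Kind = 'Delegated'; Value = $_.Value; Class = Get-PermissionClass $_.Value
        Consent = $_.Type; Id = $_.Id; DisplayName = $_.AdminConsentDisplayName
    }
}

$all = @($appPerms) + @($delegatedPerms) | Sort-Object Kind, Class, Value
$all | Format-Table Kind, Class, Consent, Value, Id -AutoSize

# Counts per kind/class give a quick least-privilege picture of what an app could ask for.
$all | Group-Object Kind, Class | Select-Object Name, Count
```

The Id column is the value an app registration's required permissions reference (as a Role for application permissions, as a Scope for delegated ones), so the table can be matched against a registration's manifest when reviewing what it has been granted.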