Forum Discussion
Graph permission question
Hi
I am new to Graph PowerShell, but let me explain the problem and correct me if I misunderstand anything.
The Microsoft Graph PowerShell application has the following permission, with admin consent:
- User.ReadWrite.All, Delegated (this permission is granted for Admin1)
User1 needs to connect and fetch some data using Graph PowerShell and needs to use only the User.Read.All delegated scope.
But when User1 logs in, he also has User.ReadWrite.All.
It seems that any delegated authentication is granted all permissions assigned to the application.
How can I separate the permissions and assign only User.Read.All to User1 and User.ReadWrite.All to Admin1?
Thanks
3 Replies
- mikhailf (Iron Contributor)
Hello niazstinu,
Probably this could help: Grant consent on behalf of a single user - Microsoft Entra | Microsoft Docs
If not, you can try the following:
- Go to the application -> Permissions -> Review permissions -> "This application has more permissions than I want."
- Revoke all permissions granted to the application.
- Then try to connect to this app as Admin1 and grant permissions; do not consent for the entire tenant, but for the admin user only.
- Then connect to this app as User1 and get the required Read permission for this user.
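The same split done from the command line, as an added example that is not part of mikhailf's reply or of the Microsoft docs: it lists the delegated grants on the Microsoft Graph PowerShell service principal, removes the tenant-wide (AllPrincipals) grant that every signing-in user inherits, and replaces it with one per-user (Principal) grant each for Admin1 and User1. It assumes the Microsoft.Graph PowerShell SDK is installed and that the admin session holds DelegatedPermissionGrant.ReadWrite.All, Application.Read.All and User.Read.All; the two user principal names are placeholders.

```powershell
# Added example, not from the original thread or from Microsoft's documentation.
# Assumes the Microsoft.Graph SDK modules and an admin who can manage delegated grants.
# The UPNs below are placeholders; replace them with real accounts.
Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All","Application.Read.All","User.Read.All"

# 14d82eec-204b-4c2f-b7e8-296a70dab67e is the well-known appId of Microsoft Graph PowerShell.
# 00000003-0000-0000-c000-000000000000 is the appId of the Microsoft Graph resource itself.
$client   = Get-MgServicePrincipal -Filter "appId eq '14d82eec-204b-4c2f-b7e8-296a70dab67e'"
$resource = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# 1. Show every delegated grant for the client. consentType 'AllPrincipals' means the scope
#    applies to every user who signs in to this app, which is why User1 currently inherits
#    User.ReadWrite.All even when he only asks for User.Read.All.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($client.Id)'" -All
$grants | Select-Object Id, ConsentType, PrincipalId, Scope | Format-Table -AutoSize

# 2. Remove the tenant-wide grant(s). Afterwards, users without a per-user grant are prompted
#    for consent on sign-in (or blocked, if user consent is disabled in the tenant).
$grants | Where-Object ConsentType -eq 'AllPrincipals' |
    ForEach-Object { Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id }

# 3. Create or update a per-user grant (consentType 'Principal'). Scope is the complete
#    space-separated list for that user, so updating replaces rather than appends.
function Grant-UserScope {
    param(
        [Parameter(Mandatory)] [string] $Upn,
        [Parameter(Mandatory)] [string] $Scope
    )
    $user = Get-MgUser -UserId $Upn
    $existing = Get-MgOauth2PermissionGrant -Filter ("clientId eq '{0}' and consentType eq 'Principal' and principalId eq '{1}'" -f $client.Id, $user.Id)
    if ($existing) {
        Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $existing.Id -Scope $Scope
    } else {
        New-MgOauth2PermissionGrant -ClientId $client.Id -ConsentType 'Principal' `
            -PrincipalId $user.Id -ResourceId $resource.Id -Scope $Scope
    }
}

Grant-UserScope -Upn 'admin1@contoso.example' -Scope 'User.ReadWrite.All'
Grant-UserScope -Upn 'user1@contoso.example'  -Scope 'User.Read.All'

# 4. Verify: each user should now have exactly one 'Principal' grant with the intended scope,
#    and no 'AllPrincipals' grant should remain for this client.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($client.Id)'" -All |
    Select-Object ConsentType, PrincipalId, Scope | Format-Table -AutoSize
```

To confirm the effect from the user side, sign in as User1 with `Connect-MgGraph -Scopes "User.Read.All"` and inspect `(Get-MgContext).Scopes`: the token now carries only the scopes consented for that principal, so User.ReadWrite.All no longer appears. Keep in mind that this only limits what the Graph PowerShell client can do on the user's behalf; it does not change the user's directory roles, and a Global Administrator signing in will still be able to re-consent for the whole tenant.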
- aexlz (Brass Contributor)
Hi
This should do your job: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps#assign-users-and-groups-to-roles
Best, Axel
- niazstinu (Brass Contributor)
Thanks for your answer, but I can only see Default Access.
Is it possible to assign User.Read.All to User1 only? As I read, this has to be done through an App Registration, but there is no app registration for Graph PowerShell; it only exists under Enterprise applications.