Forum Discussion
Microsoft Graph Required Scopes list?
Hi All,
How and where can I get the PowerShell Graph Required Scopes list?
I need to get the list of all ReadOnly scopes like:
'User.Read.All',
'Group.Read.All',
'UserAuthenticationMethod.Read.All'
Thanks in advance.
Any help would be greatly appreciated.
If you really want to get funky, just pull it from PowerShell.
This is something I do (though not this way) in identity management to dynamically cater to the addition and removal (not that I've actually seen a removal) of app roles when I'm flagging users with privileged rights in key Azure platforms.
Anyhow, to keep things simple, this example uses the Get-MgServicePrincipal cmdlet against the beta endpoint.
Get-MgServicePrincipal (Microsoft.Graph.Applications) | Microsoft Docs
# Pull the app roles of the Microsoft Graph service principal. The -ServicePrincipalId value is the
# service principal's object ID, which is tenant-specific, so substitute the one from your own tenant.
(Get-MgServicePrincipal -ServicePrincipalId 0e5cbc2e-764b-4147-8ac8-429decdbb48a -Property AppRoles).AppRoles |
    # Keep roles whose value contains "read" with no "write" after it (so ReadWrite.* is dropped; -match is case-insensitive)
    Where-Object { $_.Value -match "(read)(?!.*write)" } |
    ForEach-Object {
        [PSCustomObject] @{
            Id          = $_.Id
            Name        = $_.Value
            Enabled     = $_.IsEnabled
            DisplayName = $_.DisplayName
            AppliesTo   = $_.AllowedMemberTypes
        }
    } |
    Sort-Object -Property Name |
    Format-Table -AutoSize
Which produces the following output (there's more results than can fit on the screen, so take this as a guide only.)
Clearly, you can fiddle with the "where" clause to your heart's content to include more or reduce it further.
Cheers,
Lain
7 Replies
- farismalaeb (Steel Contributor)
There is also another way to find all the read-only scopes if you have Azure AD.
Open Azure AD --> Enterprise Applications --> Consent and Permissions --> Permission Classifications
Click Add Permission and select Microsoft Graph.
In the search, type Read and the list will be filtered to include all the scopes with Read permissions.
Maybe there is a faster way to access this list, but this is how I get there.
- SystemEngineer (Steel Contributor)
Many thanks for the confirmation and the explanation. The code throws an error like below:
Get-MgServicePrincipal : Resource '0e5cbc2e-764b-4147-8ac8-429decdbb48a' does not exist or one of its queried reference-property objects are not present.
At line:1 char:1
+ (Get-MgServicePrincipal -ServicePrincipalId 0e5cbc2e-764b-4147-8ac8-4 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ ServicePrinci...ndProperty = }:<>f__AnonymousType75`3) [Get-MgServicePrincipal_Get], RestException`1
    + FullyQualifiedErrorId : Request_ResourceNotFound,Microsoft.Graph.PowerShell.Cmdlets.GetMgServicePrincipal_Get
- LainRobertson (Silver Contributor)
Microsoft Graph permissions reference - Microsoft Graph | Microsoft Docs
There are lots, as they are application-specific.
You'll likely be interested in the ones you've listed below along with those from "Directory".
Cheers,
Lain
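As an added example (not code from any poster in this thread), here is the same lookup made tenant-independent by resolving the Microsoft Graph service principal through its well-known application ID rather than a tenant-specific object ID (the cause of the Request_ResourceNotFound above), and extended to list read-only delegated scopes alongside application roles. It assumes the Microsoft.Graph.Applications module is installed and a session connected with Application.Read.All.

```powershell
# Added example, not from the thread. Lists read-only Microsoft Graph permissions
# by resolving the Graph service principal via its application ID, which is the
# same in every tenant, so no per-tenant object ID is needed.
# Assumes: Microsoft.Graph.Applications module and an existing session from
#   Connect-MgGraph -Scopes 'Application.Read.All'

$graphAppId = '00000003-0000-0000-c000-000000000000'   # Microsoft Graph, all tenants

$sp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'" `
          -Property appRoles, oauth2PermissionScopes | Select-Object -First 1
if (-not $sp) { throw 'Microsoft Graph service principal not found in this tenant.' }

# "Read-only" here means the value contains Read and no Write anywhere:
# User.Read.All and User.ReadBasic.All match, User.ReadWrite.All does not.
# -match / -notmatch are case-insensitive in PowerShell.
$readOnly = { $_.Value -match 'Read' -and $_.Value -notmatch 'Write' }

# Application permissions (app roles): held by the app itself, admin consent only.
$appPerms = $sp.AppRoles | Where-Object $readOnly | ForEach-Object {
    [PSCustomObject]@{
        Type    = 'Application'
        Scope   = $_.Value
        Enabled = $_.IsEnabled
        Consent = 'Admin'
        Name    = $_.DisplayName
    }
}

# Delegated permissions (OAuth2 scopes): exercised on behalf of a signed-in user.
$delegated = $sp.Oauth2PermissionScopes | Where-Object $readOnly | ForEach-Object {
    [PSCustomObject]@{
        Type    = 'Delegated'
        Scope   = $_.Value
        Enabled = $_.IsEnabled
        Consent = $_.Type            # 'User' or 'Admin'
        Name    = $_.AdminConsentDisplayName
    }
}

$readOnlyPerms = @($appPerms) + @($delegated) | Sort-Object Type, Scope
$readOnlyPerms | Format-Table -AutoSize

# Least-privilege check: flag requested permissions that are not in the read-only set.
# $requested is a constructed sample; feed it an app registration's requested scopes.
$requested = @('User.Read.All', 'Group.ReadWrite.All', 'Directory.Read.All')
$requested | Where-Object { $_ -notin $readOnlyPerms.Scope } |
    ForEach-Object { Write-Warning "Not read-only: $_" }
```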