Forum Discussion

SystemEngineer's avatar
SystemEngineer
Iron Contributor
Jun 28, 2022
Solved

Microsoft Graph Required Scopes list ?

Hi All,   How and where can I get the PowerShell Graph Required Scopes list? I need to get the list of all ReadOnly scopes like:   'User.Read.All', 'Group.Read.All', 'UserAuthenticationMethod....
Windows PowerShell
  • LainRobertson's avatar
    LainRobertson
    Jun 28, 2022

    farismalaeb 

     

    If you really want to get funky, just pull it from PowerShell.

     

    This is something I do (though not this way) in identity management to dynamically cater to the addition and removal (not that I've actually seen a removal) of app roles when I'm flagging users with privileged rights in key Azure platforms.

     

    Anyhow, to keep things simple, this example uses the Get-MgServicePrincipal commandlet against the beta endpoint.

     

    Get-MgServicePrincipal (Microsoft.Graph.Applications) | Microsoft Docs

     

    (Get-MgServicePrincipal -ServicePrincipalId 0e5cbc2e-764b-4147-8ac8-429decdbb48a -Property AppRoles).AppRoles |
    Where-Object { $_.Value -match "(read)(?!.*write)" } |
        ForEach-Object {
            [PSCustomObject] @{
                Id = $_.Id;
                Name = $_.Value;
                Enabled = $_.IsEnabled;
                DisplayName = $_.DisplayName;
                AppliesTo = $_.AllowedMemberTypes;
            }
        } | Sort-Object -Property Name | Format-Table -AutoSize;

     

    Which produces the following output (there's more results than can fit on the screen, so take this as a guide only.)

     

     

    Clearly, you can fiddle with the "where" clause to your heart's content to include more or reduce it further.

     

    Cheers,

    Lain

Resources