Microsoft Graph Required Scopes list ?

Hi All,

How and where can I get the PowerShell Graph Required Scopes list?
I need to get the list of all ReadOnly scopes like:

'User.Read.All',
'Group.Read.All',
'UserAuthenticationMethod.Read.All'

Thanks in advance.

Any help would be greatly appreciated.

@SystemEngineer

Microsoft Graph permissions reference - Microsoft Graph | Microsoft Docs

There are lots, as they are application-specific.

You'll likely be interested in the ones you've listed below along with those from "Directory".

Cheers,

Lain

@SystemEngineer

There is also another way to find all the read-only scopes if you have Azure AD.
Open Azure AD --> Enterprise Application --> Consent and Permissions --> Permissions Classifications
Click Add Permission and select Microsoft Graph

In the search, type Read and the list will be filtered to include all the scopes with Read permissions.

Maybe there is a faster way to access this list, but this is how I get there.

 

best response confirmed by SystemEngineer (Iron Contributor)
Solution

@farismalaeb

If you really want to get funky, just pull it from PowerShell.

This is something I do (though not this way) in identity management to dynamically cater to the addition and removal (not that I've actually seen a removal) of app roles when I'm flagging users with privileged rights in key Azure platforms.

Anyhow, to keep things simple, this example uses the Get-MgServicePrincipal commandlet against the beta endpoint.

Get-MgServicePrincipal (Microsoft.Graph.Applications) | Microsoft Docs

(Get-MgServicePrincipal -ServicePrincipalId 0e5cbc2e-764b-4147-8ac8-429decdbb48a -Property AppRoles).AppRoles |
    Where-Object { $_.Value -match "(read)(?!.*write)" } |
        ForEach-Object {
            [PSCustomObject] @{
                Id = $_.Id;
                Name = $_.Value;
                Enabled = $_.IsEnabled;
                DisplayName = $_.DisplayName;
                AppliesTo = $_.AllowedMemberTypes;
            }
        } | Sort-Object -Property Name | Format-Table -AutoSize;

Which produces the following output (there's more results than can fit on the screen, so take this as a guide only.)

[screenshot of the table output omitted]

Clearly, you can fiddle with the "where" clause to your heart's content to include more or reduce it further.

Cheers,

Lain

Thanks, Lain, for the addition.
Having multiple ways of doing a certain task is great, as it helps everyone in the community in finding their preferred approach.

Cheers

@LainRobertson,

Many thanks for the confirmation and the explanation.

The code throws an error like below:

Get-MgServicePrincipal : Resource '0e5cbc2e-764b-4147-8ac8-429decdbb48a' does not exist or one of its queried reference-property objects are not present.
At line:1 char:1
+ (Get-MgServicePrincipal -ServicePrincipalId 0e5cbc2e-764b-4147-8ac8-4 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: ({ ServicePrinci...ndProperty =  }:<>f__AnonymousType75`3) [Get-MgServicePrincipal_Get], RestException`1
    + FullyQualifiedErrorId : Request_ResourceNotFound,Microsoft.Graph.PowerShell.Cmdlets.GetMgServicePrincipal_Get

@SystemEngineer

Hmm, I'm not sure what the issue there is. The error's straightforward enough, but I can't say from the error why you're getting it.

The GUID of 0e5cbc2e-764b-4147-8ac8-429decdbb48a is well-defined by Microsoft, meaning so long as you're authenticated, you should be able to see it. I'm not sure why you're getting an error saying it doesn't exist.

I logged in with my normal, completely unprivileged account and successfully ran a Get-MgServicePrincipal commandlet - meaning it's not likely to be a permissions issue:

[screenshot of the successful Get-MgServicePrincipal call omitted]

I even ran the block I posted above from last year under this normal account without issue.

You could try the following alternative to see if you get anything back, but my instinct tells me you're going to get the same outcome:

Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'"

[screenshot of the filter output omitted]

The commandlet version on my host is as follows:

[screenshot of the module version omitted]

Cheers,

Lain
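As an added example (not code from the thread or from any of its posters), the script below combines the accepted answer's read-only filter with a lookup that sidesteps the "Resource ... does not exist" error from the later reply: it resolves the Microsoft Graph service principal by its well-known application (client) ID, which is the same in every tenant, rather than by a service principal object ID, which is assigned per tenant, and it lists delegated scopes (what the original question asked about) alongside application permissions, flagging the ones that require admin consent. It assumes the Microsoft.Graph.Applications module is installed and Connect-MgGraph has already been run with a scope that can read service principals.

```powershell
# Added example, not from the thread. Assumes Connect-MgGraph has already run
# with a read-only scope that can list service principals (Application.Read.All
# is sufficient; use whatever your tenant grants).
#
# The Microsoft Graph service principal is resolved by its well-known
# application (client) ID rather than by object ID, because the object ID
# differs per tenant, which is one cause of "Resource ... does not exist".
$graphAppId = '00000003-0000-0000-c000-000000000000'

$sp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'" `
        -Property AppRoles, Oauth2PermissionScopes

if (-not $sp) { throw "Microsoft Graph service principal not found in this tenant." }

# Same read-only pattern as the accepted answer: contains "read" with no later "write".
$readOnly = '(read)(?!.*write)'

# Application permissions (app roles): granted to an app itself, always admin consented.
$appPerms = $sp.AppRoles |
    Where-Object { $_.IsEnabled -and $_.Value -match $readOnly } |
    ForEach-Object {
        [PSCustomObject]@{
            Kind         = 'Application'
            Name         = $_.Value
            Id           = $_.Id
            AdminConsent = $true
            Description  = $_.DisplayName
        }
    }

# Delegated permissions (OAuth2 scopes): what a signed-in user's session gets.
# Type 'Admin' means an administrator must consent before the scope can be used.
$delegated = $sp.Oauth2PermissionScopes |
    Where-Object { $_.IsEnabled -and $_.Value -match $readOnly } |
    ForEach-Object {
        [PSCustomObject]@{
            Kind         = 'Delegated'
            Name         = $_.Value
            Id           = $_.Id
            AdminConsent = ($_.Type -eq 'Admin')
            Description  = $_.AdminConsentDisplayName
        }
    }

# Show both lists and export them so the result can be reviewed or diffed between tenants.
$all = @($appPerms) + @($delegated) | Sort-Object Kind, Name
$all | Format-Table Kind, Name, AdminConsent, Description -AutoSize
$all | Export-Csv -Path '.\graph-readonly-permissions.csv' -NoTypeInformation
```

A "Read" name does not by itself mean low impact: the AdminConsent column shows which read-only scopes (for example tenant-wide directory reads) still need an administrator to approve them.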
