Granting Azure Application consent on behalf of the user

I work as System Administrator for more than 15 years now and I love to make my life easier by automating work & personal stuff via PowerShell (even silly things like food recipes list generation).

There can be situations where you need to grant application consent on behalf of a user. Our use case arose when we removed our users' permission to grant application consent themselves. The reason was to minimize the risk of users granting permissions to malicious applications.

Once that permission is removed, users have to request admin consent every time they want to use a new Azure application. Monitoring of such requests was described in the Automatic Jira ticket creation for Azure application admin consent requests post.

To be able to quickly grant permission consents on behalf of our users I've created the PowerShell function Add-AzureADAppUserConsent, which is part of my AzureADStuff module.

This function depends on a couple of modules: AzureAD, Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Users and Microsoft.Graph.Identity.SignIns.

How to use

Install-Module AzureADStuff -Scope CurrentUser

Import-Module AzureADStuff

Connect-AzureAD

# a) grant consent on behalf of the "john@contoso.onmicrosoft.com" user to application "Salesforce Inbox" (has ID 00b263e4-3497-4650-b082-3197cfdfdd7c)
# based on one of the existing user consents
Add-AzureADAppUserConsent -clientAppId "00b263e4-3497-4650-b082-3197cfdfdd7c" -copyExistingConsent -userUpnOrId "john@contoso.onmicrosoft.com"

# b) grant specific consent on behalf of the "john@contoso.onmicrosoft.com" user to application "Salesforce Inbox" (00b263e4-3497-4650-b082-3197cfdfdd7c)
# over resources (enterprise applications) "Office 365 Exchange Online" (02ad85cd-02ce-4902-a319-1af611526021) and "Windows Azure Active Directory" (88690023-f9e1-4728-9028-cdcc6bf67d22).
# keys are the resource (enterprise application) IDs, values are the delegated permission scopes to grant on that resource
$consent = @{
    # Windows Azure Active Directory permissions
    "88690023-f9e1-4728-9028-cdcc6bf67d22" = "User.Read"
    # Office 365 Exchange Online permissions
    "02ad85cd-02ce-4902-a319-1af611526021" = "User.Read", "Contacts.ReadWrite", "Calendars.ReadWrite", "Mail.Send", "Mail.ReadWrite", "EWS.AccessAsUser.All"
}
Add-AzureADAppUserConsent -clientAppId "00b263e4-3497-4650-b082-3197cfdfdd7c" -consent $consent -userUpnOrId "john@contoso.onmicrosoft.com"
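To show what a per-user consent actually is underneath, here is an added example that is not code from the AzureADStuff module: it writes the same kind of delegated grant (an oAuth2PermissionGrant with consentType "Principal") directly with the Microsoft.Graph cmdlets the module depends on. The function names Get-AppUserConsent and Grant-AppUserConsent and their parameters are this example's own; the ID in the usage lines is the "Salesforce Inbox" application from the post, and the user and resource IDs are placeholders you replace with your own. It also adds two checks a practitioner wants before granting on someone's behalf: the requested scopes must be ones the resource really publishes, and an existing grant for the same user, client and resource is updated rather than duplicated.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns

# List the per-user ("Principal") grants that already exist for an application.
# This is the data a "copy existing consent" style option works from, and it is
# what you review to see which users have delegated what to the app.
function Get-AppUserConsent {
    param([Parameter(Mandatory)] [string] $ClientAppId)   # application (client) ID

    # the grant's clientId is the service principal OBJECT id, not the application (client) id
    $clientSp = Get-MgServicePrincipal -Filter "appId eq '$ClientAppId'"
    if (-not $clientSp) { throw "No service principal for appId $ClientAppId (app not added to the tenant)" }

    Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientSp.Id)'" -All |
        Where-Object ConsentType -eq 'Principal' |
        ForEach-Object {
            [pscustomobject]@{
                User     = (Get-MgUser -UserId $_.PrincipalId -Property UserPrincipalName).UserPrincipalName
                Resource = (Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId).DisplayName
                Scope    = $_.Scope
                GrantId  = $_.Id
            }
        }
}

# Grant delegated permissions to one application on behalf of one user.
# $Consent has the same shape as in the post: resource (enterprise application) ID -> scope(s).
function Grant-AppUserConsent {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]    $ClientAppId,
        [Parameter(Mandatory)] [string]    $UserUpnOrId,
        [Parameter(Mandatory)] [hashtable] $Consent
    )

    $user     = Get-MgUser -UserId $UserUpnOrId -Property Id, UserPrincipalName
    $clientSp = Get-MgServicePrincipal -Filter "appId eq '$ClientAppId'"
    if (-not $clientSp) { throw "No service principal for appId $ClientAppId (app not added to the tenant)" }

    foreach ($resourceId in $Consent.Keys) {
        $resourceSp = Get-MgServicePrincipal -ServicePrincipalId $resourceId
        $requested  = @($Consent[$resourceId])

        # check 1: only scopes the resource really exposes (catches typos and the wrong resource ID)
        $published = $resourceSp.Oauth2PermissionScopes.Value
        $unknown   = $requested | Where-Object { $_ -notin $published }
        if ($unknown) { throw "$($resourceSp.DisplayName) does not expose scope(s): $($unknown -join ', ')" }

        # check 2: one grant per (client, resource, user); merge scopes instead of creating a duplicate
        $existing = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientSp.Id)'" -All |
            Where-Object { $_.ResourceId -eq $resourceId -and $_.PrincipalId -eq $user.Id -and $_.ConsentType -eq 'Principal' }

        $target = "$($user.UserPrincipalName) -> $($clientSp.DisplayName) on $($resourceSp.DisplayName)"
        if ($existing) {
            $merged = ((@($existing.Scope -split ' ') + $requested) | Where-Object { $_ } | Sort-Object -Unique) -join ' '
            if ($PSCmdlet.ShouldProcess($target, "update existing grant to '$merged'")) {
                Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $existing.Id -Scope $merged
            }
        }
        else {
            $scope = $requested -join ' '
            if ($PSCmdlet.ShouldProcess($target, "create grant '$scope'")) {
                New-MgOauth2PermissionGrant -ClientId $clientSp.Id -ConsentType 'Principal' `
                    -PrincipalId $user.Id -ResourceId $resourceId -Scope $scope
            }
        }
    }
}

# usage: writing delegated grants needs DelegatedPermissionGrant.ReadWrite.All; the rest is read-only
Connect-MgGraph -Scopes 'DelegatedPermissionGrant.ReadWrite.All', 'Application.Read.All', 'User.Read.All' -NoWelcome

# review who has already consented to "Salesforce Inbox" and to what
Get-AppUserConsent -ClientAppId '00b263e4-3497-4650-b082-3197cfdfdd7c' | Format-Table

# dry run first (-WhatIf), then grant User.Read on a placeholder resource for a placeholder user
$consent = @{ '<resource-service-principal-object-id>' = 'User.Read' }
Grant-AppUserConsent -ClientAppId '00b263e4-3497-4650-b082-3197cfdfdd7c' -UserUpnOrId '<user@yourtenant.onmicrosoft.com>' -Consent $consent -WhatIf
```

Because the grant is written with consentType "Principal", it applies to that one user only; an "AllPrincipals" grant would silently consent for the whole tenant, which is exactly the exposure that removing user consent was meant to avoid, so the function never offers it. The -WhatIf run prints the exact user, client, resource and scope string that would be written, which is worth keeping in the ticket alongside the admin consent request.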
