Was trying to find out if there's a way of letting others in our firm create App Registrations and add permissions to them, but limit what permissions they can admin consent to. You know, maybe allow them to admin consent delegated permissions but not application permissions. Or even allow application permissions but not certain types of application permissions. Typically you need to be either a Global Admin or a Privileged Role Admin to be able to do this, and that gives out a lot more permissions than needed.

Looks like the ability to do this was released about a year ago. The steps are:

1. Create app consent policies as detailed in this link (this is what defines what consents someone can do), and
2. Add these consent policies to custom roles that you create as detailed in this link (this is what applies the app consent policies to users & groups who have that custom role).

All of this needs to be done via PowerShell, and some of these even require the AzureADPreview module (even though it's been a year since release of this feature).

First, install/ enable the preview module and connect to AzureAD.

The few application permissions I want to exclude (description and permission Id):

- Read and write workforce integrations: 202bf709-e8e6-478e-bcfd-5d63c50b68e3
- Read and write presence information for all users: 83cded22-8297-4ff6-a7fa-e97e9545a259
- Read and write external connections: f431331c-49a6-499f-be1c-62af19c34a9d
- Read and write all Windows update deployment settings: 7dd1be58-6e76-4401-bf8d-31d1e8180d5b

I learnt a bunch of things through trial and error here so I'll summarize them below:

- I have to first include/ allow everything and then do an exclusion, i.e. I cannot create a policy having only exclusions, as I have to define the set of permissions that is allowed in the first place and then exclude from that.
- When excluding I have to specify the resource application whose permissions I am excluding. However, I don't use the ObjectId property of the Service Principal but the AppId.
- As a best practice let's also specify the resource application when defining what is allowed/ included. Because if I leave that empty then it means all permissions of all APIs are allowed, and that's not what we want here. I want to allow all permissions of the Graph API (because I selectively disable a few later), so if I don't restrict the allowing also to just the Graph API it means any other APIs like (say) Exchange Online and PowerBI etc. are allowed too. That means someone could potentially consent to an application level permission for the Exchange Online API to do a full_access_as_app, as I am not disallowing anything to do with this API later on.

    New-AzureADMSPermissionGrantPolicy `
        -Id "mytenant-all-application-permissions-except-a-few" `
        -DisplayName "All application permissions, for any client app except a few selected ones" `
        -Description "Permissions consentable by Application Administrators (Level 2)"

    # Create the permission grants allowing all application permissions for the Graph API
    New-AzureADMSPermissionGrantConditionSet `
        -PolicyId "mytenant-all-application-permissions-except-a-few" `
        -ConditionSetType "includes" `
        -PermissionType "application" `
        -ResourceApplication "00000003-0000-0000-c000-000000000000"
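The whole policy described above, end to end, as an added example written for this page (it is not the post's own script). It uses the AzureADPreview cmdlets New-AzureADMSPermissionGrantPolicy, New-AzureADMSPermissionGrantConditionSet, Get-AzureADMSPermissionGrantConditionSet and New-AzureADMSRoleDefinition, the policy Id and the four excluded permission Ids from the post, and the well-known Microsoft Graph AppId 00000003-0000-0000-c000-000000000000. The custom role name and the Test-ConsentPolicyScope helper are assumptions; the role follows the documented managePermissionGrantsForAll.{policyId} action pattern for binding a consent policy to a custom role.

```powershell
# Assumes Install-Module AzureADPreview and Connect-AzureAD have already been run.

$policyId   = "mytenant-all-application-permissions-except-a-few"
$graphAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph (AppId, not the SP ObjectId)

# Application permissions (from the post) that must NOT be consentable under this policy
$excludedGraphAppPermissions = @(
    "202bf709-e8e6-478e-bcfd-5d63c50b68e3",  # Read and write workforce integrations
    "83cded22-8297-4ff6-a7fa-e97e9545a259",  # Read and write presence information for all users
    "f431331c-49a6-499f-be1c-62af19c34a9d",  # Read and write external connections
    "7dd1be58-6e76-4401-bf8d-31d1e8180d5b"   # Read and write all Windows update deployment settings
)

# 1. The policy container
New-AzureADMSPermissionGrantPolicy `
    -Id $policyId `
    -DisplayName "All application permissions, for any client app except a few selected ones" `
    -Description "Permissions consentable by Application Administrators (Level 2)"

# 2. Include: every application permission, but scoped to Graph only.
#    Leaving -ResourceApplication out would mean "any" API, i.e. Exchange Online,
#    Power BI and so on would be consentable too.
New-AzureADMSPermissionGrantConditionSet `
    -PolicyId $policyId `
    -ConditionSetType "includes" `
    -PermissionType "application" `
    -ResourceApplication $graphAppId

# 3. Exclude the selected Graph permissions. An exclude must name the resource
#    application (by AppId) whose permissions it is removing from the include set.
New-AzureADMSPermissionGrantConditionSet `
    -PolicyId $policyId `
    -ConditionSetType "excludes" `
    -PermissionType "application" `
    -ResourceApplication $graphAppId `
    -Permissions $excludedGraphAppPermissions

# 4. Verification helper (assumed name): flags any include condition set that is not
#    pinned to a specific resource application, and reports the excludes present.
function Test-ConsentPolicyScope {
    param([string]$PolicyId)

    $includes = Get-AzureADMSPermissionGrantConditionSet -PolicyId $PolicyId -ConditionSetType "includes"
    $excludes = Get-AzureADMSPermissionGrantConditionSet -PolicyId $PolicyId -ConditionSetType "excludes"

    $unscoped = $includes | Where-Object { $_.ResourceApplication -eq "any" }
    foreach ($cs in $unscoped) {
        Write-Warning "Include $($cs.Id) applies to ANY resource application; scope it to a single AppId."
    }

    [pscustomobject]@{
        PolicyId          = $PolicyId
        IncludeCount      = @($includes).Count
        UnscopedIncludes  = @($unscoped).Count
        ExcludeCount      = @($excludes).Count
        ExcludedPermCount = ($excludes | ForEach-Object { @($_.Permissions).Count } | Measure-Object -Sum).Sum
    }
}

Test-ConsentPolicyScope -PolicyId $policyId

# 5. Bind the policy to a custom role so members can grant exactly this set of consents
#    without holding Global Admin or Privileged Role Admin (role name is an assumption).
$rolePermissions = New-Object Microsoft.Open.MSGraph.Model.RolePermission
$rolePermissions.AllowedResourceActions = @(
    "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.$policyId"
)
New-AzureADMSRoleDefinition `
    -RolePermissions $rolePermissions `
    -DisplayName "Application Administrator (Level 2)" `
    -Description "Can admin-consent Graph application permissions except the excluded few" `
    -IsEnabled $true
```

Run the verification step again after any later edit to the policy: an include that reports ResourceApplication "any" is exactly the gap the post warns about, where a full_access_as_app style permission on a non-Graph API would become consentable because the excludes only ever name Graph.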