Merge pull request #217157 from omondiatieno/grant-admin-consent

tamarakhader · web-flow · commit 5a4e32c08931 · 2022-11-07T10:39:30.000-05:00
add zone pivots with Microsoft Graph content
diff --git a/articles/active-directory/manage-apps/grant-admin-consent.md b/articles/active-directory/manage-apps/grant-admin-consent.md
@@ -1,17 +1,18 @@
 ---
 title: Grant tenant-wide admin consent to an application 
-description: Learn how to grant tenant-wide consent to an application so that end-users are not prompted for consent when signing in to an application.
+description: Learn how to grant tenant-wide consent to an application so that end-users aren't prompted for consent when signing in to an application.
 services: active-directory
 author: eringreenlee
 manager: CelesteDG
 ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: how-to
-ms.date: 09/02/2022
+ms.date: 11/07/2022
 ms.author: ergreenl
 ms.collection: M365-identity-device-management
 ms.custom: contperf-fy22q2
+zone_pivot_groups: enterprise-apps-minus-aad-powershell
 
 #customer intent: As an admin, I want to grant tenant-wide admin consent to an application in Azure AD.
 ---
@@ -20,13 +21,11 @@ ms.custom: contperf-fy22q2
 
   In this article, you'll learn how to grant tenant-wide admin consent to an application in Azure Active Directory (Azure AD). To understand how individual users consent, see [Configure how end-users consent to applications](configure-user-consent.md).
 
-When you grant tenant-wide admin consent to an application, you give the application access on behalf of the whole organization to the permissions requested. Granting admin consent on behalf of an organization is a sensitive operation, potentially allowing the application's publisher access to significant portions of your organization's data, or the permission to do highly privileged operations. Examples of such operations might be role management, full access to all mailboxes or all sites, and full user impersonation.
+When you grant tenant-wide admin consent to an application, you give the application access on behalf of the whole organization to the permissions requested. Granting admin consent on behalf of an organization is a sensitive operation, potentially allowing the application's publisher access to significant portions of your organization's data, or the permission to do highly privileged operations. Examples of such operations might be role management, full access to all mailboxes or all sites, and full user impersonation. Carefully review the permissions that the application is requesting before you grant consent.
 
 By default, granting tenant-wide admin consent to an application will allow all users to access the application unless otherwise restricted. To restrict which users can sign-in to an application, configure the app to [require user assignment](application-properties.md#assignment-required) and then [assign users or groups to the application](assign-user-or-group-access-portal.md). 
 
-Tenant-wide admin consent to an app grants the app and the app's publisher access to your organization's data. Carefully review the permissions that the application is requesting before you grant consent. For more information on consenting to applications, see [Azure Active Directory consent framework](../develop/consent-framework.md).
-
-Granting tenant-wide admin consent may revoke any permissions which had previously been granted tenant-wide for that application. Permissions which have previously been granted by users on their own behalf will not be affected.
+Granting tenant-wide admin consent may revoke any permissions that had previously been granted tenant-wide for that application. Permissions that have previously been granted by users on their own behalf won't be affected.
 
 ## Prerequisites
 
@@ -43,6 +42,8 @@ To grant tenant-wide admin consent, you need:
 
 You can grant tenant-wide admin consent through *Enterprise applications* if the application has already been provisioned in your tenant. For example, an app could be provisioned in your tenant if at least one user has already consented to the application. For more information, see [How and why applications are added to Azure Active Directory](../develop/active-directory-how-applications-are-added.md).
 
+:::zone pivot="portal"
+
 To grant tenant-wide admin consent to an app listed in **Enterprise applications**:
 
 1. Sign in to the [Azure portal](https://portal.azure.com) with one of the roles listed in the prerequisites section.
@@ -81,6 +82,145 @@ where:
 
 As always, carefully review the permissions an application requests before granting consent.
 
+
+:::zone-end
+
+
+:::zone pivot="ms-powershell"
+
+In the following example, you'll grant delegated permissions defined by a resource enterprise application to a client enterprise application on behalf of all users.
+
+In the example, the resource enterprise application is Microsoft Graph of object ID `7ea9e944-71ce-443d-811c-71e8047b557a`. The Microsoft Graph defines the delegated permissions, `User.Read.All` and `Group.Read.All`. The consentType is `AllPrincipals`, indicating that you're consenting on behalf of all users in the tenant. The object ID of the client enterprise application is `b0d9b9e3-0ecf-4bfd-8dab-9273dd055a941`.
+
+> [!CAUTION] 
+> Be careful! Permissions granted programmatically are not subject to review or confirmation. They take effect immediately.
+
+## Grant admin consent for delegated permissions
+
+1. Connect to Microsoft Graph PowerShell:
+
+   ```powershell
+   Connect-MgGraph -Scopes "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All"
+   ```
+
+1. Retrieve all the delegated permissions defined by Microsoft graph (the resource application) in your tenant application. Identify the delegated permissions that you'll grant the client application. In this example, the delegation permissions are `User.Read.All` and `Group.Read.All`
+   
+   ```powershell
+   Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'" -Property Oauth2PermissionScopes | Select -ExpandProperty Oauth2PermissionScopes | fl
+   ```
+
+1. Grant the delegated permissions to the client enterprise application by running the following request.
+   
+```powershell
+$params = @{
+  
+  "ClientId" = "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94"
+  "ConsentType" = "AllPrincipals"
+  "ResourceId" = "7ea9e944-71ce-443d-811c-71e8047b557a"
+  "Scope" = "User.Read.All Group.Read.All"
+}
+
+New-MgOauth2PermissionGrant -BodyParameter $params | 
+  Format-List Id, ClientId, ConsentType, ResourceId, Scope
+```
+     
+1. Confirm that you've granted tenant wide admin consent by running the following request.   
+    
+  ```powershell
+   Get-MgOauth2PermissionGrant-Filter "clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' consentType eq 'AllPrincipals'" 
+  ```      
+## Grant admin consent for application permissions
+
+In the following example, you grant the Microsoft Graph enterprise application (the principal of ID `b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94`) an app role (application permission) of ID `df021288-bdef-4463-88db-98f22de89214` that's exposed by a resource enterprise application of ID `7ea9e944-71ce-443d-811c-71e8047b557a`.
+
+1. Connect to Microsoft Graph PowerShell:
+
+   ```powershell
+   Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
+   ```
+
+1. Retrieve the app roles defined by Microsoft graph in your tenant. Identify the app role that you'll grant the client enterprise application. In this example, the app role ID is `df021288-bdef-4463-88db-98f22de89214`.
+
+   ```powershell
+   Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Graph'" -Property AppRoles | Select -ExpandProperty appRoles |fl
+   ```
+  
+1. Grant the application permission (app role) to the client enterprise application by running the following request.
+
+```powershell
+ $params = @{
+  "PrincipalId" ="b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94"
+  "ResourceId" = "2cab1707-656d-40cc-8522-3178a184e03d"
+  "AppRoleId" = "df021288-bdef-4463-88db-98f22de89214"
+}
+
+New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId '2cab1707-656d-40cc-8522-3178a184e03d' -BodyParameter $params | 
+  Format-List Id, AppRoleId, CreatedDateTime, PrincipalDisplayName, PrincipalId, PrincipalType, ResourceDisplayName
+```
+
+:::zone-end
+
+:::zone pivot="ms-graph"
+
+Use [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer) to grant both delegated and application permissions. 
+
+## Grant admin consent for delegated permissions
+
+In the following example, you'll grant delegated permissions defined by a resource enterprise application to a client enterprise application on behalf of all users.
+
+In the example, the resource enterprise application is Microsoft Graph of object ID `7ea9e944-71ce-443d-811c-71e8047b557a`. The Microsoft Graph defines the delegated permissions, `User.Read.All` and `Group.Read.All`. The consentType is `AllPrincipals`, indicating that you're consenting on behalf of all users in the tenant. The object ID of the client enterprise application is `b0d9b9e3-0ecf-4bfd-8dab-9273dd055a941`.
+
+> [!CAUTION] 
+> Be careful! Permissions granted programmatically are not subject to review or confirmation. They take effect immediately.
+
+1. Retrieve all the delegated permissions defined by Microsoft graph (the resource application) in your tenant application. Identify the delegated permissions that you'll grant the client application. In this example, the delegation permissions are `User.Read.All` and `Group.Read.All`
+   
+   ```http
+   GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=displayName eq 'Microsoft Graph'&$select=id,displayName,appId,oauth2PermissionScopes
+   ```
+
+1. Grant the delegated permissions to the client enterprise application by running the following request.
+   
+   ```http   
+   POST https://graph.microsoft.com/v1.0/oauth2PermissionGrants
+   
+   Request body
+   {
+      "clientId": "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94",
+      "consentType": "AllPrincipals",
+      "resourceId": "7ea9e944-71ce-443d-811c-71e8047b557a",
+      "scope": "User.Read.All Group.Read.All"
+   }
+   ```
+1. Confirm that you've granted tenant wide admin consent by running the following request.
+
+   ```http
+   GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' and consentType eq 'AllPrincipals'
+   ```
+## Grant admin consent for application permissions
+
+In the following example, you grant the Microsoft Graph enterprise application (the principal of ID `b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94`) an app role (application permission) of ID `df021288-bdef-4463-88db-98f22de89214` that's exposed by a resource enterprise application of ID `7ea9e944-71ce-443d-811c-71e8047b557a`.
+
+1. Retrieve the app roles defined by Microsoft graph in your tenant. Identify the app role that you'll grant the client enterprise application. In this example, the app role ID is `df021288-bdef-4463-88db-98f22de89214`
+
+   ```http
+   GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=displayName eq 'Microsoft Graph'&$select=id,displayName,appId,appRoles
+   ```
+1. Grant the application permission (app role) to the client enterprise application by running the following request.
+
+   ```http
+   POST https://graph.microsoft.com/v1.0/servicePrincipals/7ea9e944-71ce-443d-811c-71e8047b557a/appRoleAssignedTo
+   
+   Request body
+
+   {
+      "principalId": "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94",
+      "resourceId": "7ea9e944-71ce-443d-811c-71e8047b557a",
+      "appRoleId": "df021288-bdef-4463-88db-98f22de89214"
+   }
+   ```
+:::zone-end
+
 ## Next steps
 
 [Configure how end-users consent to applications](configure-user-consent.md)
diff --git a/articles/active-directory/manage-apps/manage-application-permissions.md b/articles/active-directory/manage-apps/manage-application-permissions.md
@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.subservice: app-mgmt
 ms.workload: identity
 ms.topic: how-to
-ms.date: 10/23/2021
+ms.date: 11/07/2022
 ms.author: jawoods
 ms.reviewer: phsignor
 zone_pivot_groups: enterprise-apps-minus-graph
@@ -18,11 +18,11 @@ ms.collection: M365-identity-device-management
 
 ---
 
-# Review permissions granted to applications
+# Review permissions granted to enterprise applications
 
 In this article, you'll learn how to review permissions granted to applications in your Azure Active Directory (Azure AD) tenant. You may need to review permissions when you've detected a malicious application or the application has been granted more permissions than is necessary.
 
-The steps in this article apply to all applications that were added to your Azure Active Directory (Azure AD) tenant via user or admin consent. For more information on consenting to applications, see [Azure Active Directory consent framework](../develop/consent-framework.md).
+The steps in this article apply to all applications that were added to your Azure Active Directory (Azure AD) tenant via user or admin consent. For more information on consenting to applications, see [User and admin consent](user-admin-consent-overview.md).
 
 ## Prerequisites
 
@@ -32,7 +32,7 @@ To review permissions granted to applications, you need:
 - One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator.
 - A Service principal owner who isn't an administrator is able to invalidate refresh tokens.
 
-## Review application permissions
+## Review permissions
 
 :::zone pivot="portal"
 
@@ -53,6 +53,9 @@ Each option generates PowerShell scripts that enable you to control user access
 
 :::zone pivot="aad-powershell"
 
+## Revoke permissions
+
+
 Using the following Azure AD PowerShell script revokes all permissions granted to an application.
 
 ```powershell
@@ -72,7 +75,7 @@ $spOAuth2PermissionsGrants | ForEach-Object {
 # Get all application permissions for the service principal
 $spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }
 
-# Remove all delegated permissions
+# Remove all application permissions
 $spApplicationPermissions | ForEach-Object {
     Remove-AzureADServiceAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.objectId
 }
@@ -107,7 +110,7 @@ $sp = Get-MgServicePrincipal -ServicePrincipalID "$ServicePrincipalID"
 
 Example: Get-MgServicePrincipal -ServicePrincipalId '22c1770d-30df-49e7-a763-f39d2ef9b369'
 
-# Get all application permissions for the service principal
+# Get all delegated permissions for the service principal
 $spOAuth2PermissionsGrants= Get-MgOauth2PermissionGrant -All| Where-Object { $_.clientId -eq $sp.Id }
 
 # Remove all delegated permissions
