Merge pull request #194180 from psignoret/patch-19

Fixing spacing and pre-requisites

Author: PRMerger-2

articles/active-directory/manage-apps/grant-consent-single-user.md

@@ -31,8 +31,7 @@ When a user grants consent on his or her own behalf, the following events occur:
 
 To grant consent to an application on behalf of one user, you need:
 
-- A user account. If you don't already have one, you can [create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
-- A Global Administrator or Privileged Administrator role.
+- A user account with Global Administrator, Application Administrator, or Cloud Application Administrator
 
 ## Grant consent on behalf of a single user
 
@@ -48,16 +47,20 @@ For this example, we'll use [Microsoft Graph PowerShell](/graph/powershell/get-s
 # The app for which consent is being granted. In this example, we're granting access
 # to Microsoft Graph Explorer, an application published by Microsoft.
 $clientAppId = "de8bc8b5-d9f9-48b1-a8ad-b748da725064" # Microsoft Graph Explorer
+
 # The API to which access will be granted. Microsoft Graph Explorer makes API 
 # requests to the Microsoft Graph API, so we'll use that here.
 $resourceAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph API
+
 # The permissions to grant. Here we're including "openid", "profile", "User.Read"
 # and "offline_access" (for basic sign-in), as well as "User.ReadBasic.All" (for 
 # reading other users' basic profile).
 $permissions = @("openid", "profile", "offline_access", "User.Read", "User.ReadBasic.All")
+
 # The user on behalf of whom access will be granted. The app will be able to access 
 # the API on behalf of this user.
 $userUpnOrId = "[email protected]"
+
 # Step 0. Connect to Microsoft Graph PowerShell. We need User.ReadBasic.All to get
 #    users' IDs, Application.ReadWrite.All to list and create service principals, 
 #    DelegatedPermissionGrant.ReadWrite.All to create delegated permission grants, 
@@ -66,12 +69,14 @@ $userUpnOrId = "[email protected]"
 Connect-MgGraph -Scopes ("User.ReadBasic.All Application.ReadWrite.All " `
                         + "DelegatedPermissionGrant.ReadWrite.All " `
                         + "AppRoleAssignment.ReadWrite.All")
+
 # Step 1. Check if a service principal exists for the client application. 
 #     If one does not exist, create it.
 $clientSp = Get-MgServicePrincipal -Filter "appId eq '$($clientAppId)'"
 if (-not $clientSp) {
    $clientSp = New-MgServicePrincipal -AppId $clientAppId
 }
+
 # Step 2. Create a delegated permission that grants the client app access to the
 #     API, on behalf of the user. (This example assumes that an existing delegated 
 #     permission grant does not already exist, in which case it would be necessary 
@@ -84,6 +89,7 @@ $grant = New-MgOauth2PermissionGrant -ResourceId $resourceSp.Id `
                                      -ClientId $clientSp.Id `
                                      -ConsentType "Principal" `
                                      -PrincipalId $user.Id
+
 # Step 3. Assign the app to the user. This ensures that the user can sign in if assignment
 #     is required, and ensures that the app shows up under the user's My Apps.
 if ($clientSp.AppRoles | ? { $_.AllowedMemberTypes -contains "User" }) {