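# Install and import Microsoft Graph module for PowerShell
# Install-Module Microsoft.Graph
# Import-Module Microsoft.Graph
#
# Grants a delegated (user-consent) OAuth2 permission grant for one user to a
# client app registration against the Power BI Service API, then assigns the
# app to that user so it appears in the user's My Apps. Runs in the tenant of
# the account used with Connect-MgGraph; that account must be allowed to
# consent on behalf of other users.
#
# The defaults below are the original sample values; override them per run:
#   .\delegate-user-consent.ps1 -clientAppId <guid> -userUpnOrId <upn>
param(
    # The App Registration (Service Principal) for which consent is being granted
    [string]$clientAppId = "4b64746b-957d-42d7-8fb5-0defe36711f3",
    # Power BI Service App ID
    [string]$resourceAppId = "00000009-0000-0000-c000-000000000000",
    # Service Account UPN (or object id)
    [string]$userUpnOrId = "powerbi-1@m365x51939963.onmicrosoft.com"
)

# Stop on the first failing Graph call instead of continuing with empty
# ids into New-MgOauth2PermissionGrant.
$ErrorActionPreference = "Stop"

# All Power BI Read/Write Permissions.
# NOTE(review): this list includes tenant-wide write scopes
# (Tenant.ReadWrite.All, Capacity.ReadWrite.All, ...) and the grant persists
# until removed; trim it to what the service account actually needs.
$permissions = @(
    "App.Read.All",
    "Capacity.Read.All",
    "Capacity.ReadWrite.All",
    "Content.Create",
    "Dashboard.Read.All",
    "Dashboard.ReadWrite.All",
    "Dataflow.Read.All",
    "Dataflow.ReadWrite.All",
    "Dataset.Read.All",
    "Dataset.ReadWrite.All",
    "Gateway.Read.All",
    "Gateway.ReadWrite.All",
    "Pipeline.Deploy",
    "Pipeline.Read.All",
    "Pipeline.ReadWrite.All",
    "Report.Read.All",
    "Report.ReadWrite.All",
    "StorageAccount.Read.All",
    "StorageAccount.ReadWrite.All",
    "Tenant.Read.All",
    "Tenant.ReadWrite.All",
    "UserState.ReadWrite.All",
    "Workspace.Read.All",
    "Workspace.ReadWrite.All"
)

# Connect to Microsoft Graph (Admin Permissions Required).
# NOTE(review): the script only reads service principals, so
# Application.ReadWrite.All looks broader than what is exercised here;
# confirm whether Application.Read.All is sufficient for your tenant.
$graphScopes = @(
    "User.ReadBasic.All",
    "Application.ReadWrite.All",
    "DelegatedPermissionGrant.ReadWrite.All",
    "AppRoleAssignment.ReadWrite.All"
)
Connect-MgGraph -Scopes $graphScopes

# Retrieve App Registration (Service Principal) from Microsoft Graph.
# A -Filter with no match returns nothing rather than an error, so check
# explicitly before using the ids.
$clientSp = Get-MgServicePrincipal -Filter "appId eq '$clientAppId'"
if (-not $clientSp) {
    throw "No service principal found for client appId '$clientAppId' in this tenant."
}

$resourceSp = Get-MgServicePrincipal -Filter "appId eq '$resourceAppId'"
if (-not $resourceSp) {
    throw "No service principal found for resource appId '$resourceAppId' in this tenant."
}

$user = Get-MgUser -UserId $userUpnOrId
if (-not $user) {
    throw "User '$userUpnOrId' was not found."
}

# Warn about requested scopes the resource API does not expose as delegated
# permissions; Graph may reject the whole grant for those.
$exposedScopes = @($resourceSp.Oauth2PermissionScopes | ForEach-Object { $_.Value })
$unknownScopes = @($permissions | Where-Object { $exposedScopes -notcontains $_ })
if ($unknownScopes.Count -gt 0) {
    Write-Warning ("Requested scopes not exposed by resource '$resourceAppId': " +
        ($unknownScopes -join ", "))
}

$scopeToGrant = $permissions -join " "

# Create (or update) the delegated permission grant that lets the client app
# access the API on behalf of the user. Only one grant may exist per
# client/resource/principal tuple, so an existing grant is updated in place
# rather than duplicated. The update replaces the grant's scope string
# wholesale: scopes previously consented but absent from $permissions are
# revoked by this step.
$grantFilter = "clientId eq '$($clientSp.Id)' and consentType eq 'Principal' " +
    "and principalId eq '$($user.Id)' and resourceId eq '$($resourceSp.Id)'"
$existingGrant = Get-MgOauth2PermissionGrant -Filter $grantFilter | Select-Object -First 1

if ($existingGrant) {
    Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $existingGrant.Id -Scope $scopeToGrant
    $grant = Get-MgOauth2PermissionGrant -OAuth2PermissionGrantId $existingGrant.Id
} else {
    $grantParams = @{
        ResourceId  = $resourceSp.Id
        Scope       = $scopeToGrant
        ClientId    = $clientSp.Id
        ConsentType = "Principal"
        PrincipalId = $user.Id
    }
    $grant = New-MgOauth2PermissionGrant @grantParams
}

# Assign the app to the user. This ensures that the user can sign in if assignment
# is required, and ensures that the app shows up under the user's My Apps.
$userAssignableRoles = $clientSp.AppRoles | Where-Object { $_.AllowedMemberTypes -contains "User" }
if ($userAssignableRoles) {
    Write-Warning ("A default app role assignment cannot be created because the " +
        "client application exposes user-assignable app roles. You must " +
        "assign the user a specific app role for the app to be listed " +
        "in the user's My Apps access panel.")
} else {
    # The app role ID 00000000-0000-0000-0000-000000000000 is the default app role
    # indicating that the app is assigned to the user, but not for any specific
    # app role.
    $defaultAppRoleId = "00000000-0000-0000-0000-000000000000"

    # Re-running the script must not fail on an assignment that already exists.
    $assignment = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $clientSp.Id -All |
        Where-Object { $_.PrincipalId -eq $user.Id -and $_.AppRoleId -eq $defaultAppRoleId } |
        Select-Object -First 1

    if (-not $assignment) {
        $assignmentParams = @{
            ServicePrincipalId = $clientSp.Id
            ResourceId         = $clientSp.Id
            PrincipalId        = $user.Id
            AppRoleId          = $defaultAppRoleId
        }
        $assignment = New-MgServicePrincipalAppRoleAssignedTo @assignmentParams
    }
}

Write-Host ("Delegated grant {0} for user {1} on client {2}: {3}" -f `
    $grant.Id, $user.UserPrincipalName, $clientAppId, $grant.Scope)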