az ad app permission

Manage an application's OAuth2 permissions.

Commands

az ad app permission add

Add an API permission.

az ad app permission admin-consent

Grant Application & Delegated permissions through admin-consent.

az ad app permission delete

Remove an API permission.

az ad app permission grant

Grant the app API Delegated permissions.

az ad app permission list

List API permissions the application has requested.

az ad app permission list-grants

List OAuth2 permission grants.

az ad app permission add

Add an API permission.

Invoking "az ad app permission grant" is needed to activate it.

az ad app permission add --api
                         --api-permissions
                         --id

Examples

Add Azure Active Directory Graph delegated permission User.Read (Sign in and read user profile).

az ad app permission add --id eeba0b46-78e5-4a1a-a1aa-cafe6c123456 --api 00000002-0000-0000-c000-000000000000 --api-permissions 311a71cc-e848-46a1-bdf8-97ff7156d8e6=Scope

Add Azure Active Directory Graph application permission Application.ReadWrite.All (Read and write all applications).

az ad app permission add --id eeba0b46-78e5-4a1a-a1aa-cafe6c123456 --api 00000002-0000-0000-c000-000000000000 --api-permissions 1cda74f2-2616-4834-b122-5cb1b07f8a59=Role

Required Parameters

--api

Specify RequiredResourceAccess.resourceAppId - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.

--api-permissions

Specify ResourceAccess.id - The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes. Space-separated list of <resource-access-id>=<type>.

--id

Identifier uri, application id, or object id.

az ad app permission admin-consent

Grant Application & Delegated permissions through admin-consent.

You must log in as a directory administrator.

az ad app permission admin-consent --id

Examples

Grant Application & Delegated permissions through admin-consent. (autogenerated)

az ad app permission admin-consent --id 00000000-0000-0000-0000-000000000000

Required Parameters

--id

Identifier uri, application id, or object id.

az ad app permission delete

Remove an API permission.

az ad app permission delete --api
                            --id
                            [--api-permissions]

Examples

Remove Azure Active Directory Graph permissions.

az ad app permission delete --id eeba0b46-78e5-4a1a-a1aa-cafe6c123456 --api 00000002-0000-0000-c000-000000000000

Remove Azure Active Directory Graph delegated permission User.Read (Sign in and read user profile).

az ad app permission delete --id eeba0b46-78e5-4a1a-a1aa-cafe6c123456 --api 00000002-0000-0000-c000-000000000000 --api-permissions 311a71cc-e848-46a1-bdf8-97ff7156d8e6

Required Parameters

--api

Specify RequiredResourceAccess.resourceAppId - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.

--id

Identifier uri, application id, or object id.

Optional Parameters

--api-permissions

Specify ResourceAccess.id - The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes. Space-separated list of <resource-access-id>.

az ad app permission grant

Grant the app API Delegated permissions.

A service principal must exist for the app when running this command. To create a corresponding service principal, use az ad sp create --id {appId}. For Application permissions, please use "ad app permission admin-consent".

az ad app permission grant --api
                           --id
                           [--consent-type {AllPrincipals, Principal}]
                           [--expires]
                           [--principal-id]
                           [--scope]

Examples

Grant a native application permissions to access an existing API with a TTL of 2 years

az ad app permission grant --id e042ec79-34cd-498f-9d9f-1234234 --api a0322f79-57df-498f-9d9f-12678 --expires 2

Required Parameters

--api

Specify RequiredResourceAccess.resourceAppId - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.

--id

Identifier uri, application id, or object id.

Optional Parameters

--consent-type

Indicates if consent was provided by the administrator (on behalf of the organization) or by an individual.

accepted values: AllPrincipals, Principal
default value: AllPrincipals

--expires

Expiry date for the permissions in years. e.g. 1, 2 or "never".

default value: 1

--principal-id

If --consent-type is "Principal", this argument specifies the object id of the user that granted consent and applies only for that user.

--scope

Specifies the value of the scope claim that the resource application should expect in the OAuth 2.0 access token, e.g. User.Read.

default value: user_impersonation

az ad app permission list

List API permissions the application has requested.

az ad app permission list --id
                          [--query-examples]

Examples

List the OAuth2 permissions for an existing AAD app

az ad app permission list --id e042ec79-34cd-498f-9d9f-1234234

Required Parameters

--id

Identifier uri, application id, or object id of the associated application.

Optional Parameters

--query-examples

Recommends JMESPath strings for you. You can copy one of the queries and paste it after the --query parameter, within double quotation marks, to see the results. You can add one or more positional keywords so that suggestions are based on those keywords.

az ad app permission list-grants

List OAuth2 permission grants.

az ad app permission list-grants [--filter]
                                 [--id]
                                 [--show-resource-name {false, true}]

Examples

List OAuth2 permissions granted to the service principal

az ad app permission list-grants --id e042ec79-34cd-498f-9d9f-1234234123456

Optional Parameters

--filter

OData filter, e.g. --filter "displayname eq 'test' and servicePrincipalType eq 'Application'".

--id

Identifier uri, application id, or object id.

--show-resource-name -r

Show the resource's display name.

accepted values: false, true
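A review helper for the output of the two list commands above, added here as an example and not part of the Azure CLI or its documentation. It parses the JSON that `az ad app permission list -o json` and `az ad app permission list-grants -o json` print, sorts application (Role) permissions to the top because they act without a signed-in user and need admin consent, and flags tenant-wide or long-lived grants. The permission ids are the ones from the examples on this page; the grant field names (consentType, scope, expiryTime, resourceId) and the sample data are assumptions, so verify them against your CLI version.

```python
import json
from datetime import datetime, timedelta, timezone

# Permission ids taken from the examples on this page (AAD Graph resource).
KNOWN_PERMISSIONS = {
    "311a71cc-e848-46a1-bdf8-97ff7156d8e6": "User.Read",
    "1cda74f2-2616-4834-b122-5cb1b07f8a59": "Application.ReadWrite.All",
}

def review_requested(required_resource_access):
    """Rows of (resourceAppId, permission, type) from `permission list` output.
    Role = application permission (needs admin-consent), Scope = delegated.
    Role rows are sorted to the top so reviewers see them first."""
    rows = []
    for rra in required_resource_access:
        for ra in rra.get("resourceAccess", []):
            name = KNOWN_PERMISSIONS.get(ra["id"], ra["id"])
            rows.append((rra["resourceAppId"], name, ra["type"]))
    return sorted(rows, key=lambda r: r[2] != "Role")

def review_grants(grants, now=None, max_years=2):
    """Flag grants from `permission list-grants` output that deserve review:
    tenant-wide consent (AllPrincipals) and grants with no or far-off expiry.
    Field names consentType/scope/expiryTime/resourceId are assumed."""
    now = now or datetime.now(timezone.utc)
    horizon = now + timedelta(days=365 * max_years)
    findings = []
    for g in grants:
        flags = []
        if g.get("consentType") == "AllPrincipals":
            flags.append("tenant-wide consent")
        exp = g.get("expiryTime")
        if not exp:
            flags.append("no expiry")
        elif datetime.fromisoformat(exp.replace("Z", "+00:00")) > horizon:
            flags.append("expires beyond %d years" % max_years)
        findings.append((g.get("resourceId"), g.get("scope", ""), flags))
    return findings

# Constructed samples in the shape of the two commands' JSON output.
SAMPLE_REQUESTED = json.loads('''[{"resourceAppId": "00000002-0000-0000-c000-000000000000",
 "resourceAccess": [{"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6", "type": "Scope"},
                    {"id": "1cda74f2-2616-4834-b122-5cb1b07f8a59", "type": "Role"}]}]''')
SAMPLE_GRANTS = json.loads('''[{"consentType": "AllPrincipals", "scope": "user_impersonation",
 "expiryTime": "2999-01-01T00:00:00Z", "resourceId": "a0322f79-57df-498f-9d9f-12678"}]''')

if __name__ == "__main__":
    for row in review_requested(SAMPLE_REQUESTED):
        print("%-38s %-26s %s" % row)
    for res, scope, flags in review_grants(SAMPLE_GRANTS):
        print(res, scope, ", ".join(flags) or "ok")
```

Pipe real output in with `az ad app permission list --id <app> -o json` and `json.load(sys.stdin)` in place of the samples.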