entra approleassignment add
Adds service principal permissions, also known as scopes and app role assignments, for the specified Microsoft Entra application registration.
Usage
m365 entra approleassignment add [options]
Options
--appId [appId]
Application appId, also known as clientId, of the App Registration to which the configured scopes (app roles) should be applied.
--appObjectId [appObjectId]
Application objectId of the App Registration to which the configured scopes (app roles) should be applied.
--appDisplayName [appDisplayName]
Application name of the App Registration to which the configured scopes (app roles) should be applied.
-r, --resource <resource>
Service principal name, appId or objectId that has the scopes (roles), e.g. SharePoint.
-s, --scopes <scopes>
Permissions, also known as scopes and roles, to grant to the application. If multiple permissions have to be granted, separate them with commas, e.g. Sites.Read.All,Sites.ReadWrite.All.
-h, --help [help]
Output usage information. Optionally, specify which section of the command's help you want to see. Allowed values are options, examples, remarks, response, full. Default is options.
--query [query]
JMESPath query string. See http://jmespath.org/ for more information and examples.
-o, --output [output]
Output type. Allowed values are json, text, csv, md, none. Default is json.
--verbose
Runs command with verbose logging.
--debug
Runs command with debug logging.
Remarks
This command requires tenant administrator permissions.
Specify either the appId, appObjectId or appDisplayName, but not more than one. If you specify more than one option value, the command will fail with an error.
Autocomplete values for the resource option are suggestions, not the set of allowed values. Autocomplete only suggests some known names; you can still use the name of your own custom application or another application in your tenant.
This command can also be used to assign permissions to system or user-assigned managed identity.
Examples
Adds SharePoint Sites.Read.All application permissions to Entra application with app id 57907bf8-73fa-43a6-89a5-1f603e29e451
m365 entra approleassignment add --appId "57907bf8-73fa-43a6-89a5-1f603e29e451" --resource "SharePoint" --scopes "Sites.Read.All"
Adds multiple Microsoft Graph application permissions to an Entra application with the name MyAppName
m365 entra approleassignment add --appDisplayName "MyAppName" --resource "Microsoft Graph" --scopes "Mail.Read,Mail.Send"
Adds Microsoft Graph Mail.Read application permissions to a system-managed identity app with objectId 57907bf8-73fa-43a6-89a5-1f603e29e451
m365 entra approleassignment add --appObjectId "57907bf8-73fa-43a6-89a5-1f603e29e451" --resource "Microsoft Graph" --scopes "Mail.Read"
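A pre-flight guard for the commands above, added here as an example and not part of CLI for Microsoft 365: it enforces the exactly-one-identifier rule from the Remarks and checks every requested scope against an allowlist before the CLI is called. The function names, return codes and the APPROVED_SCOPES list are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed allowlist of "resource:scope" pairs, one per line; replace with your policy.
APPROVED_SCOPES="SharePoint:Sites.Read.All
Microsoft Graph:Mail.Read"

# is_guid VALUE: succeeds when VALUE has GUID shape, as appId and objectId do.
is_guid() {
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# check_grant APPID APPOBJECTID APPDISPLAYNAME RESOURCE SCOPES
# Pass "" for unused identifiers. On success sets G_OPT and G_VAL.
# Returns 2 = bad option combination, 3 = malformed id, 4 = scope not approved.
check_grant() {
  G_OPT= G_VAL= g_count=0
  if [ -n "$1" ]; then g_count=$((g_count + 1)); G_OPT=--appId; G_VAL=$1; fi
  if [ -n "$2" ]; then g_count=$((g_count + 1)); G_OPT=--appObjectId; G_VAL=$2; fi
  if [ -n "$3" ]; then g_count=$((g_count + 1)); G_OPT=--appDisplayName; G_VAL=$3; fi
  if [ "$g_count" -ne 1 ] || [ -z "$4" ] || [ -z "$5" ]; then
    echo "need exactly one app identifier, plus resource and scopes" >&2
    return 2
  fi
  if [ "$G_OPT" != --appDisplayName ] && ! is_guid "$G_VAL"; then
    echo "not a GUID: $G_VAL" >&2
    return 3
  fi
  # Walk the comma-separated scopes; the appended comma makes an empty
  # item (leading, doubled or trailing comma) show up and get rejected.
  g_rest="$5,"
  while [ -n "$g_rest" ]; do
    g_scope=${g_rest%%,*}
    g_rest=${g_rest#*,}
    if ! printf '%s\n' "$APPROVED_SCOPES" | grep -Fxq -- "$4:$g_scope"; then
      echo "scope not approved for $4: '$g_scope'" >&2
      return 4
    fi
  done
  return 0
}

# guarded_add: same arguments as check_grant; calls the CLI only if the check passes.
guarded_add() {
  check_grant "$@" || return $?
  m365 entra approleassignment add "$G_OPT" "$G_VAL" \
    --resource "$4" --scopes "$5" --output json
}
```

The allowlist match is exact and case-sensitive, so a scope that differs only in letter case is rejected instead of being passed on to the tenant.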
Response
JSON

[
  {
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('6c519c5d-829a-47f9-9d5c-fd564ce103bd')/appRoleAssignments/$entity",
    "id": "XZxRbJqC-UedXP1WTOEDvZ09aHLQDvVMkhUbT02pPp4",
    "deletedDateTime": null,
    "appRoleId": "d13f72ca-a275-4b96-b789-48ebcc4da984",
    "createdDateTime": "2023-06-01T19:00:20.8353382Z",
    "principalDisplayName": "QuillBot",
    "principalId": "6c519c5d-829a-47f9-9d5c-fd564ce103bd",
    "principalType": "ServicePrincipal",
    "resourceDisplayName": "Office 365 SharePoint Online",
    "resourceId": "eafaa868-bc8f-43ac-a882-b65a62a668fd"
  }
]

Text

objectId            : XZxRbJqC-UedXP1WTOEDvVMwQLIAP8hMvuwGaXMPtnU
principalDisplayName: QuillBot
resourceDisplayName : Microsoft Graph

CSV

objectId,principalDisplayName,resourceDisplayName
XZxRbJqC-UedXP1WTOEDvQXFZlURrFFAtQb0mvJV_Q8,QuillBot,Microsoft Graph

Markdown

# entra approleassignment add --appId "e89804ac-a571-48cf-b2ba-fd57b5d49993" --resource "Microsoft Graph" --scopes "Mail.Read"

Date: 2023-06-01

## XZxRbJqC-UedXP1WTOEDvcoGqG8eRNlBmAqkiGbkNuk

Property | Value
---------|-------
objectId | XZxRbJqC-UedXP1WTOEDvcoGqG8eRNlBmAqkiGbkNuk
principalDisplayName | QuillBot
resourceDisplayName | Microsoft Graph

More information
- Microsoft Graph permissions reference: https://learn.microsoft.com/graph/permissions-reference