entra oauth2grant add
Grant the specified service principal OAuth2 permissions to the specified resource
Usage
m365 entra oauth2grant add [options]
Alias
m365 aad oauth2grant add [options]
Options
-i, --clientId <clientId>objectIdof the service principal for which permissions should be granted-r, --resourceId <resourceId>objectIdof the Entra application to which permissions should be granted-s, --scope <scope>Permissions to grant
-h, --help [help]Output usage information. Optionally, specify which section of command's help you want to see. Allowed values are
options,examples,remarks,response,full. Default isoptions.--query [query]JMESPath query string. See http://jmespath.org/ for more information and examples.
-o, --output [output]Output type.
json,text,csv,md,none. Defaultjson.--verboseRuns command with verbose logging.
--debugRuns command with debug logging.
Remarks
Before you can grant service principal OAuth2 permissions, you need its objectId. You can retrieve it using the entra enterpriseapp get command.
The resource for which you want to grant permissions is designated using its objectId. You can retrieve it using the entra enterpriseapp get command, the same way you would retrieve the objectId of the service principal.
When granting OAuth2 permissions, you have to specify which permission scopes you want to grant the service principal. You can get the list of available permission scopes either from the resource documentation or from the appRoles property when retrieving information about the service principal using the entra enterpriseapp get command. Multiple permission scopes can be specified separated by a space.
When granting OAuth2 permissions, the values of the clientId and resourceId properties form a unique key. If a grant for the same clientId-resourceId pair already exists, running the entra oauth2grant add command will fail with an error. If you want to change permissions on an existing OAuth2 grant use the entra oauth2grant set command instead.
Examples
Grant the service principal d03a0062-1aa6-43e1-8f49-d73e969c5812 the Calendars.Read OAuth2 permissions to the c2af2474-2c95-423a-b0e5-e4895f22f9e9 resource.
m365 entra oauth2grant add --clientId d03a0062-1aa6-43e1-8f49-d73e969c5812 --resourceId c2af2474-2c95-423a-b0e5-e4895f22f9e9 --scope Calendars.Read
Grant the service principal d03a0062-1aa6-43e1-8f49-d73e969c5812 the Calendars.Read and Mail.Read OAuth2 permissions to the c2af2474-2c95-423a-b0e5-e4895f22f9e9 resource.
m365 entra oauth2grant add --clientId d03a0062-1aa6-43e1-8f49-d73e969c5812 --resourceId c2af2474-2c95-423a-b0e5-e4895f22f9e9 --scope "Calendars.Read Mail.Read"
Response
The command won't return a response on success.
More information
- Application and service principal objects in Microsoft Entra ID: https://learn.microsoft.com/azure/active-directory/develop/active-directory-application-objects