Skip to content

spo serviceprincipal grant add

Grants the service principal permission to the specified API


m365 spo serviceprincipal grant add [options]


m365 spo sp grant add


-r, --resource <resource>
The name of the resource for which permissions should be granted.
-s, --scope <scope>
The name of the permission that should be granted.
-h, --help [help]
Output usage information. Optionally, specify which section of command's help you want to see. Allowed values are options, examples, remarks, response, full. Default is full.
--query [query]
JMESPath query string. See for more information and examples
-o, --output [output]
Output type. json,text,csv,md. Default json
Runs command with verbose logging
Runs command with debug logging



To use this command you must be a Global administrator.


Grant the service principal permission to read email using the Microsoft Graph

m365 spo serviceprincipal grant add --resource 'Microsoft Graph' --scope 'Mail.Read'

Grant the service principal permission to a custom API

m365 spo serviceprincipal grant add --resource 'contoso-api' --scope 'user_impersonation'


  "ClientId": "6004a642-185c-479a-992a-15d1c23e2229",
  "ConsentType": "AllPrincipals",
  "IsDomainIsolated": false,
  "ObjectId": "QqYEYFwYmkeZKhXRwj4iKRcAa6TiIbFNvGnKY1dqONY",
  "PackageName": null,
  "Resource": "Microsoft Graph",
  "ResourceId": "a46b0017-21e2-4db1-bc69-ca63576a38d6",
  "Scope": "Mail.Read"
ClientId        : 6004a642-185c-479a-992a-15d1c23e2229
ConsentType     : AllPrincipals
IsDomainIsolated: false
ObjectId        : QqYEYFwYmkeZKhXRwj4iKRcAa6TiIbFNvGnKY1dqONY
PackageName     : null
Resource        : Microsoft Graph
ResourceId      : a46b0017-21e2-4db1-bc69-ca63576a38d6
Scope           : Mail.Read
6004a642-185c-479a-992a-15d1c23e2229,AllPrincipals,,QqYEYFwYmkeZKhXRwj4iKRcAa6TiIbFNvGnKY1dqONY,,Microsoft Graph,a46b0017-21e2-4db1-bc69-ca63576a38d6,Mail.Read