aad approleassignment add¶
Adds service principal permissions also known as scopes and app role assignments for specified Azure AD application registration
aad approleassignment add [options]
||output usage information|
||Application appId also known as clientId of the App Registration to which the configured scopes (app roles) should be applied|
||Application objectId of the App Registration to which the configured scopes (app roles) should be applied|
||Application name of the App Registration to which the configured scopes (app roles) should be applied|
||Service principal name, appId or objectId that has the scopes (roles) ex.
||Permissions known also as scopes and roles to grant the application with. If multiple permissions have to be granted, they have to be comma separated ex.
||JMESPath query string. See http://jmespath.org/ for more information and examples|
||Runs command with verbose logging|
||Runs command with debug logging|
This command requires tenant administrator permissions.
Specify either the
displayName but not both. If you specify more than one option value, the command will fail with an error.
Autocomplete values for the
resource option do not mean allowed values. The autocomplete will just suggest some known names, but that doesn't restrict you to use name of your own custom application or other application within your tenant.
This command can also be used to assign permissions to system or user-assigned managed identity.
Adds SharePoint Sites.Read.All application permissions to Azure AD application with app id 57907bf8-73fa-43a6-89a5-1f603e29e451
aad approleassignment add --appId "57907bf8-73fa-43a6-89a5-1f603e29e451" --resource "SharePoint" --scope "Sites.Read.All"
Adds multiple Microsoft Graph application permissions to an Azure AD application with name MyAppName
aad approleassignment add --displayName "MyAppName" --resource "Microsoft Graph" --scope "Mail.Read,Mail.Send"
Adds Microsoft Graph Mail.Read application permissions to a system managed identity app with objectId 57907bf8-73fa-43a6-89a5-1f603e29e451
aad approleassignment add --objectId "57907bf8-73fa-43a6-89a5-1f603e29e451" --resource "Microsoft Graph" --scope "Mail.Read"
- Microsoft Graph permissions reference: https://docs.microsoft.com/en-us/graph/permissions-reference