
aad oauth2grant add

Grant the specified service principal OAuth2 permissions to the specified resource

Usage

aad oauth2grant add [options]

Options

Option                        Description
--help                        output usage information
-i, --clientId <clientId>     objectId of the service principal for which permissions should be granted
-r, --resourceId <resourceId> objectId of the AAD application to which permissions should be granted
-s, --scope <scope>           Permissions to grant
-o, --output [output]         Output type. json|text. Default text
--verbose                     Runs command with verbose logging
--debug                       Runs command with debug logging

Important

Before using this command, log in to Azure Active Directory Graph, using the aad login command.

Remarks

To grant service principal OAuth2 permissions, you have to first log in to Azure Active Directory Graph using the aad login command.

Before you can grant service principal OAuth2 permissions, you need its objectId. You can retrieve it using the aad sp get command.

The resource for which you want to grant permissions is designated using its objectId. You can retrieve it using the aad sp get command, the same way you would retrieve the objectId of the service principal.

When granting OAuth2 permissions, you have to specify which permission scopes you want to grant the service principal. You can get the list of available permission scopes either from the resource documentation or from the appRoles property when retrieving information about the service principal using the aad sp get command. Multiple permission scopes can be specified, separated by a space.

When granting OAuth2 permissions, the values of the clientId and resourceId properties form a unique key. If a grant for the same clientId-resourceId pair already exists, running the aad oauth2grant add command will fail with an error. If you want to change permissions on an existing OAuth2 grant, use the aad oauth2grant set command instead.
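The following is an added example, not part of this documentation or of the CLI itself. It models the unique-key rule above: before running the command, it checks existing grants for the clientId-resourceId pair, picks add or set accordingly, merges scopes so that set does not silently revoke what is already granted, and lists the scopes that are new so they can be reviewed. The JSON field names (clientId, resourceId, scope, objectId), the sample grant data and the aad oauth2grant set flag --grantId are assumptions.

```python
"""Plan an 'aad oauth2grant add' or 'aad oauth2grant set' call without tripping
the duplicate clientId-resourceId error described in the Remarks."""
import json
import shlex
import uuid

# Constructed sample: assumed shape of 'aad oauth2grant list --clientId <id> --output json'.
SAMPLE_GRANTS_JSON = """[
  {"objectId": "placeholder-grant-1",
   "clientId": "d03a0062-1aa6-43e1-8f49-d73e969c5812",
   "resourceId": "c2af2474-2c95-423a-b0e5-e4895f22f9e9",
   "scope": "Calendars.Read"}
]"""


def _guid(value, name):
    """Reject anything that is not a GUID-shaped objectId before it reaches the CLI."""
    try:
        return str(uuid.UUID(value))  # normalised to lower case
    except ValueError:
        raise ValueError(f"{name} must be a GUID objectId, got {value!r}")


def plan_grant(existing_json, client_id, resource_id, scopes):
    """Return the action, the newly added scopes and the aad command to run."""
    client_id, resource_id = _guid(client_id, "clientId"), _guid(resource_id, "resourceId")
    # Scopes may arrive as separate items or as one space-separated string.
    requested = {s for item in scopes for s in item.split()}
    existing = next((g for g in json.loads(existing_json)
                     if g["clientId"].lower() == client_id
                     and g["resourceId"].lower() == resource_id), None)
    if existing is None:
        action, current = "add", set()
        argv = ["aad", "oauth2grant", action, "--clientId", client_id, "--resourceId", resource_id]
    else:
        # The pair is already granted, so 'add' would fail; 'set' replaces the whole
        # scope string, hence the existing scopes are carried over.
        action, current = "set", set(existing["scope"].split())
        # Assumption: 'aad oauth2grant set' addresses the grant by its objectId via --grantId.
        argv = ["aad", "oauth2grant", action, "--grantId", existing["objectId"]]
    argv += ["--scope", " ".join(sorted(current | requested))]
    return {
        "action": action,
        "added_scopes": sorted(requested - current),  # what actually widens access; review this
        "command": shlex.join(argv),
    }
```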

Examples

Grant the service principal d03a0062-1aa6-43e1-8f49-d73e969c5812 the Calendars.Read OAuth2 permission to the c2af2474-2c95-423a-b0e5-e4895f22f9e9 resource.

aad oauth2grant add --clientId d03a0062-1aa6-43e1-8f49-d73e969c5812 --resourceId c2af2474-2c95-423a-b0e5-e4895f22f9e9 --scope Calendars.Read

Grant the service principal d03a0062-1aa6-43e1-8f49-d73e969c5812 the Calendars.Read and Mail.Read OAuth2 permissions to the c2af2474-2c95-423a-b0e5-e4895f22f9e9 resource.

aad oauth2grant add --clientId d03a0062-1aa6-43e1-8f49-d73e969c5812 --resourceId c2af2474-2c95-423a-b0e5-e4895f22f9e9 --scope "Calendars.Read Mail.Read"

More information