az ad app permission
Manage an application's OAuth2 permissions.
Commands
| Command | Description |
|---|---|
| az ad app permission add | Add an API permission. |
| az ad app permission admin-consent | Grant Application & Delegated permissions through admin-consent. |
| az ad app permission delete | Remove an API permission. |
| az ad app permission grant | Grant the app API Delegated permissions. |
| az ad app permission list | List API permissions the application has requested. |
| az ad app permission list-grants | List OAuth2 permission grants. |
az ad app permission add
Add an API permission.
Adding a permission only records the request on the application; it is not active until you run "az ad app permission grant".
To get the available permissions of the resource app, run az ad sp show --id <resource-appId>. For example, to get the available permissions for the Graph APIs:
- Azure Active Directory Graph: az ad sp show --id 00000002-0000-0000-c000-000000000000
- Microsoft Graph: az ad sp show --id 00000003-0000-0000-c000-000000000000
Application permissions under the appRoles property correspond to Role in --api-permissions. Delegated permissions under the oauth2Permissions property correspond to Scope in --api-permissions.
az ad app permission add --api
                         --api-permissions
                         --id
Examples
Add Azure Active Directory Graph delegated permission User.Read (Sign in and read user profile).
az ad app permission add --id eeba0b46-78e5-4a1a-a1aa-cafe6c123456 --api 00000002-0000-0000-c000-000000000000 --api-permissions 311a71cc-e848-46a1-bdf8-97ff7156d8e6=Scope
Add Azure Active Directory Graph application permission Application.ReadWrite.All (Read and write all applications).
az ad app permission add --id eeba0b46-78e5-4a1a-a1aa-cafe6c123456 --api 00000002-0000-0000-c000-000000000000 --api-permissions 1cda74f2-2616-4834-b122-5cb1b07f8a59=Role
Required Parameters
--api
Specify RequiredResourceAccess.resourceAppId - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.
--api-permissions
Specify ResourceAccess.id - The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes. Space-separated list of <resource-access-id>=<type>.
--id
Identifier uri, application id, or object id.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
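Resolving permission names to the <resource-access-id>=<type> form that --api-permissions expects is the step most often done by hand. The helper below is an added example, not part of the Azure CLI or its documentation: it reads an object shaped like the output of az ad sp show (a constructed excerpt is embedded; the two permission IDs are the Azure AD Graph ones used in the examples above, the disabled entry's ID is a placeholder), looks delegated permissions up under oauth2Permissions (Scope) and application permissions under appRoles (Role), refuses disabled or unknown permissions, and assembles the matching az ad app permission add command line.

```python
import json

# Constructed excerpt shaped like `az ad sp show --id <resource-appId>` output
# (example data, not the page's own output). The User.Read and
# Application.ReadWrite.All IDs are the Azure AD Graph values used on this
# page; the disabled Directory.ReadWrite.All entry carries a placeholder ID.
SP_SHOW_OUTPUT = json.dumps({
    "appId": "00000002-0000-0000-c000-000000000000",
    "appDisplayName": "Windows Azure Active Directory",
    "appRoles": [
        {"id": "1cda74f2-2616-4834-b122-5cb1b07f8a59",
         "value": "Application.ReadWrite.All", "isEnabled": True},
    ],
    "oauth2Permissions": [
        {"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
         "value": "User.Read", "isEnabled": True},
        {"id": "00000000-0000-0000-0000-00000000dead",  # placeholder ID
         "value": "Directory.ReadWrite.All", "isEnabled": False},
    ],
})


def build_api_permissions(sp_json, wanted):
    """Map (name, kind) pairs to '<id>=Scope' / '<id>=Role' for --api-permissions.

    kind is "Scope" for delegated permissions (looked up under oauth2Permissions)
    or "Role" for application permissions (looked up under appRoles). The same
    name can exist as both, so the caller must say which one it means.
    """
    sp = json.loads(sp_json)
    source = {"Scope": sp.get("oauth2Permissions", []),
              "Role": sp.get("appRoles", [])}
    parts = []
    for name, kind in wanted:
        if kind not in source:
            raise ValueError(f"type must be Scope or Role, got {kind!r}")
        match = [p for p in source[kind] if p.get("value") == name]
        if not match:
            raise KeyError(f"{name!r} ({kind}) is not exposed by "
                           f"{sp.get('appDisplayName')}")
        if not match[0].get("isEnabled", True):
            raise ValueError(f"{name!r} is disabled on the resource application")
        parts.append(f"{match[0]['id']}={kind}")
    return " ".join(parts)


def add_command(app_id, resource_app_id, sp_json, wanted):
    """Assemble the full `az ad app permission add` command line."""
    perms = build_api_permissions(sp_json, wanted)
    return (f"az ad app permission add --id {app_id} --api {resource_app_id} "
            f"--api-permissions {perms}")
```

Because a permission name may exist both as an appRole and as an oauth2Permission on the same resource, the lookup is keyed on the name together with the intended type rather than on the name alone.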
az ad app permission admin-consent
Grant Application & Delegated permissions through admin-consent.
You must log in as a global administrator.
az ad app permission admin-consent --id
Examples
Grant Application & Delegated permissions through admin-consent. (autogenerated)
az ad app permission admin-consent --id 00000000-0000-0000-0000-000000000000
Required Parameters
--id
Identifier uri, application id, or object id.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az ad app permission delete
Remove an API permission.
az ad app permission delete --api
                            --id
                            [--api-permissions]
Examples
Remove Azure Active Directory Graph permissions.
az ad app permission delete --id eeba0b46-78e5-4a1a-a1aa-cafe6c123456 --api 00000002-0000-0000-c000-000000000000
Remove Azure Active Directory Graph delegated permission User.Read (Sign in and read user profile).
az ad app permission delete --id eeba0b46-78e5-4a1a-a1aa-cafe6c123456 --api 00000002-0000-0000-c000-000000000000 --api-permissions 311a71cc-e848-46a1-bdf8-97ff7156d8e6
Required Parameters
--api
Specify RequiredResourceAccess.resourceAppId - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.
--id
Identifier uri, application id, or object id.
Optional Parameters
--api-permissions
Specify ResourceAccess.id - The unique identifier for one of the OAuth2Permission or AppRole instances that the resource application exposes. Space-separated list of <resource-access-id>.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az ad app permission grant
Grant the app API Delegated permissions.
A service principal must exist for the app when running this command. To create a corresponding service principal, use az ad sp create --id {appId}.
For Application permissions, use "az ad app permission admin-consent" instead.
az ad app permission grant --api
                           --id
                           [--consent-type {AllPrincipals, Principal}]
                           [--expires]
                           [--principal-id]
                           [--scope]
Examples
Grant a native application permissions to access an existing API, with a TTL of 2 years.
az ad app permission grant --id e042ec79-34cd-498f-9d9f-1234234 --api a0322f79-57df-498f-9d9f-12678 --expires 2
Required Parameters
--api
Specify RequiredResourceAccess.resourceAppId - The unique identifier for the resource that the application requires access to. This should be equal to the appId declared on the target resource application.
--id
Identifier uri, application id, or object id.
Optional Parameters
--consent-type
Indicates whether consent was provided by the administrator (on behalf of the organization) or by an individual.
--expires
Expiry date for the permissions in years, e.g. 1, 2, or "never".
--principal-id
If --consent-type is "Principal", this argument specifies the object id of the user who granted consent; the grant applies only to that user.
--scope
Specifies the value of the scope claim that the resource application should expect in the OAuth 2.0 access token, e.g. User.Read.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az ad app permission list
List API permissions the application has requested.
az ad app permission list --id
Examples
List the OAuth2 permissions for an existing AAD app
az ad app permission list --id e042ec79-34cd-498f-9d9f-1234234
Required Parameters
--id
Identifier uri, application id, or object id of the associated application.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az ad app permission list-grants
List OAuth2 permission grants.
az ad app permission list-grants [--filter]
                                 [--id]
                                 [--show-resource-name {false, true}]
Examples
List OAuth2 permissions granted to the service principal.
az ad app permission list-grants --id e042ec79-34cd-498f-9d9f-1234234123456
Optional Parameters
--filter
OData filter, e.g. --filter "displayname eq 'test' and servicePrincipalType eq 'Application'".
--id
Identifier uri, application id, or object id.
--show-resource-name
Show the resource's display name.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
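A grant's consentType (AllPrincipals versus Principal, as set by --consent-type on az ad app permission grant) and its scope string are what an access review cares about. The check below is an added example, not part of the Azure CLI: it runs over constructed records shaped like the list-grants output (the field names clientId, resourceId, consentType, principalId and scope are assumed from the oauth2PermissionGrant resource; all IDs are placeholders) and reports tenant-wide grants whose scopes write data or span the directory.

```python
import json

# Constructed records shaped like `az ad app permission list-grants` output
# (example data, not the page's own output). Field names follow the
# oauth2PermissionGrant resource and are an assumption; IDs are placeholders.
LIST_GRANTS_OUTPUT = json.dumps([
    {"clientId": "11111111-1111-1111-1111-111111111111",
     "resourceId": "22222222-2222-2222-2222-222222222222",
     "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read openid profile"},
    {"clientId": "11111111-1111-1111-1111-111111111111",
     "resourceId": "22222222-2222-2222-2222-222222222222",
     "consentType": "AllPrincipals", "principalId": None,
     "scope": "Directory.ReadWrite.All Mail.Read"},
    {"clientId": "33333333-3333-3333-3333-333333333333",
     "resourceId": "22222222-2222-2222-2222-222222222222",
     "consentType": "Principal",
     "principalId": "44444444-4444-4444-4444-444444444444",
     "scope": "Mail.ReadWrite"},
])


def is_broad_scope(scope):
    """Heuristic: scopes that write data or cover all objects (.All)."""
    return "ReadWrite" in scope or scope.endswith(".All")


def review_grants(grants_json):
    """Return (clientId, resourceId, [broad scopes]) for every grant that is
    consented tenant-wide (AllPrincipals) and includes a broad scope.

    A per-user (Principal) grant with the same scope is not reported: it
    only affects the one user who consented to it.
    """
    findings = []
    for grant in json.loads(grants_json):
        # `scope` is a single space-separated string of delegated permissions.
        scopes = (grant.get("scope") or "").split()
        broad = [s for s in scopes if is_broad_scope(s)]
        if grant.get("consentType") == "AllPrincipals" and broad:
            findings.append((grant["clientId"], grant["resourceId"], broad))
    return findings
```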