Efficiently Finding Graph API Permission GUIDs using a PowerShell Script

I have been writing some tools recently that use Application Authentication to connect to Microsoft's Graph API. Part of the tool installation process is requesting access to the various API permissions; there is a great resource for finding those here: Graph Permissions

The difficulty I found, though, was that when requesting permissions programmatically you do not use the familiar name like 'Sites.Read.All'; instead you use a resource access object which contains some GUIDs.

A resource access object looks like this:

# A list that will hold one RequiredResourceAccess entry per resource app
$requiredGrants = New-Object -TypeName System.Collections.Generic.List[Microsoft.Graph.PowerShell.Models.MicrosoftGraphRequiredResourceAccess]
$requiredResourceAccess = New-Object -TypeName Microsoft.Graph.PowerShell.Models.MicrosoftGraphRequiredResourceAccess
# The resource app that exposes the permission (here SharePoint Online)
$requiredResourceAccess.ResourceAppId = "00000003-0000-0ff1-ce00-000000000000"
# Id is the appRole GUID; Type = "Role" means an application permission
$requiredResourceAccess.ResourceAccess += @{ Id = "d13f72ca-a275-4b96-b789-48ebcc4da984"; Type = "Role" } # SharePoint Sites.Read.All
$requiredGrants.Add($requiredResourceAccess)

Then when using New-MgApplication, you can provide $requiredGrants to the -RequiredResourceAccess parameter.

So the question became: OK, I know I want to use 'Sites.Read.All' or 'AccessReview.Read.All', but how do I know what GUID that is, or which App Role it's under?

Well, you can search for them using some other Graph API commands in PowerShell.

Firstly you need to know which Resource App Id a permission might belong to. The three main ones I have found to search are:

00000003-0000-0000-c000-000000000000  Microsoft Graph
00000002-0000-0ff1-ce00-000000000000  Exchange Online
00000003-0000-0ff1-ce00-000000000000  SharePoint Online

Once you have that, you can iterate through each App Role until you find the Scope you need.

If you are requesting multiple permissions, you can add them to the same resource access object. If the permissions are split across different Resource Apps, you need to create a separate object for each Resource App and add each one to $requiredGrants in turn.

I have wrapped this up into a bit of a mess of a PowerShell script, but it should do the job.

[Screenshot: example of the script looking for the AccessReview.Read.All permission]

You will need to be able to connect to Graph API with the required Scope (Application.Read.All), and then simply run the script to look for your permission!

Note: it can take a few minutes to search for a permission, and some permissions return multiple values.

param(
    [Parameter(Mandatory=$true)]
    [string]$permissionName
)
Write-Output "Searching.."
# Pull every service principal in the tenant and keep those that expose
# application permissions (appRoles). Requires the Application.Read.All scope.
$roleAppIds = Get-MgServicePrincipal -All | Where-Object { $_.AppRoles.Count -gt 0 }
$permissionFound = $false
foreach ($roleAppId in $roleAppIds) {
    # -contains is case-insensitive, so 'sites.read.all' also matches
    if ($roleAppId.AppRoles.Value -contains $permissionName) {
        $permissionFound = $true
        # The same value can appear more than once on one app, so this may hold several roles
        $appRole = $roleAppId.AppRoles | Where-Object { $_.Value -eq $permissionName }
        Write-Output "Permission Found!"
        Write-Output "App Name    : $($roleAppId.DisplayName)"
        Write-Output "Role App Id : $($roleAppId.AppId)"
        Write-Output "Role ID     : $($appRole.Id)"
        Write-Output "Scope       : $($appRole.Value)"
        Write-Output "Description : $($appRole.DisplayName)"
    }
}
if (-not $permissionFound) {
    Write-Output "Permission Not Found"
}
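As an added example (not code from the original post), here is the same lookup extended to several permission names at once: it queries only the three resource apps listed above, groups the matches per Resource App as described for permissions split across apps, and builds the hashtable form that New-MgApplication -RequiredResourceAccess accepts instead of the typed objects shown earlier. The permission names and the 'My Tool' display name are constructed values.

```powershell
# Added example, not part of the original post. Resolves several permission
# names to their appRole GUIDs, groups them by resource app, and builds the
# hashtable form of RequiredResourceAccess that New-MgApplication accepts.
#Requires -Modules Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All'

# Permissions to resolve (constructed input for this example).
$wanted = @('Sites.Read.All', 'AccessReview.Read.All')

# Only the three first-party resource apps from the post are searched, so a
# same-named appRole on an unrelated service principal is never picked up.
$knownResourceApps = @(
    '00000003-0000-0000-c000-000000000000',  # Microsoft Graph
    '00000002-0000-0ff1-ce00-000000000000',  # Exchange Online
    '00000003-0000-0ff1-ce00-000000000000'   # SharePoint Online
)

$requiredGrants = @()
$resolved       = @()

foreach ($appId in $knownResourceApps) {
    # One filtered call per resource app instead of paging every service principal.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'" -Property AppId,DisplayName,AppRoles
    if (-not $sp) { continue }

    # appRoles are application permissions (Type = "Role"); delegated permissions
    # live in Oauth2PermissionScopes and would be requested with Type = "Scope".
    $roles = @($sp.AppRoles | Where-Object { $wanted -contains $_.Value })
    if ($roles.Count -eq 0) { continue }

    foreach ($r in $roles) {
        Write-Output "$($sp.DisplayName): $($r.Value) -> $($r.Id)"
        $resolved += $r.Value
    }
    # One RequiredResourceAccess entry per resource app, holding all of its roles.
    $requiredGrants += @{
        ResourceAppId  = $sp.AppId
        ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } })
    }
}

# Fail loudly on anything unresolved so the app is not registered with fewer
# permissions than the tool actually needs.
$missing = $wanted | Where-Object { $resolved -notcontains $_ }
if ($missing) { throw "Not found as application permissions: $($missing -join ', ')" }

# Example usage (commented out so the script only reads, never registers):
# New-MgApplication -DisplayName 'My Tool' -RequiredResourceAccess $requiredGrants
```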

About Robert Pearman
Robert Pearman is a UK based IT worker bee. He has been working within the IT Industry for what feels like forever. Robert likes Piña colada and getting caught in the rain, he also enjoys writing about Technology like PowerShell or System Automation but not as much as he used to. If you're in trouble, and you can find him, maybe you can ask him a question.
