Microsoft Graph Required Scopes list?

Hi All,

How and where can I get the PowerShell Graph Required Scopes list?
I need to get the list of all ReadOnly scopes like:

'User.Read.All',
'Group.Read.All',
'UserAuthenticationMethod.Read.All'

Thanks in advance.

Any help would be greatly appreciated.

4 Replies

@SystemEngineer

Microsoft Graph permissions reference - Microsoft Graph | Microsoft Docs

There's lots as they are application-specific.

You'll likely be interested in the ones you've listed below along with those from "Directory".

Cheers,

Lain

@SystemEngineer

There is also another way to find all the read-only scopes if you have Azure AD.
Open Azure AD --> Enterprise Application --> Consent and Permissions --> Permissions Classifications
Click Add Permission and select Microsoft Graph

In the search, type Read and the list will be filtered to include all the scopes with their Read permissions.

Maybe there is a faster way to access this list, but this is how I go there.

@farismalaeb

If you really want to get funky, just pull it from PowerShell.

This is something I do (though not this way) in identity management to dynamically cater to the addition and removal (not that I've actually seen a removal) of app roles when I'm flagging users with privileged rights in key Azure platforms.

Anyhow, to keep things simple, this example uses the Get-MgServicePrincipal commandlet against the beta endpoint.

Get-MgServicePrincipal (Microsoft.Graph.Applications) | Microsoft Docs

(Get-MgServicePrincipal -ServicePrincipalId 0e5cbc2e-764b-4147-8ac8-429decdbb48a -Property AppRoles).AppRoles |
    Where-Object { $_.Value -match "(read)(?!.*write)" } |
        ForEach-Object {
            [PSCustomObject] @{
                Id = $_.Id;
                Name = $_.Value;
                Enabled = $_.IsEnabled;
                DisplayName = $_.DisplayName;
                AppliesTo = $_.AllowedMemberTypes;
            }
        } | Sort-Object -Property Name | Format-Table -AutoSize;

 

Which produces the following output (there's more results than can fit on the screen, so take this as a guide only.)

[Image: LainRobertson_0-1656410306030.png]

Clearly, you can fiddle with the "where" clause to your heart's content to include more or reduce it further.

Cheers,

Lain
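
An added example, not part of any reply in this thread and not Microsoft's code: the app-role query above returns application permissions only and addresses the service principal by an object ID, which differs per tenant. This version looks Microsoft Graph up by its well-known appId and also filters the delegated scopes (`Oauth2PermissionScopes`), which are what `Connect-MgGraph -Scopes` requests; the helper name `Select-ReadOnlyGraphPermission`, the sample object and its placeholder ids are constructed for illustration.

```powershell
# Added example, not code from the thread.
# Well-known appId of Microsoft Graph, the same in every tenant.
$GraphAppId = '00000003-0000-0000-c000-000000000000'

function Select-ReadOnlyGraphPermission {
    # Hypothetical helper: merges delegated scopes and app roles into one list,
    # keeping enabled entries whose name contains "Read" but not "Write"
    # (case-sensitive, so a lowercase "read" inside another word does not match).
    param([Parameter(Mandatory)] $ServicePrincipal)
    $isReadOnly = { $_.IsEnabled -and $_.Value -cmatch 'Read' -and $_.Value -cnotmatch 'Write' }

    $ServicePrincipal.Oauth2PermissionScopes | Where-Object $isReadOnly | ForEach-Object {
        [PSCustomObject]@{
            Kind = 'Delegated'; Name = $_.Value; Id = $_.Id
            Consent = $_.Type    # 'User' or 'Admin'
        }
    }
    $ServicePrincipal.AppRoles | Where-Object $isReadOnly | ForEach-Object {
        [PSCustomObject]@{
            Kind = 'Application'; Name = $_.Value; Id = $_.Id
            Consent = 'Admin'    # application permissions require admin consent
        }
    }
}

# Constructed sample shaped like the service principal object (ids are placeholders),
# so the filter can be exercised without a tenant.
$sample = [PSCustomObject]@{
    Oauth2PermissionScopes = @(
        [PSCustomObject]@{ Id = '00000000-0000-0000-0000-000000000001'; Value = 'User.Read';          Type = 'User';  IsEnabled = $true }
        [PSCustomObject]@{ Id = '00000000-0000-0000-0000-000000000002'; Value = 'Group.Read.All';     Type = 'Admin'; IsEnabled = $true }
        [PSCustomObject]@{ Id = '00000000-0000-0000-0000-000000000003'; Value = 'User.ReadWrite.All'; Type = 'Admin'; IsEnabled = $true }
    )
    AppRoles = @(
        [PSCustomObject]@{ Id = '00000000-0000-0000-0000-000000000004'; Value = 'UserAuthenticationMethod.Read.All'; IsEnabled = $true }
        [PSCustomObject]@{ Id = '00000000-0000-0000-0000-000000000005'; Value = 'Group.ReadWrite.All';               IsEnabled = $true }
    )
}
Select-ReadOnlyGraphPermission -ServicePrincipal $sample | Sort-Object Kind, Name | Format-Table -AutoSize

# Against a live tenant (needs the Microsoft.Graph.Applications module):
#   Connect-MgGraph -Scopes 'Application.Read.All'
#   $sp = Get-MgServicePrincipal -Filter "appId eq '$GraphAppId'" -Property AppRoles,Oauth2PermissionScopes
#   Select-ReadOnlyGraphPermission -ServicePrincipal $sp | Sort-Object Kind, Name
```

The name match is a heuristic, so check the resulting list against the permissions reference before granting consent.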

Thanks, Lain, for the addition.
Having multiple ways of doing a certain task is great, as it helps everyone in the community in finding their preferred approach.

Cheers