
MG PowerShell module should have similar permissions like the Graph Explorer #1378

Closed
cnshenj opened this issue Jul 8, 2022 · 3 comments

Comments


cnshenj commented Jul 8, 2022

This is related to issue #1356. The answer in #1356 is not correct.

I am NOT an admin. I can use endpoints like GET /servicePrincipals or GET /servicePrincipals/{id}/appRoleAssignments in Graph Explorer if I sign in with my own credentials.
If I check the permissions needed for the same operation in MG PowerShell, all the scopes require admin consent.

```powershell
Find-MgGraphCommand -Command Get-MgServicePrincipal | Select-Object -First 1 -ExpandProperty Permissions
```

```text
Name                       IsAdmin Description                   FullDescription
----                       ------- -----------                   ---------------
Application.Read.All       True    Read applications             Allows the app to read applications and service princ…
Application.ReadWrite.All  True    Read and write applications   Allows the app to create, read, update and delete app…
Directory.AccessAsUser.All True    Access the directory as you   Allows the app to have the same access to information…
Directory.Read.All         True    Read directory data           Allows the app to read data in your organization's di…
Directory.ReadWrite.All    True    Read and write directory data Allows the app to read and write data in your organiz…
```

The fact that Graph Explorer can use those endpoints proves that the permissions to call the Graph API are properly granted. Inspecting the access token obtained by Graph Explorer, I see it has scope: "Directory.ReadWrite.All". The reason is that Graph Explorer has all the proper permissions granted. I can confirm this in the Azure Portal:

[screenshot: the Graph Explorer app's granted permissions as shown in the Azure Portal]

Note that these are permissions for "the app to call the Graph API on the user's behalf"; they do not give the user permissions they should not have. MG PowerShell must have an app registration of its own, and the app owner (not the users) should get proper admin consent, just like Graph Explorer or AzureAD PowerShell.

@ghost ghost added the ToTriage label Jul 8, 2022
@cnshenj cnshenj changed the title The PowerShell module should have similar permission like the Graph Explorer MG PowerShell module should have similar permission like the Graph Explorer Jul 8, 2022
@cnshenj cnshenj changed the title MG PowerShell module should have similar permission like the Graph Explorer MG PowerShell module should have similar permissions like the Graph Explorer Jul 8, 2022
peombwa (Member) commented Jul 15, 2022

@cnshenj, sorry for the delayed response.

From the screenshot, it looks like you are using GE in the MSIT tenant.

Please note that Graph Explorer is pre-consented for the permissions shared above in the MSIT tenant since it is a web app that uses a different authentication model (proxy-based auth). PowerShell on the other hand isn't pre-consented in the tenant because it is a 3p public app with incremental scope consent support. See the response at #684 (comment) for details.

Even with pre-consent, an admin MUST first approve the app for admin permissions before you can use them. So, Directory.ReadWrite.All will still need admin consent before using it as described in the API reference. Customers generally work with their tenant admins to get their apps approved.

The recommendation we've gotten from the ACE team is that internal customers (I assume you are) should create their own appId with the required permissions and go through the ACE admin consent process. Once approved, you can use your app id with the module by invoking Connect-MgGraph -ClientId "Approved_App_Id" -TenantId "Your_Tenant_Id" -DeviceCode. Go to MSW and search for "Admin Consent Program Guidance" for more info on the official admin consent guidance.

AzureAD uses a different authentication module that is not recommended for public apps like ours.

@peombwa peombwa added question and removed ToTriage labels Jul 15, 2022
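The workflow recommended in the comment above (check which scopes a command needs and whether they require admin consent, then sign in with an app registration your tenant admin has already consented to, requesting only the least-privileged scope) as an added PowerShell example. This is not code from this issue or from the Microsoft Graph PowerShell SDK. It assumes Microsoft.Graph.Authentication 2.x, where the device-code switch is `-UseDeviceCode` (1.x named it `-UseDeviceAuthentication`); `$ClientId` and `$TenantId` are placeholders for your own approved app and tenant, and `Get-MgCommandScopeGap` is a helper written for this example.

```powershell
# Added example; not from the issue or the Graph PowerShell SDK.
# Assumes Microsoft.Graph.Authentication 2.x (-UseDeviceCode; on 1.x use
# -UseDeviceAuthentication) and an app registration that a tenant admin has
# already consented to. $ClientId / $TenantId below are placeholders.
#Requires -Modules Microsoft.Graph.Authentication

function Get-MgCommandScopeGap {
    <#
    .SYNOPSIS
    Compare the scopes a Graph cmdlet needs with the scopes held by the
    current Connect-MgGraph session, flagging which ones need admin consent.
    #>
    param(
        [Parameter(Mandatory)] [string] $Command
    )

    # Find-MgGraphCommand returns one entry per API path/version; prefer the
    # v1.0 entry so beta-only permission sets do not skew the result.
    $info = Find-MgGraphCommand -Command $Command |
        Sort-Object { $_.APIVersion -ne 'v1.0' } |
        Select-Object -First 1

    $ctx  = Get-MgContext            # $null when no session has been opened
    $held = if ($ctx) { @($ctx.Scopes) } else { @() }

    foreach ($p in $info.Permissions) {
        [pscustomobject]@{
            Command   = $Command
            Scope     = $p.Name
            AdminOnly = $p.IsAdmin          # True => needs tenant admin consent
            Held      = ($held -contains $p.Name)
        }
    }
}

# 1. Sign in with *your own* consented app registration rather than the SDK's
#    default client, asking only for the least-privileged scope for the call.
$ClientId = '00000000-0000-0000-0000-000000000000'   # placeholder: your approved app id
$TenantId = 'contoso.onmicrosoft.com'                # placeholder: your tenant
Connect-MgGraph -ClientId $ClientId -TenantId $TenantId `
                -Scopes 'Application.Read.All' -UseDeviceCode

# 2. Confirm which app the token was issued to and what it actually carries;
#    this is the SDK-side equivalent of inspecting Graph Explorer's token.
Get-MgContext | Select-Object ClientId, TenantId, AuthType, Scopes

# 3. Check the gap before calling, so a 403 from Graph is not a surprise.
Get-MgCommandScopeGap -Command Get-MgServicePrincipal | Format-Table -AutoSize

# 4. The read itself. Application.Read.All (first row of the table above) is
#    enough for reading service principals; Directory.ReadWrite.All, which the
#    Graph Explorer token carried, is far broader than this call needs.
try {
    Get-MgServicePrincipal -Top 5 | Select-Object DisplayName, AppId
}
catch {
    # Typical failure when the app is not yet admin-consented for the scope.
    Write-Warning "Graph call failed: $($_.Exception.Message)"
}
```

Every scope in the `Permissions` table for this cmdlet has `IsAdmin = True`, so step 3 will report `AdminOnly` for all of them: the point of the check is to see whether the scope is already `Held` by a token issued to an app your admin approved, not to get around consent. Requesting a single narrow scope in `-Scopes` also keeps the resulting token far less powerful than the `Directory.ReadWrite.All` token the first comment observed in Graph Explorer.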
peombwa (Member) commented Jul 15, 2022

Duplicate of #684.

ghost commented Jul 19, 2022

This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 4 days. It will be closed if no further activity occurs within 3 days of this comment.

@ghost ghost closed this as completed Jul 22, 2022