Delegating App Registration Admin Consent permissions in Azure AD (an example for Sites.Selected)


I had posted about this previously. Today I wanted to send my colleagues a set of cmdlets that delegate admin consent for the Sites.Selected permission (both the Graph API and the SharePoint API versions) to a custom role. Here’s the PowerShell code to do that, based on what I posted previously.

Remove-Module AzureAD -ErrorAction SilentlyContinue
Import-Module AzureADPreview
Connect-AzureAD

# Name of the policy
$newPolicyId = "mytenant-sharepoint-selected-permissions"

# Create the policy
New-AzureADMSPermissionGrantPolicy `
    -Id $newPolicyId `
    -DisplayName "Selected SharePoint permissions" `
    -Description "Allows Admin Consent to selected SharePoint"

# Get the Graph API SPN
$graphSPN = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"

# Get the Id of the Sites.Selected permission of the Graph SPN
$permissionId = ($graphSPN | Select-Object -ExpandProperty AppRoles | Where-Object { $_.Value -eq "Sites.Selected" }).Id

# Add this permission to the role
New-AzureADMSPermissionGrantConditionSet `
    -PolicyId $newPolicyId `
    -ConditionSetType "includes" `
    -PermissionType "application" `
    -ResourceApplication $graphSPN.AppId `
    -Permissions @($permissionId)

# Repeat for the SharePoint API
$spoSPN = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Office 365 SharePoint Online'"
$permissionId = ($spoSPN | Select-Object -ExpandProperty AppRoles | Where-Object { $_.Value -eq "Sites.Selected" }).Id
New-AzureADMSPermissionGrantConditionSet `
    -PolicyId $newPolicyId `
    -ConditionSetType "includes" `
    -PermissionType "application" `
    -ResourceApplication $spoSPN.AppId `
    -Permissions @($permissionId)

# Create the custom role
$displayName = "Application administrator (SharePoint)"
$description = "Can manage more aspects of application registrations."
$templateId = (New-Guid).Guid

# Set of permissions to grant (the two managePermissionGrants actions are scoped to the policy created above)
$allowedResourceAction = @(
    "microsoft.directory/applications/create",
    "microsoft.directory/servicePrincipals/allProperties/read",
    "microsoft.directory/servicePrincipals/create",
    "microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.$newPolicyId",
    "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.$newPolicyId"
)
$rolePermissions = @{'allowedResourceActions'= $allowedResourceAction}

# Create the custom role
$customAdmin = New-AzureADMSRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -Description $description -TemplateId $templateId -IsEnabled $true

Since the previous post I’ve fumbled my way to being more knowledgeable about Azure AD, so there are some minor differences between this code and what I posted then: less hard-coding of ids, etc. That post still has all the background on what I am doing above, so be sure to read it if the above makes no sense.
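The script above creates the policy and the role but never checks its own result: if the Where-Object lookup returns nothing, an empty permission list is silently written into the condition set, and a typo in the resource actions would hand the role broader consent rights than intended. The following verification script is an added example, not code from the original post. It assumes the policy id and role display name used above, resolves every permission GUID in the policy back to its AppRole value so you can see exactly what the role is allowed to consent to, and stops if anything other than application-type Sites.Selected is found. The group object id in the last step is a placeholder; the role assignment only runs once you replace it.

```powershell
# Added verification script (not part of the original post).
# Assumes the policy id and role display name created above.
Remove-Module AzureAD -ErrorAction SilentlyContinue
Import-Module AzureADPreview
Connect-AzureAD

$policyId        = "mytenant-sharepoint-selected-permissions"
$roleDisplayName = "Application administrator (SharePoint)"
$expectedScope   = "Sites.Selected"

# 1. Read every "includes" condition set attached to the policy.
$includes = Get-AzureADMSPermissionGrantConditionSet -PolicyId $policyId -ConditionSetType "includes"
if (-not $includes) {
    throw "Policy '$policyId' has no 'includes' condition sets; the role could not consent to anything."
}

# Look each resource API up once and cache it by AppId.
$spnByAppId = @{}

$findings = foreach ($cs in $includes) {
    $appId = $cs.ResourceApplication
    if (-not $spnByAppId.ContainsKey($appId)) {
        $spnByAppId[$appId] = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
    }
    $spn = $spnByAppId[$appId]

    if (-not $cs.Permissions) {
        # An empty list means the earlier Where-Object lookup found nothing.
        [pscustomobject]@{ Resource = $spn.DisplayName; PermissionType = $cs.PermissionType; Permission = "<none>"; InScope = $false }
        continue
    }

    foreach ($permId in $cs.Permissions) {
        # Map the permission GUID back to its human-readable AppRole value.
        $appRole = $spn.AppRoles | Where-Object { $_.Id -eq $permId }
        $value   = if ($appRole) { $appRole.Value } else { "<unknown id $permId>" }
        [pscustomobject]@{
            Resource       = $spn.DisplayName
            PermissionType = $cs.PermissionType
            Permission     = $value
            InScope        = [bool]($appRole -and $value -eq $expectedScope -and $cs.PermissionType -eq "application")
        }
    }
}

$findings | Format-Table -AutoSize

$outOfScope = $findings | Where-Object { -not $_.InScope }
if ($outOfScope) {
    throw "Policy '$policyId' permits consent beyond application $expectedScope; fix the condition sets before assigning the role."
}

# 2. Confirm the custom role's consent actions reference only this policy.
$roleDef = Get-AzureADMSRoleDefinition -Filter "displayName eq '$roleDisplayName'"
if (-not $roleDef) { throw "Role '$roleDisplayName' not found." }

$grantActions = $roleDef.RolePermissions.AllowedResourceActions | Where-Object { $_ -like "*managePermissionGrants*" }
$unexpected   = $grantActions | Where-Object { $_ -notlike "*.$policyId" }
if ($unexpected) {
    throw "Role grants consent rights outside policy '$policyId': $($unexpected -join ', ')"
}
Write-Host "Role '$roleDisplayName' is scoped to policy '$policyId' ($($grantActions.Count) grant actions)."

# 3. Assign the role to a group at tenant scope ("/"). Placeholder id: replace before running.
$groupObjectId = "<object-id-of-the-group>"
if ($groupObjectId -notlike "<*") {
    New-AzureADMSRoleAssignment -RoleDefinitionId $roleDef.Id -PrincipalId $groupObjectId -DirectoryScopeId "/"
}
```

Run it in the same AzureADPreview session after the script above. The table it prints is the concise record of what the delegated role can consent to, which is the thing an auditor will ask for; the two throw statements are what you want to fail before, not after, the role is handed out.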
