Für unser Glück & Kanja Lifecycle Tool setze ich im Schwerpunkt auf Microsoft Graph Calls. Für ein sauberes Setup habe ich mittlerweile ein Script. Es nutzt die PowerShell AZ und die Azure CLI. Besonders beim Erstellen einer Azure AD App (genauer Berechtigen und Granten) ist die Azure CLI noch ein Stück besser bzw. umfangreicher als die AZ PowerShell.
Die Lifecycle App arbeitet mit AD Settings und Groups. Erweiterte Funktionen setzen auf Access Reviews Feature aus dem AAD P2 Lizenzset. Diese Graph Berechtigungen setze ich direkt per CLI Script:
az ad app permission add --id $adapp.ApplicationId --api 00000003-0000-0000-c000-000000000000 --api-permissions 19dbc75e-c2e2-444c-a770-ec69d8559fc7=Role #msgraph Directory.ReadWrite.All
az ad app permission add --id $adapp.ApplicationId --api 00000003-0000-0000-c000-000000000000 --api-permissions 62a82d76-70ea-41e2-9197-370581804d09=Role #msgraph Group.ReadWrite.All
az ad app permission add --id $adapp.ApplicationId --api 00000003-0000-0000-c000-000000000000 --api-permissions ef5f7d5c-338f-44b0-86c3-351f46c8bb5f=Role #msgraph AccessReview.ReadWrite.All
az ad app permission add --id $adapp.ApplicationId --api 00000003-0000-0000-c000-000000000000 --api-permissions 60a901ed-09f7-4aa5-a16e-7dd3d6f9de36=Role #msgraph ProgramControl.ReadWrite.All
Die Azure CLI kann dann auch gleich noch den Admin Grant erledigen (wenn man nicht in der Azure Cloud Shell läuft!):
az ad app permission admin-consent --id $adapp.ApplicationId
Hier ein Beispiel, wie das Ergebnis dann im Azure AD Portal aussieht:
Wer nun die Guid für seine Berechtigung sucht, kann ganz einfach mit diesem Befehlt (Azure Active Directory PowerShell 2.0) auf das ständig wachsende Set an App Permissions zugreifen:
(Get-AzureADServicePrincipal -filter "DisplayName eq 'Microsoft Graph'").AppRoles | Select Id, Value | Sort Value
Id Value
-- -----
d07a8cc0-3d51-4b77-b3b0-32704d1f69fa AccessReview.Read.All
ef5f7d5c-338f-44b0-86c3-351f46c8bb5f AccessReview.ReadWrite.All
18228521-a591-40f1-b215-5fad4488c117 AccessReview.ReadWrite.Membership
134fd756-38ce-4afd-ba33-e9623dbe66c2 AdministrativeUnit.Read.All
5eb59dd3-1da2-4329-8733-9dabdc435916 AdministrativeUnit.ReadWrite.All
1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9 Application.ReadWrite.All
18a4783c-866b-4cc7-a460-3d5e5662c884 Application.ReadWrite.OwnedBy
b0afded3-3588-46d8-8b3d-9842eff778da AuditLog.Read.All
798ee544-9d2d-430c-a058-570e29e34338 Calendars.Read
ef54d2bf-783f-4e0f-bca1-3210c0444d99 Calendars.ReadWrite
a7a681dc-756e-4909-b988-f160edc6655f Calls.AccessMedia.All
284383ee-7f6e-4e40-a2a8-e85dcb029101 Calls.Initiate.All
4c277553-8a09-487b-8023-29ee378d8324 Calls.InitiateGroupCall.All
f6b49018-60ab-4f81-83bd-22caeabfed2d Calls.JoinGroupCall.All
fd7ccf6b-3d28-418b-9701-cd10f5cd2fd4 Calls.JoinGroupCallAsGuest.All
7b2449af-6ccd-4f4d-9f78-e550c193f0d1 ChannelMessage.Read.All
4d02b0cc-d90b-441f-8d82-4fb55c34d6bb ChannelMessage.UpdatePolicyViolation.All
6b7d71aa-70aa-4810-a8d9-5d9fb2830017 Chat.Read.All
294ce7c9-31ba-490a-ad7d-97a7d075e4ed Chat.ReadWrite.All
7e847308-e030-4183-9899-5235d7270f58 Chat.UpdatePolicyViolation.All
089fe4d0-434a-44c5-8827-41ba8a0b17f5 Contacts.Read
6918b873-d17a-4dc1-b314-35f528134491 Contacts.ReadWrite
1138cb37-bd11-4084-a2b7-9f71582aeddb Device.ReadWrite.All
7a6ee1e7-141e-4cec-ae74-d9db155731ff DeviceManagementApps.Read.All
dc377aa6-52d8-4e23-b271-2a7ae04cedf3 DeviceManagementConfiguration.Read.All
2f51be20-0bb4-4fed-bf7b-db946066c75e DeviceManagementManagedDevices.Read.All
58ca0d9a-1575-47e1-a3cb-007ef2e4583b DeviceManagementRBAC.Read.All
06a5fe6d-c49d-46a7-b082-56b1b14103c7 DeviceManagementServiceConfig.Read.All
7ab1d382-f21e-4acd-a863-ba3e13f7da61 Directory.Read.All
19dbc75e-c2e2-444c-a770-ec69d8559fc7 Directory.ReadWrite.All
7e05723c-0bb0-42da-be95-ae9f08a6e53c Domain.ReadWrite.All
7c9db06a-ec2d-4e7b-a592-5a1e30992566 EduAdministration.Read.All
9bc431c3-b8bc-4a8d-a219-40f10f92eff6 EduAdministration.ReadWrite.All
4c37e1b6-35a1-43bf-926a-6f30f2cdf585 EduAssignments.Read.All
6e0a958b-b7fc-4348-b7c4-a6ab9fd3dd0e EduAssignments.ReadBasic.All
0d22204b-6cad-4dd0-8362-3e3f2ae699d9 EduAssignments.ReadWrite.All
f431cc63-a2de-48c4-8054-a34bc093af84 EduAssignments.ReadWriteBasic.All
e0ac9e1b-cb65-4fc5-87c5-1a8bc181f648 EduRoster.Read.All
0d412a8c-a06c-439f-b3ec-8abcf54d2f96 EduRoster.ReadBasic.All
d1808e82-ce13-47af-ae0d-f9b254e6d58a EduRoster.ReadWrite.All
38c3d6ee-69ee-422f-b954-e17819665354 ExternalItem.ReadWrite.All
01d4889c-1287-42c6-ac1f-5d1e02578ef6 Files.Read.All
75359482-378d-4052-8f01-80520e7db3cd Files.ReadWrite.All
5b567255-7703-4780-807c-7be8301ae99b Group.Read.All
62a82d76-70ea-41e2-9197-370581804d09 Group.ReadWrite.All
e321f0bb-e7f7-481e-bb28-e3b0b32d4bd0 IdentityProvider.Read.All
90db2b9a-d928-4d33-a4dd-8442ae3d41e4 IdentityProvider.ReadWrite.All
6e472fd1-ad78-48da-a0f0-97ab2c6b769e IdentityRiskEvent.Read.All
db06fb33-1953-4b7b-a2ac-f1e2c854f7ae IdentityRiskEvent.ReadWrite.All
dc5007c0-2d7d-4c42-879c-2dab87571379 IdentityRiskyUser.Read.All
656f6061-f9fe-4807-9708-6a2e0934df76 IdentityRiskyUser.ReadWrite.All
19da66cb-0fb0-4390-b071-ebc76a349482 InformationProtectionPolicy.Read.All
810c84a8-4a9e-49e6-bf7d-12d183f40d01 Mail.Read
e2a3a72e-5f79-4c64-b1b1-878b674786c9 Mail.ReadWrite
b633e1c5-b582-4048-a93e-9f11b44c7e96 Mail.Send
40f97065-369a-49f4-947c-6a255697ae91 MailboxSettings.Read
6931bccd-447a-43d1-b442-00a195474933 MailboxSettings.ReadWrite
658aa5d8-239f-45c4-aa12-864f4fc7e490 Member.Read.Hidden
3aeca27b-ee3a-4c2b-8ded-80376e2134a4 Notes.Read.All
0c458cef-11f3-48c2-a568-c66751c238c0 Notes.ReadWrite.All
c1684f21-1984-47fa-9d61-2dc8c296bb70 OnlineMeetings.Read.All
b8bb2037-6e08-44ac-a4ea-4674e010e2a4 OnlineMeetings.ReadWrite.All
0b57845e-aa49-4e6f-8109-ce654fffa618 OnPremisesPublishingProfiles.ReadWrite.All
b528084d-ad10-4598-8b93-929746b4d7d6 People.Read.All
246dd0d5-5bd0-4def-940b-0421030a5b68 Policy.Read.All
79a677f7-b79d-40d0-a36a-3e6f8688dd7a Policy.ReadWrite.TrustFramework
eedb7fdd-7539-4345-a38b-4839e4a84cbd ProgramControl.Read.All
60a901ed-09f7-4aa5-a16e-7dd3d6f9de36 ProgramControl.ReadWrite.All
230c1aed-a721-4c5d-9cb4-a90514e508ef Reports.Read.All
5e0edab9-c148-49d0-b423-ac253e121825 SecurityActions.Read.All
f2bf083f-0179-402a-bedb-b2784de8a49b SecurityActions.ReadWrite.All
bf394140-e372-4bf9-a898-299cfc7564e5 SecurityEvents.Read.All
d903a879-88e0-4c09-b0c9-82f6a1333f84 SecurityEvents.ReadWrite.All
a82116e5-55eb-4c41-a434-62fe8a61c773 Sites.FullControl.All
0c0bf378-bf22-4481-8f81-9e89a9b4960a Sites.Manage.All
332a536c-c7ef-4017-ab91-336970924f0d Sites.Read.All
9492366f-7969-46a4-8d15-ed1a20078fff Sites.ReadWrite.All
21792b6c-c986-4ffc-85de-df9da54b52fa ThreatIndicators.ReadWrite.OwnedBy
fff194f1-7dce-4428-8301-1badb5518201 TrustFrameworkKeySet.Read.All
4a771c9a-1cf2-4609-b88e-3d3e02d539cd TrustFrameworkKeySet.ReadWrite.All
405a51b5-8d8d-430b-9842-8be4b0e9f324 User.Export.All
09850681-111b-4a89-9bed-3f2cae46d706 User.Invite.All
df021288-bdef-4463-88db-98f22de89214 User.Read.All
741f803b-c850-494e-b5df-cde7c675a1ca User.ReadWrite.All