Managing Service Principal Permission Requests using PowerShell

Permission to the “SharePoint Online Client” service principal can be granted either in declarative method within SPFx solutions or directly. This post explores how to handle both declarative and direct permission grants using SPO PowerShell , ClI for M365 and PnP PowerShell.

PnP PowerShell

Get all service principal permission grants

Gets the collection of permission grants for the “SharePoint Online Client” service principal using the cmdlet Get-PnPTenantServicePrincipalPermissionGrants

    Connect-PnPOnline -Url https://contoso-admin.sharepoint.com -Interactive
    Get-PnPTenantServicePrincipalPermissionGrants

Add Microsoft Graph permission explicitly

To explicitly add a permission to the SharePoint Online Entra ID app, such as the Mail.Read Microsoft Graph permission, use the Grant-PnPTenantServicePrincipalPermissionGrant cmdlet:

Grant-PnPTenantServicePrincipalPermissionGrant --Resource 'Microsoft Graph' --Scope 'Mail.Read'

Revoke Permission permission explicitly

Use the Revoke-PnPTenantServicePrincipalPermission to revoke a permission that was previously granted to the “SharePoint Online CLient” service principal.

Revoke-PnPTenantServicePrincipalPermission --ObjectId 50NAzUm3C0K9B6p8ORLtIsQccg4rMERGvFGRtBsk2fA

Get tenant service principal permission requests

Use the Get-PnPTenantServicePrincipalPermissionRequests cmdlet to list, approve, and deny permission requests that were submitted using the declarative approach:

    Get-PnPTenantServicePrincipalPermissionRequests

Approve Tenant Service Principal Permission Request

  Approve-PnPTenantServicePrincipalPermissionRequest --RequestId b4993f61-036d-465b-bc2f-6ef12696c26f

Reject/Deny Tenant Service Principal Permission Request

 Deny-PnPTenantServicePrincipalPermissionRequest --RequestId 4a36e6a4-61df-450c-a914-6c6efdaa2dd0

CLI for M365

Get a list of Service Principal permission grants

    m365 login
    m365 spo serviceprincipal grant list

Add a permission to the SharePoint Online Entra ID app

Add a permission to the SharePoint Online Entra ID app, such as the Mail.Read Microsoft Graph permission, use the grant add command:

  m365 spo serviceprincipal grant add --resource 'Microsoft Graph' --scope 'Mail.Read'

Remove permission with grant remove

Remove the permission using the grant revoke command:

m365 spo serviceprincipal grant list

Note down the id permissions need to be revoked.

m365 spo serviceprincipal grant revoke --id 50NAzUm3C0K9B6p8ORLtIsQccg4rMERGvFGRtBsk2fA

Get all ServicePrincipal permission requests

Use the permissionrequest command to list, approve, and deny permission requests that were submitted using the declarative approach:

 m365 spo serviceprincipal permissionrequest list

Note the ID of the request to approve or reject/deny

Approve serviceprincipal permissionrequest

 m365 spo serviceprincipal permissionrequest approve --id 4dc4c043-25ee-40f2-81d3-b3bf63da7538

Reject serviceprincipal permissionrequest

 m365 spo serviceprincipal permissionrequest deny --id 4dc4c043-25ee-40f2-81d3-b3bf63da7538

SPO PowerShell

To get a list of all the permissions granted to your tenant, use the following command:

    Connect-SPOService -Url https://contoso-admin.sharepoint.com
    Get-SPOTenantServicePrincipalPermissionGrants

Review the response to find the grant you want to remove and get it’s ID

Get-SPOTenantServicePrincipalPermissionGrants

Explicitly add permission to “SharePoint Online Client”

Add a permission to the SharePoint Online Entra ID app, such as the Mail.Read Microsoft Graph permission, using the Approve-SPOTenantServicePrincipalPermissionGrant cmdlet:

 Approve-SPOTenantServicePrincipalPermissionGrant --Resource 'Microsoft Graph' --Scope 'Mail.Read'

Approve-SPOTenantServicePrincipalPermissionGrant

Revoke service principal permission grants

Revokes a permission that was previously granted to the “SharePoint Online Client” service principal.

# list all serviceprincipal permission grants
Get-SPOTenantServicePrincipalPermissionGrants

Review the response to find the grant you want to remove and get it’s ID

Revoke-SPOTenantServicePrincipalPermission --ObjectId 50NAzUm3C0K9B6p8ORLtIsQccg4rMERGvFGRtBsk2fA

Revoke-SPOTenantServicePrincipalPermission

Get Service Principal Permission requests in declarative way

Use the Get-SPOTenantServicePrincipalPermissionRequests cmdlet to list, approve, and deny permission requests that were submitted using the declarative approach:

    Get-SPOTenantServicePrincipalPermissionRequests

Get the ID of the request to approve it…

Approve Request Approves a permission request for the current tenant’s “SharePoint Online Client” service principal

Approve-SPOTenantServicePrincipalPermissionRequest --RequestId 4dc4c043-25ee-40f2-81d3-b3bf63da7538

Deny Request Denies a permission request for the current tenant’s “SharePoint Online Client” service principal.

Deny-SPOTenantServicePrincipalPermissionRequest --RequestId 4dc4c043-25ee-40f2-81d3-b3bf63da7538

References

Beware of Declarative Permissions in SharePoint Framework Projects

• SPFx
• PowerShell
• Permission
• Service Principal
• CLIforM365
• PnP PowerShell
• SPO PowerShell
• Declarative
• Explicit