Managing Service Principal Permission Requests using PowerShell
Permissions for the “SharePoint Online Client” service principal can be granted either declaratively, through the webApiPermissionRequests entries in an SPFx solution’s package-solution.json (which creates a pending request that a tenant administrator must approve), or directly by an administrator. In both cases the grant lands on the single, tenant-wide “SharePoint Online Client” service principal, so an approved scope is usable by every SPFx solution in the tenant, not only the one that requested it. This post explores how to handle both declarative and direct permission grants using SPO PowerShell, CLI for M365 and PnP PowerShell.
PnP PowerShell
Get all service principal permission grants
Get the collection of permission grants for the “SharePoint Online Client” service principal with the Get-PnPTenantServicePrincipalPermissionGrants cmdlet:
Connect-PnPOnline -Url https://contoso-admin.sharepoint.com -Interactive
Get-PnPTenantServicePrincipalPermissionGrants
Add Microsoft Graph permission explicitly
To explicitly add a permission to the SharePoint Online Entra ID app, such as the Mail.Read Microsoft Graph permission, use the Grant-PnPTenantServicePrincipalPermission cmdlet (PowerShell parameters take a single dash):
Grant-PnPTenantServicePrincipalPermission -Resource 'Microsoft Graph' -Scope 'Mail.Read'
Revoke a permission explicitly
Use Revoke-PnPTenantServicePrincipalPermission to revoke a permission that was previously granted to the “SharePoint Online Client” service principal. The ObjectId is the Id of the grant as listed by Get-PnPTenantServicePrincipalPermissionGrants:
Revoke-PnPTenantServicePrincipalPermission -ObjectId 50NAzUm3C0K9B6p8ORLtIsQccg4rMERGvFGRtBsk2fA
Get tenant service principal permission requests
Use the Get-PnPTenantServicePrincipalPermissionRequests cmdlet to list the permission requests that were submitted using the declarative approach, then approve or deny each one by its request Id:
Get-PnPTenantServicePrincipalPermissionRequests
Approve Tenant Service Principal Permission Request
Approve-PnPTenantServicePrincipalPermissionRequest -RequestId b4993f61-036d-465b-bc2f-6ef12696c26f
Reject/Deny Tenant Service Principal Permission Request
Deny-PnPTenantServicePrincipalPermissionRequest -RequestId 4a36e6a4-61df-450c-a914-6c6efdaa2dd0
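The cmdlets above are usually run one request at a time. The script below is an added example, not code from the original post, that strings them together into a review step: every pending request is compared against an allowlist of scopes the tenant has decided it is willing to expose to all SPFx solutions, matching requests are approved and everything else is denied and reported. The admin URL, the allowlist contents and the PackageName property on the request objects are assumptions, not facts from the page.

```powershell
# Added example (not from the original post): triage pending permission requests
# for the "SharePoint Online Client" service principal with PnP PowerShell.
# Assumptions (not stated on the page): the admin URL, the allowlist contents, and
# that the request objects expose a PackageName property.
param(
    [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',  # assumed tenant admin URL
    [switch]$DryRun                                               # report only; approve/deny nothing
)

# Scopes that may be approved without a manual review, per resource. A request for
# anything else (for example Mail.Read or a *.ReadWrite.All scope) is denied and reported,
# because an approved scope becomes usable by every SPFx solution in the tenant.
$AllowedScopes = @{
    'Microsoft Graph' = @('User.ReadBasic.All', 'Group.Read.All')
}

# Newer PnP PowerShell versions also require -ClientId of your own Entra app registration.
Connect-PnPOnline -Url $AdminUrl -Interactive

$requests = @(Get-PnPTenantServicePrincipalPermissionRequests)
if ($requests.Count -eq 0) { Write-Host 'No pending permission requests.'; return }

$report = foreach ($req in $requests) {
    # Each declarative request carries exactly one resource/scope pair.
    $allowed = $AllowedScopes.ContainsKey($req.Resource) -and
               ($AllowedScopes[$req.Resource] -contains $req.Scope)
    $action  = if ($allowed) { 'Approve' } else { 'Deny' }

    if (-not $DryRun) {
        if ($allowed) { Approve-PnPTenantServicePrincipalPermissionRequest -RequestId $req.Id }
        else          { Deny-PnPTenantServicePrincipalPermissionRequest    -RequestId $req.Id }
    }

    [pscustomobject]@{
        RequestId = $req.Id
        Package   = $req.PackageName   # assumed property name
        Resource  = $req.Resource
        Scope     = $req.Scope
        Action    = $action + $(if ($DryRun) { ' (dry run)' } else { '' })
    }
}

$report | Format-Table -AutoSize
```

Run it once with -DryRun to see what would be approved and denied before letting it act; a request that is denied here can be resubmitted by redeploying the package, so denying is safe, while approving a scope that is not on the allowlist is the decision that deserves a human review.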
CLI for M365
Get a list of Service Principal permission grants
m365 login
m365 spo serviceprincipal grant list
Add a permission to the SharePoint Online Entra ID app
To add a permission to the SharePoint Online Entra ID app, such as the Mail.Read Microsoft Graph permission, use the grant add command:
m365 spo serviceprincipal grant add --resource 'Microsoft Graph' --scope 'Mail.Read'
Remove a permission with grant revoke
Remove the permission using the grant revoke command. First list the grants and note the id of the grant to revoke:
m365 spo serviceprincipal grant list
Then revoke it by id:
m365 spo serviceprincipal grant revoke --id 50NAzUm3C0K9B6p8ORLtIsQm3C0K9B6p8ORLtIsQccg4rMERGvFGRtBsk2fA
Get all ServicePrincipal permission requests
Use the permissionrequest command to list, approve, and deny permission requests that were submitted using the declarative approach:
m365 spo serviceprincipal permissionrequest list
Note the ID of the request to approve or reject/deny
Approve serviceprincipal permissionrequest
m365 spo serviceprincipal permissionrequest approve --id 4dc4c043-25ee-40f2-81d3-b3bf63da7538
Reject serviceprincipal permissionrequest
m365 spo serviceprincipal permissionrequest deny --id 4dc4c043-25ee-40f2-81d3-b3bf63da7538
SPO PowerShell
To list all permissions granted to the tenant’s “SharePoint Online Client” service principal, connect to the admin site and run Get-SPOTenantServicePrincipalPermissionGrants:
Connect-SPOService -Url https://contoso-admin.sharepoint.com
Get-SPOTenantServicePrincipalPermissionGrants
Explicitly add permission to “SharePoint Online Client”
To add a permission to the SharePoint Online Entra ID app, such as the Mail.Read Microsoft Graph permission, use the Approve-SPOTenantServicePrincipalPermissionGrant cmdlet:
Approve-SPOTenantServicePrincipalPermissionGrant -Resource 'Microsoft Graph' -Scope 'Mail.Read'
Revoke service principal permission grants
Revokes a permission that was previously granted to the “SharePoint Online Client” service principal.
# list all serviceprincipal permission grants
Get-SPOTenantServicePrincipalPermissionGrants
Review the response to find the grant you want to remove and note its ObjectId, then revoke it:
Revoke-SPOTenantServicePrincipalPermission -ObjectId 50NAzUm3C0K9B6p8ORLtIsQccg4rMERGvFGRtBsk2fA
Get service principal permission requests submitted declaratively
Use the Get-SPOTenantServicePrincipalPermissionRequests cmdlet to list the permission requests that were submitted using the declarative approach; the Approve and Deny cmdlets then act on a request by its Id:
Get-SPOTenantServicePrincipalPermissionRequests
Note the Id of the request you want to approve or deny.
Approve Request
Approves a permission request for the current tenant’s “SharePoint Online Client” service principal:
Approve-SPOTenantServicePrincipalPermissionRequest -RequestId 4dc4c043-25ee-40f2-81d3-b3bf63da7538
Deny Request
Denies a permission request for the current tenant’s “SharePoint Online Client” service principal:
Deny-SPOTenantServicePrincipalPermissionRequest -RequestId 4dc4c043-25ee-40f2-81d3-b3bf63da7538
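Approving requests is only half of the job; grants accumulate, and a scope approved for a solution that has since been retired stays on the shared service principal. The script below is an added example, not code from the original post, that uses the SPO PowerShell cmdlets from this section to audit the existing grants against an allowlist, report any scope that is not on it, and optionally revoke the offending grant. The admin URL and allowlist are assumptions; it also assumes, defensively, that a grant’s Scope value may hold several space-separated scopes, which is the OAuth2 permission-grant convention.

```powershell
# Added example (not from the original post): audit the grants on the
# "SharePoint Online Client" service principal against an allowlist with SPO PowerShell.
# Assumptions (not stated on the page): the admin URL, the allowlist contents, and that
# a grant's Scope may contain several space-separated scopes.
param(
    [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',  # assumed tenant admin URL
    [switch]$Enforce                                              # revoke instead of only reporting
)

# Scopes the tenant has consciously accepted, per resource. Anything else is drift.
$AllowedScopes = @{
    'Microsoft Graph' = @('User.ReadBasic.All', 'Group.Read.All')
}

Connect-SPOService -Url $AdminUrl

$findings = foreach ($grant in Get-SPOTenantServicePrincipalPermissionGrants) {
    # Check every scope on the grant individually.
    $scopes   = @($grant.Scope -split '\s+' | Where-Object { $_ })
    $allowed  = if ($AllowedScopes.ContainsKey($grant.Resource)) { $AllowedScopes[$grant.Resource] } else { @() }
    $unwanted = @($scopes | Where-Object { $allowed -notcontains $_ })

    if ($unwanted.Count -eq 0) { continue }

    $status = 'Reported'
    if ($Enforce) {
        # Revoking removes the whole grant object, i.e. every scope listed on it,
        # including any allowed scope that shares the same ObjectId.
        Revoke-SPOTenantServicePrincipalPermission -ObjectId $grant.ObjectId
        $status = 'Revoked'
    }

    [pscustomobject]@{
        ObjectId       = $grant.ObjectId
        Resource       = $grant.Resource
        UnwantedScopes = ($unwanted -join ' ')
        Status         = $status
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host 'All grants match the allowlist.' }
```

Run it without -Enforce on a schedule and treat any output as a change-control event: a scope that appears outside the allowlist was either approved by hand outside the process or was left behind by a solution that no longer needs it, and both are worth a look before the grant is revoked.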