# AADPermissionGrantPolicy

## Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Id | Key | String | The unique identifier for the permission grant policy. | |
| DisplayName | Write | String | The display name for the permission grant policy. | |
| Description | Write | String | The description for the permission grant policy. | |
| Includes | Write | MSFT_AADPermissionGrantConditionSet[] | Condition sets which are included in this permission grant policy. Automatically constructed as part of the permission grant policy. | |
| Excludes | Write | MSFT_AADPermissionGrantConditionSet[] | Condition sets which are excluded in this permission grant policy. Automatically constructed as part of the permission grant policy. | |
| Ensure | Write | String | Specify if the policy should exist. | Present, Absent |
| Credential | Write | PSCredential | Credentials for the Microsoft Graph delegated permissions. | |
| ApplicationId | Write | String | Id of the Entra ID application to authenticate with. | |
| TenantId | Write | String | Id of the Entra ID tenant used for authentication. | |
| ApplicationSecret | Write | PSCredential | Secret of the Entra ID application to authenticate with. | |
| CertificateThumbprint | Write | String | Thumbprint of the Entra ID application's authentication certificate to use for authentication. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. | |

## Embedded Instances

### MSFT_AADPermissionGrantConditionSet

#### Parameters
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| Id | Write | String | The unique identifier for the condition set. | |
| CertifiedClientApplicationsOnly | Write | Boolean | Set to true to only match on client applications that are from a Microsoft Partner Network verified publisher. Set to false to match on any client app. | |
| ClientApplicationIds | Write | StringArray[] | A list of appId values for the client applications to match with, or a list with the single value all to match any client application. | |
| ClientApplicationPublisherIds | Write | StringArray[] | A list of Microsoft Partner Network (MPN) IDs for verified publishers of the client application, or a list with the single value all to match with client apps from any publisher. | |
| ClientApplicationTenantIds | Write | StringArray[] | A list of Entra ID tenant IDs in which the client application is registered, or a list with the single value all to match with client apps registered in any tenant. | |
| ClientApplicationsFromVerifiedPublisherOnly | Write | Boolean | Set to true to only match on client applications with a verified publisher. Set to false to match on any client app. Default is false. | |
| PermissionClassification | Write | String | The permission classification for the permission being granted, or all to match with any permission classification (including permissions which are not classified). Default is all. | |
| Permissions | Write | StringArray[] | The list of permission display names to match with (e.g. 'User.Read', 'Mail.Send'), or a list with the single value all to match with any permission. Do not use permission GUIDs. | |
| PermissionType | Write | String | The permission type of the permission being granted. Possible values: application for application permissions, or delegated for delegated permissions. | |
| ResourceApplication | Write | String | The appId of the resource application (e.g. '00000003-0000-0000-c000-000000000000' for Microsoft Graph) for which a permission is being granted, or 'any' to match any resource application. Use the AppId GUID, not the display name. | |

## Description
This resource configures an Entra Permission Grant Policy with its associated include and exclude condition sets.
Permission Grant Policies allow organizations to delegate admin consent capabilities for specific Microsoft Graph permissions to non-Global Administrator users and groups.
This resource combines the parent policy and its condition sets into a single configuration, managing:

- The parent permission grant policy properties (Id, DisplayName, Description)
- Include condition sets as an embedded CIM instance array
- Exclude condition sets as an embedded CIM instance array

### Example

```powershell
AADPermissionGrantPolicy 'CustomConsentPolicy'
{
    Id          = "my-custom-consent-policy"
    DisplayName = "My Custom Consent Policy"
    Description = "Custom policy for app consent with specific conditions"
    Includes    = @(
        MSFT_AADPermissionGrantConditionSet {
            Id                                          = "include-low-risk-delegated"
            PermissionType                              = "delegated"
            PermissionClassification                    = "low"
            ClientApplicationIds                        = @("all")
            ClientApplicationTenantIds                  = @($TenantId)
            ClientApplicationPublisherIds               = @("all")
            ClientApplicationsFromVerifiedPublisherOnly = $false
            ResourceApplication                         = "00000003-0000-0000-c000-000000000000"
            Permissions                                 = @("User.Read", "openid", "profile")
        }
    )
    Excludes    = @(
        MSFT_AADPermissionGrantConditionSet {
            Id                       = "exclude-high-risk-permissions"
            PermissionType           = "delegated"
            PermissionClassification = "high"
            ClientApplicationIds     = @("all")
            ResourceApplication      = "any"
            Permissions              = @("all")
        }
    )
    Ensure                = "Present"
    ApplicationId         = $ApplicationId
    TenantId              = $TenantId
    CertificateThumbprint = $CertificateThumbprint
}
```
## Permissions

### Microsoft Graph

To authenticate with the Microsoft Graph API, this resource requires the following permissions:

#### Delegated permissions

- Read
    - Policy.Read.PermissionGrant
- Update
    - Policy.ReadWrite.PermissionGrant

#### Application permissions

- Read
    - Policy.Read.PermissionGrant
- Update
    - Policy.ReadWrite.PermissionGrant

## Examples

### Example 1
This example creates a new Azure AD Permission Grant Policy with include and exclude condition sets.
```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )

    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        AADPermissionGrantPolicy 'CustomConsentPolicy'
        {
            Id          = "my-custom-consent-policy"
            DisplayName = "My Custom Consent Policy"
            Description = "Custom policy for app consent with specific conditions"
            Includes    = @(
                MSFT_AADPermissionGrantConditionSet {
                    Id                                          = "include-low-risk-delegated"
                    PermissionType                              = "delegated"
                    PermissionClassification                    = "low"
                    ClientApplicationIds                        = @("all")
                    ClientApplicationTenantIds                  = @($TenantId)
                    ClientApplicationPublisherIds               = @("all")
                    ClientApplicationsFromVerifiedPublisherOnly = $false
                    ResourceApplication                         = "00000003-0000-0000-c000-000000000000"
                    Permissions                                 = @("User.Read", "openid", "profile")
                }
                MSFT_AADPermissionGrantConditionSet {
                    Id                                          = "include-verified-publishers"
                    PermissionType                              = "delegated"
                    ClientApplicationIds                        = @("all")
                    ClientApplicationsFromVerifiedPublisherOnly = $true
                    ResourceApplication                         = "any"
                    Permissions                                 = @("all")
                }
            )
            Excludes    = @(
                MSFT_AADPermissionGrantConditionSet {
                    Id                       = "exclude-high-risk-permissions"
                    PermissionType           = "delegated"
                    PermissionClassification = "high"
                    ClientApplicationIds     = @("all")
                    ResourceApplication      = "any"
                    Permissions              = @("all")
                }
            )
            Ensure                = "Present"
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}
```
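The Description section states that a policy is made of include and exclude condition sets, and Example 1 above pairs a broad "verified publishers" include with a "high classification" exclude. The block below is an added illustration, not code from Microsoft365DSC or its documentation: a small hypothetical evaluator (`Test-ConditionSetMatch`, `Test-PermissionGrantPolicyMatch`) that models the documented rule that a consent request is permitted by the policy only when it matches at least one Includes set and none of the Excludes sets. The condition sets are the three from Example 1 written as plain hashtables; the tenant id, client app ids, publisher id and consent requests are constructed sample values.

```powershell
# Added example, not part of Microsoft365DSC. Models how Entra ID applies a
# permission grant policy: allowed = matches >= 1 Includes set AND matches 0 Excludes sets.
# Condition sets are hashtables shaped like MSFT_AADPermissionGrantConditionSet.

function Test-ConditionSetMatch {
    param([hashtable]$Set, [hashtable]$Request)
    # A set matches only when every property it specifies matches the request.
    # 'all' ('any' for ResourceApplication) is a wildcard; an omitted property is a wildcard too.
    if ($Set.ContainsKey('PermissionType') -and
        $Set.PermissionType -ne $Request.PermissionType) { return $false }
    if ($Set.ContainsKey('PermissionClassification') -and $Set.PermissionClassification -ne 'all' -and
        $Set.PermissionClassification -ne $Request.PermissionClassification) { return $false }
    if ($Set.ContainsKey('ResourceApplication') -and $Set.ResourceApplication -ne 'any' -and
        $Set.ResourceApplication -ne $Request.ResourceApplication) { return $false }
    if ($Set.ContainsKey('Permissions') -and $Set.Permissions -notcontains 'all' -and
        $Set.Permissions -notcontains $Request.Permission) { return $false }
    if ($Set.ContainsKey('ClientApplicationIds') -and $Set.ClientApplicationIds -notcontains 'all' -and
        $Set.ClientApplicationIds -notcontains $Request.ClientAppId) { return $false }
    if ($Set.ContainsKey('ClientApplicationTenantIds') -and $Set.ClientApplicationTenantIds -notcontains 'all' -and
        $Set.ClientApplicationTenantIds -notcontains $Request.ClientTenantId) { return $false }
    if ($Set.ContainsKey('ClientApplicationPublisherIds') -and $Set.ClientApplicationPublisherIds -notcontains 'all' -and
        $Set.ClientApplicationPublisherIds -notcontains $Request.ClientPublisherId) { return $false }
    if ($Set.ContainsKey('ClientApplicationsFromVerifiedPublisherOnly') -and
        $Set.ClientApplicationsFromVerifiedPublisherOnly -and -not $Request.VerifiedPublisher) { return $false }
    return $true
}

function Test-PermissionGrantPolicyMatch {
    param([hashtable[]]$Includes, [hashtable[]]$Excludes, [hashtable]$Request)
    $included = @($Includes | Where-Object { Test-ConditionSetMatch -Set $_ -Request $Request }).Count -gt 0
    $excluded = @($Excludes | Where-Object { Test-ConditionSetMatch -Set $_ -Request $Request }).Count -gt 0
    # An Excludes match always wins over an Includes match.
    return ($included -and -not $excluded)
}

# Constructed sample values (placeholder tenant id; Graph appId as used in Example 1).
$tenantId   = '11111111-1111-1111-1111-111111111111'
$graphAppId = '00000003-0000-0000-c000-000000000000'

# The three condition sets of Example 1, as hashtables.
$includes = @(
    @{  Id = 'include-low-risk-delegated'; PermissionType = 'delegated'; PermissionClassification = 'low'
        ClientApplicationIds = @('all'); ClientApplicationTenantIds = @($tenantId)
        ClientApplicationPublisherIds = @('all'); ClientApplicationsFromVerifiedPublisherOnly = $false
        ResourceApplication = $graphAppId; Permissions = @('User.Read', 'openid', 'profile') },
    @{  Id = 'include-verified-publishers'; PermissionType = 'delegated'; ClientApplicationIds = @('all')
        ClientApplicationsFromVerifiedPublisherOnly = $true; ResourceApplication = 'any'; Permissions = @('all') }
)
$excludes = @(
    @{  Id = 'exclude-high-risk-permissions'; PermissionType = 'delegated'; PermissionClassification = 'high'
        ClientApplicationIds = @('all'); ResourceApplication = 'any'; Permissions = @('all') }
)

# Constructed consent requests with the outcome the model should produce.
$requests = @(
    @{  Label = 'low: User.Read on Graph from an unverified app registered in this tenant  (expect True)'
        PermissionType = 'delegated'; PermissionClassification = 'low'; ResourceApplication = $graphAppId
        Permission = 'User.Read'; ClientAppId = 'aaaaaaaa-0000-0000-0000-000000000001'
        ClientTenantId = $tenantId; ClientPublisherId = 'none'; VerifiedPublisher = $false },
    @{  Label = 'high: Mail.ReadWrite from a verified publisher, exclude wins                (expect False)'
        PermissionType = 'delegated'; PermissionClassification = 'high'; ResourceApplication = $graphAppId
        Permission = 'Mail.ReadWrite'; ClientAppId = 'aaaaaaaa-0000-0000-0000-000000000002'
        ClientTenantId = 'other-tenant'; ClientPublisherId = '1234567'; VerifiedPublisher = $true },
    @{  Label = 'medium: Files.Read from a verified publisher, second include matches       (expect True)'
        PermissionType = 'delegated'; PermissionClassification = 'medium'; ResourceApplication = $graphAppId
        Permission = 'Files.Read'; ClientAppId = 'aaaaaaaa-0000-0000-0000-000000000003'
        ClientTenantId = 'other-tenant'; ClientPublisherId = '1234567'; VerifiedPublisher = $true },
    @{  Label = 'low: User.Read from an unverified app in another tenant, no include matches (expect False)'
        PermissionType = 'delegated'; PermissionClassification = 'low'; ResourceApplication = $graphAppId
        Permission = 'User.Read'; ClientAppId = 'aaaaaaaa-0000-0000-0000-000000000004'
        ClientTenantId = 'other-tenant'; ClientPublisherId = 'none'; VerifiedPublisher = $false }
)

foreach ($r in $requests) {
    $allowed = Test-PermissionGrantPolicyMatch -Includes $includes -Excludes $excludes -Request $r
    Write-Output ('{0,-5} {1}' -f $allowed, $r.Label)
}
```

The second request is the case the exclude set exists for: a verified publisher satisfies the broad `include-verified-publishers` set, but the request's high classification also satisfies `exclude-high-risk-permissions`, so the policy does not permit it. The model covers only the condition-set logic; a permission grant policy takes effect only for the principals it is assigned to, which the evaluator does not represent.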
### Example 2
This example updates an existing Azure AD Permission Grant Policy by modifying its condition sets.
```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )

    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        AADPermissionGrantPolicy 'CustomConsentPolicy'
        {
            Id          = "my-custom-consent-policy"
            DisplayName = "My Custom Consent Policy - Updated"
            Description = "Updated policy with new conditions"
            Includes    = @(
                MSFT_AADPermissionGrantConditionSet {
                    Id                                          = "include-low-risk-delegated"
                    PermissionType                              = "delegated"
                    PermissionClassification                    = "low"
                    ClientApplicationIds                        = @("all")
                    ClientApplicationTenantIds                  = @($TenantId)
                    ClientApplicationPublisherIds               = @("all")
                    ClientApplicationsFromVerifiedPublisherOnly = $false
                    ResourceApplication                         = "00000003-0000-0000-c000-000000000000"
                    Permissions                                 = @("User.Read", "User.ReadBasic.All", "openid", "profile")
                }
            )
            Excludes    = @(
                MSFT_AADPermissionGrantConditionSet {
                    Id                       = "exclude-high-risk-permissions"
                    PermissionType           = "delegated"
                    PermissionClassification = "high"
                    ClientApplicationIds     = @("all")
                    ResourceApplication      = "any"
                    Permissions              = @("all")
                }
                MSFT_AADPermissionGrantConditionSet {
                    Id                   = "exclude-application-permissions"
                    PermissionType       = "application"
                    ClientApplicationIds = @("all")
                    ResourceApplication  = "any"
                    Permissions          = @("all")
                }
            )
            Ensure                = "Present"
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}
```
### Example 3
This example removes an existing Azure AD Permission Grant Policy.
```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )

    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        AADPermissionGrantPolicy 'CustomConsentPolicy'
        {
            Id                    = "my-custom-consent-policy"
            Ensure                = "Absent"
            ApplicationId         = $ApplicationId
            TenantId              = $TenantId
            CertificateThumbprint = $CertificateThumbprint
        }
    }
}
```