If you have configured "Do not allow user consent" and you want to assign permissions for an Enterprise application to one specific user, there are two options: Microsoft Graph PowerShell or the Microsoft Graph API directly. In this example I'm going to use Microsoft Graph PowerShell and assign the "DeviceManagementConfiguration.ReadWrite.All" delegated permission to Meganb. To accomplish this I will use parts of this script. The result is a per-user consent grant, so Meganb gets the additional right without the permission being granted to every user in the tenant.
1. Megan tries to sign in with the "DeviceManagementConfiguration.ReadWrite.All" scope.
2. Because she doesn't have the appropriate permissions and admin approval is needed for "DeviceManagementConfiguration.ReadWrite.All", she is shown the "Need admin approval" prompt instead of being signed in.
3. In the sign-in log the following failure will appear: “Admin consent is required for the permissions requested by this application.”
4. To assign admin consent for a particular permission to a single user, I wrote a PowerShell script. The script checks whether the user already has a delegated permission grant for the application; if so, it appends the new permission to the existing grant, otherwise it creates a grant containing only the permissions configured in the script. You can download the script here. Please test and verify the script before using it in a production environment. Use is at your own risk.
5. Open PowerShell and connect with a user account that has the Privileged Role Administrator, Application Administrator, or Cloud Application Administrator role assigned. Following the least privilege principle, do not use a Global Administrator for this purpose. In this example I will use an account with the Cloud Application Administrator role assigned. To configure the permissions I will need to connect with the following scopes:
Connect-MgGraph -Scopes ("User.ReadBasic.All Application.ReadWrite.All " `
    + "DelegatedPermissionGrant.ReadWrite.All " `
    + "AppRoleAssignment.ReadWrite.All")
6. The first time you connect with these scopes you will be prompted to consent to them with your Cloud Application Administrator account.
7. Now I will configure the parameters for the script. This is the next part of the script:
$clientAppId = "14d82eec-204b-4c2f-b7e8-296a70dab67e" # Microsoft Graph Command Line Tools
$resourceAppId = "00000003-0000-0000-c000-000000000000" # Microsoft Graph API
$permissions = @("DeviceManagementConfiguration.ReadWrite.All") # Claim value of the permissions
$userUpnOrId = "Meganb@********.onmicrosoft.com" # User which will get the permissions
8. By executing the remaining lines of the script, the configured permission(s) will be assigned to the user. The script first checks whether a per-user grant already exists and then either updates that grant or creates a new one.
9. In the enterprise application's Permissions page, under User consent, filtering on DeviceManagementConfiguration.ReadWrite.All shows the new grant. Selecting the permission lists Meganb as the user it was granted to.
10. When Meganb now tries to sign in again with the "DeviceManagementConfiguration.ReadWrite.All" scope, she no longer sees the admin approval screen and signs in without any issues.
11. By looking in the sign-in log of the “Microsoft Graph Command Line Tools” enterprise application, we can validate that the login is successful and no more Admin consent is required.
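The following is an added example of the whole procedure in Microsoft Graph PowerShell. It is written for this page and is not the author's downloadable script, although it performs the same steps: resolve the client and resource service principals, look for an existing per-user grant, and either extend it or create it. It assumes the Microsoft.Graph module is installed and that Connect-MgGraph has already been run with the scopes from step 5; the function names Grant-UserDelegatedPermission, Get-UserDelegatedGrant and Test-UserDelegatedPermission are mine, and the masked tenant name is a placeholder exactly as in the post.

```powershell
# Added example (not the blog's script). Requires: Microsoft.Graph module and an
# existing Connect-MgGraph session with the scopes from step 5.

# Returns the per-user (consentType 'Principal') grant for this client/resource/user,
# or $null. A tenant-wide grant would have consentType 'AllPrincipals' and no principalId.
function Get-UserDelegatedGrant {
    param([string]$ClientSpId, [string]$ResourceSpId, [string]$UserId)
    Get-MgOauth2PermissionGrant -All | Where-Object {
        $_.ClientId    -eq $ClientSpId   -and
        $_.ResourceId  -eq $ResourceSpId -and
        $_.ConsentType -eq "Principal"   -and
        $_.PrincipalId -eq $UserId
    }
}

function Grant-UserDelegatedPermission {
    param(
        [Parameter(Mandatory)] [string]   $ClientAppId,
        [Parameter(Mandatory)] [string]   $ResourceAppId,
        [Parameter(Mandatory)] [string[]] $Permissions,
        [Parameter(Mandatory)] [string]   $UserUpnOrId
    )

    # 1. Service principal of the client app. It is normally created on first sign-in;
    #    create it if the app has never been used in this tenant.
    $clientSp = Get-MgServicePrincipal -Filter "appId eq '$ClientAppId'"
    if (-not $clientSp) { $clientSp = New-MgServicePrincipal -AppId $ClientAppId }

    # 2. Service principal of the resource API (Microsoft Graph) that publishes the scopes.
    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
    if (-not $resourceSp) { throw "No service principal for resource app $ResourceAppId." }

    # 3. Refuse scopes the resource does not publish: a typo in the claim value would
    #    otherwise be written into the grant and silently never match a sign-in request.
    $published = $resourceSp.Oauth2PermissionScopes.Value
    foreach ($p in $Permissions) {
        if ($published -notcontains $p) { throw "'$p' is not a delegated permission of $ResourceAppId." }
    }

    # 4. The grant references the user's object id, not the UPN.
    $user = Get-MgUser -UserId $UserUpnOrId

    # 5. Update the existing per-user grant or create a new one.
    $grant = Get-UserDelegatedGrant -ClientSpId $clientSp.Id -ResourceSpId $resourceSp.Id -UserId $user.Id
    if ($grant) {
        # Keep what was already granted, add the new scopes, de-duplicate case-insensitively.
        $merged = (($grant.Scope -split " ") + $Permissions) | Where-Object { $_ } | Sort-Object -Unique
        Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope ($merged -join " ")
        Write-Host "Updated grant $($grant.Id): $($merged -join ' ')"
    } else {
        $new = New-MgOauth2PermissionGrant -ClientId $clientSp.Id -ConsentType "Principal" `
            -PrincipalId $user.Id -ResourceId $resourceSp.Id -Scope ($Permissions -join " ")
        Write-Host "Created grant $($new.Id): $($Permissions -join ' ')"
    }
}

# Mirrors step 9 from the command line: $true only if every requested scope is
# present in a per-user grant for this user.
function Test-UserDelegatedPermission {
    param([string]$ClientAppId, [string]$ResourceAppId, [string[]]$Permissions, [string]$UserUpnOrId)
    $clientSp   = Get-MgServicePrincipal -Filter "appId eq '$ClientAppId'"
    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'"
    $user       = Get-MgUser -UserId $UserUpnOrId
    $grant = Get-UserDelegatedGrant -ClientSpId $clientSp.Id -ResourceSpId $resourceSp.Id -UserId $user.Id
    if (-not $grant) { return $false }
    $granted = $grant.Scope -split " "
    foreach ($p in $Permissions) { if ($granted -notcontains $p) { return $false } }
    return $true
}

# Same parameters as step 7 of the post.
$clientAppId   = "14d82eec-204b-4c2f-b7e8-296a70dab67e"   # Microsoft Graph Command Line Tools
$resourceAppId = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph API
$permissions   = @("DeviceManagementConfiguration.ReadWrite.All")
$userUpnOrId   = "Meganb@********.onmicrosoft.com"        # placeholder tenant, as in the post

Grant-UserDelegatedPermission -ClientAppId $clientAppId -ResourceAppId $resourceAppId `
    -Permissions $permissions -UserUpnOrId $userUpnOrId
Test-UserDelegatedPermission -ClientAppId $clientAppId -ResourceAppId $resourceAppId `
    -Permissions $permissions -UserUpnOrId $userUpnOrId
```

Two points worth keeping in mind when running this. The ConsentType "Principal" is what keeps the grant scoped to one user; changing it to "AllPrincipals" (and dropping PrincipalId) would be the tenant-wide admin consent the post is deliberately avoiding. And a delegated permission only widens what the application may do on the user's behalf; what Meganb can actually change in Intune afterwards is still bounded by her own role assignments.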
By granting the permission to one particular user rather than tenant-wide, the grant applies only to that user, so a compromise of the application or of another account does not gain this access for every user in the tenant. In my next blog, I'll show you how to remove permissions from an enterprise application.
If you have any questions or comments about this blog, please let me know in the comments!