I am trying to automate granting admin consent for 'user_impersonation' permission. I was able to add for mggraph items but not for a user impersonation using powershell

enter image description here

using below code I was able to grant permissions for "offline_access openid but not for 'user_impersonation'. it shows no error and permission is also not being granted admin consent

# Grant admin consent for delegated permissions
$uri = "$graphBaseUri/oauth2PermissionGrants"
$body = @{
    clientId    = $principalId
    consentType = "AllPrincipals"
    resourceId  = $resourceId
    principalId = $null
    scope       = "user_impersonation offline_access openid"
} | ConvertTo-Json -Depth 10 -Compress

try {
    Invoke-RestMethod -Method $method -Uri $uri -Headers $headers -Body $body -ErrorAction Stop
} catch {
    Write-Host "Error: $($_.Exception.Message)"
    
    if ($_.Exception.Response -and $_.Exception.Response.GetResponseStream()) {
        $streamReader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())
        $responseBody = $streamReader.ReadToEnd()
        Write-Host "Response Body: $responseBody"
    } else {
        Write-Host "No response body available."
    }
    exit 1
}

I am trying to automate granting admin consent for 'user_impersonation' permission. I was able to add for mggraph items but not for a user impersonation using powershell

enter image description here

using below code I was able to grant permissions for "offline_access openid but not for 'user_impersonation'. it shows no error and permission is also not being granted admin consent

# Grant admin consent for delegated permissions
$uri = "$graphBaseUri/oauth2PermissionGrants"
$body = @{
    clientId    = $principalId
    consentType = "AllPrincipals"
    resourceId  = $resourceId
    principalId = $null
    scope       = "user_impersonation offline_access openid"
} | ConvertTo-Json -Depth 10 -Compress

try {
    Invoke-RestMethod -Method $method -Uri $uri -Headers $headers -Body $body -ErrorAction Stop
} catch {
    Write-Host "Error: $($_.Exception.Message)"
    
    if ($_.Exception.Response -and $_.Exception.Response.GetResponseStream()) {
        $streamReader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())
        $responseBody = $streamReader.ReadToEnd()
        Write-Host "Response Body: $responseBody"
    } else {
        Write-Host "No response body available."
    }
    exit 1
}

• microsoft-graph-api
• microsoft-entra-id

1 Answer 1

1. Pay attention to the Id which be passed in, all should be the service principal object-id

2. Make sure you header token has enough permission.

Below is a sample script, I have just test, it works well.

$graphBaseUri = "https://graph.microsoft/v1.0/"
$principalId  = 'bc5cbd61-xxxx'        ## sp object id
$resourceId   = 'a6311949-xxxx'        ## resource sp object id

$uri = "$graphBaseUri/oauth2PermissionGrants"

#
$method = 'POST'
$headers = @{
    "Content-Type" = "application/json"
    "Authorization" = "Bearer " + $token.access_token
}

$body = @{
    clientId    = $principalId
    consentType = "AllPrincipals"
    resourceId  = $resourceId
    scope       = "user_impersonation offline_access openid"
} | ConvertTo-Json -Depth 10 -Compress


Invoke-RestMethod -Method $method -Uri $uri -Headers $headers -Body $body -ErrorAction Stop

where to find: $principalId

where to find: $resourceId

Test Result: