How to 'Grant Permissions' Using Azure Active Directory PowerShell V2

11
votes

I've scripted the creation of my Azure Active Directory Application using Azure Active Directory PowerShell V2 and am trying to use Delegated Permissions in my Single Page Application (SPA) using implicit flow to call an API with Application Roles defined.

What PowerShell command do I need to use to replicate the 'Grant Permissions' button in the Azure Portal under the Applications Settings:

Grant Permissions Button ScreenShot from the Azure Portal

According to the Docs:

Granting explicit consent using the Grant Permissions button is currently required for single page applications (SPA) using ADAL.js, as the access token is requested without a consent prompt, which will fail if consent is not already granted.

Also, how do you tell if permissions have been granted or not? The button is always clickable? Terrible UX if you ask me.

1
powershellazureazure-active-directoryazure-ad-powershell-v2
Maybe related: docs.microsoft.com/en-us/powershell/azuread/v2/…Hackerman
This question has been answered here: stackoverflow.com/questions/47346121/…Jos

1 Answers

4
votes

This button is effectively doing admin consent. This will consent for all users in the tenant. For your case, you can force consent in the SPA rather than in PowerShell if you want to avoid the Azure Portal.

To do this, your SPA should append on the auth request either &prompt=consent or &prompt=admin_consent. The former should be applied each time a new user signs in for the first time, whereas the latter you could do one time (sign in w/ an admin account) and it would consent for all users.

Checkout understanding Admin and User Consent.