![\"\"](\"https:\/\/www.lieben.nu\/liebensraum\/wp-content\/uploads\/2023\/05\/image.png\")
<\/a><\/figure>\n\n\n\nIn my scenario I have control over both the hosting tenant of this multi-tenant app registration, so I could use the requiredResourceAccess property to read all Oauth2permissiongrants and approleAssignments from the source app registration to re-apply it to the service principal in the consuming tenant.<\/p>\n\n\n\n
The result is similar to consenting through the admin portal but does not require user interaction \/ is fully headless, ideal for when you’re adding scopes\/roles to an application and don’t want to have to do a manual reconsent in all managed tenants.<\/p>\n\n\n\n
Here’s the code to to programmatic admin consent:<\/p>\n\n\n\n
https:\/\/github.com\/jflieben\/assortedFunctionsV2\/blob\/main\/grant-adminConsentForServicePrincipal.ps1<\/a><\/p>\n\n\n\n It requires DelegatedPermissionGrant.ReadWrite.All and AppRoleAssignment.ReadWrite.All graph permissions for the calling principal (user or application).<\/p>\n\n\n\n If you don’t have access to the source tenant (e.g. multi tenant), you can also simply create a hashtable with the required permissions (manual definition or export from the application manifest).<\/p>\n","protected":false},"excerpt":{"rendered":" Most articles and e.g. az module commands allow you to do an admin consent on an application object. However, Service Principals have the same option in the Azure Portal: In my scenario I have control over both the hosting tenant of this multi-tenant app registration, so I could use the requiredResourceAccess property to read all … Continue reading Programmatically grant admin consent to a service principal<\/span>