Reputation: 51
I have an application permission like TeamsAppInstallation.ReadWriteSelfForUser.All.
I also have some delegated permissions.
I want an admin to allow a small set of permissions, including TeamsAppInstallation.ReadWriteSelfForUser.All and a few delegated permissions, during the initial installation phase of an app.
Later on, the admin can incrementally allow all the permissions.
Using the /common/oauth2/v2.0/authorize endpoint with a scope parameter isn't supported for application permissions.
Using /common/adminconsent is not incremental, as it asks the admin to authorise all application and all delegated permissions.
How can incremental consent be achieved for the admin by allowing app permissions + some delegated permissions? Is there a different/better approach for this?
Reference: Why does my request to consent admin permissions ask all permissions?
Upvotes: 0
Views: 165
Reputation: 22222
Alternatively, you can make use of the sample PowerShell script below to add Microsoft Graph permissions of both Application and Delegated type:
# Changing an app registration's required permissions needs Application.ReadWrite.All
Connect-MgGraph -Scopes "Application.ReadWrite.All"
try {
    # Define the Object ID of your application registration
    $appObjId = "your_app_reg_Obj_ID"

    # Microsoft Graph's well-known application (client) ID; identical in every tenant
    $msGraphAppId = "00000003-0000-0000-c000-000000000000"

    # Define the list of required app roles or permissions of "Application" type
    $requiredAppRoles = @(
        "TeamsAppInstallation.ReadWriteSelfForUser.All"
    )

    # Define the list of required "Delegated" permissions
    $requiredOAuthPermissions = @(
        "User.Read",
        "offline_access",
        "openid",
        "profile"
    )

    # Fetch the Microsoft Graph service principal once. Filtering on appId is exact,
    # whereas a displayName filter could match any service principal with that name.
    $msGraphSp = Get-MgServicePrincipal -Filter "appId eq '$msGraphAppId'" -Property AppRoles,Oauth2PermissionScopes

    # Resolve the "Application" permissions to their app role IDs
    $msGraphRoles = $msGraphSp.AppRoles | Where-Object { $requiredAppRoles -contains $_.Value }

    # Resolve the "Delegated" permissions to their scope IDs
    $msGraphOAuthPermissions = $msGraphSp.Oauth2PermissionScopes | Where-Object { $requiredOAuthPermissions -contains $_.Value }

    # Build one resourceAccess list for Microsoft Graph: type "Role" for application
    # permissions, type "Scope" for delegated permissions (foreach over $null runs zero times)
    $resourceAccess = @()
    foreach ($r in $msGraphRoles) {
        $resourceAccess += @{ id = $r.Id; type = "Role" }
    }
    foreach ($s in $msGraphOAuthPermissions) {
        $resourceAccess += @{ id = $s.Id; type = "Scope" }
    }

    # One entry per resource app; both permission types live under the same resourceAppId
    $requiredResourceAccess = @(
        @{
            resourceAppId  = $msGraphAppId
            resourceAccess = $resourceAccess
        }
    )

    # Note: this PATCH replaces the whole requiredResourceAccess collection. If the app
    # already requires permissions on other resources, merge those entries in first.
    $updateParams = @{
        ApplicationId          = $appObjId
        RequiredResourceAccess = $requiredResourceAccess
    }
    Update-MgApplication @updateParams
}
catch {
    Write-Host "An error occurred: $_"
}
Response:
When I checked the same in the Portal, all specified permissions were added successfully, like this:
To grant consent to specific Microsoft Graph permissions of Delegated type, ask your admin to run the sample PowerShell script below:
# Creating a tenant-wide delegated grant needs DelegatedPermissionGrant.ReadWrite.All
Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All"

# Object ID of the Microsoft Graph service principal in this tenant. The original
# answer hard-coded 54858dc8-ace7-47d4-82b2-e74d83062e7b, which is tenant-specific;
# looking it up by Microsoft Graph's well-known appId works in any tenant.
$graphSpId = (Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'").Id

$params = @{
    clientId    = "service_principal_ObjectID"   # the app's own service principal (Enterprise application)
    consentType = "AllPrincipals"                # admin consent on behalf of every user in the tenant
    resourceId  = $graphSpId
    scope       = "User.Read offline_access openid profile"
}
New-MgOauth2PermissionGrant -BodyParameter $params
Response:
To confirm that, I checked the same in the Portal, where admin consent was granted to the specified Delegated permissions successfully, like this:
Similarly, your admin can run the sample PowerShell script below to grant consent to permissions of Application type:
# Creating an app role assignment needs AppRoleAssignment.ReadWrite.All
Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All"

# Microsoft Graph service principal, looked up by its well-known appId (tenant-independent);
# -Property must include Id because it restricts the returned fields
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'" -Property Id,AppRoles
$role = $graphSp.AppRoles | Where-Object { $_.Value -eq 'TeamsAppInstallation.ReadWriteSelfForUser.All' }

# Object ID of the app's own service principal (Enterprise applications blade)
$servicePrincipalId = "service_principal_ObjectID"

$params = @{
    principalId = $servicePrincipalId   # who receives the role: the app's service principal
    resourceId  = $graphSp.Id           # who exposes the role: Microsoft Graph
    appRoleId   = $role.Id
}
# Grant consent to the application permission by creating an appRoleAssignment on the
# client service principal (the documented cmdlet for this; the original answer used
# New-MgServicePrincipalAppRoleAssignedTo, which addresses the resource side instead)
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipalId -BodyParameter $params
Response:
When I checked the same in the Portal, admin consent was granted successfully to the specified Application permission, like this:
You can find the service principal Object ID in the Enterprise applications tab under the same application name, like this:
Upvotes: 0
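The answer above grants one fixed set of permissions in three separate scripts. The question, though, is about incremental consent: grant a small subset at install time and let the admin extend it later. The function below is an added example (not code from the question or the answer) that folds the answer's two grant steps into one idempotent routine: a tenant-wide delegated grant is a single oauth2PermissionGrant per client/resource pair, so extending consent means merging scopes into the existing grant's scope string rather than creating a second one, and application permissions are one appRoleAssignment each, so already-granted roles are skipped. It assumes the Microsoft.Graph PowerShell SDK, an admin session connected with DelegatedPermissionGrant.ReadWrite.All, AppRoleAssignment.ReadWrite.All and Application.Read.All, and a placeholder service principal object ID; the extra scopes in the second call (Team.ReadBasic.All, TeamsAppInstallation.ReadForUser.All) are illustrative choices, not a recommendation for this app.

```powershell
# Added example, not part of the original question or answer.
# Assumes: Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All","AppRoleAssignment.ReadWrite.All","Application.Read.All"
# $ClientSpId is the object ID of the app's own service principal (Enterprise applications blade).
function Grant-IncrementalAdminConsent {
    param(
        [Parameter(Mandatory)][string] $ClientSpId,
        [string[]] $DelegatedScopes = @(),
        [string[]] $AppRoles        = @(),
        [string]   $ResourceAppId   = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph
    )

    # Resource service principal, looked up by well-known appId (works in any tenant)
    $resourceSp = Get-MgServicePrincipal -Filter "appId eq '$ResourceAppId'" -Property Id,AppRoles,Oauth2PermissionScopes

    # --- Delegated permissions: one AllPrincipals oauth2PermissionGrant per (client, resource) ---
    # Graph rejects a second AllPrincipals grant for the same pair, so incremental consent means
    # merging the new scopes into the existing grant's space-separated scope string.
    if ($DelegatedScopes.Count -gt 0) {
        $known   = $resourceSp.Oauth2PermissionScopes.Value
        $unknown = $DelegatedScopes | Where-Object { $known -notcontains $_ }
        if ($unknown) { throw "Unknown delegated scope(s) on resource: $($unknown -join ', ')" }

        $existing = Get-MgOauth2PermissionGrant -Filter "clientId eq '$ClientSpId' and resourceId eq '$($resourceSp.Id)' and consentType eq 'AllPrincipals'"
        if ($existing) {
            # Union of what is already consented and what is being added; no duplicates
            $merged = (@($existing.Scope -split ' ') + $DelegatedScopes) | Where-Object { $_ } | Sort-Object -Unique
            Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $existing.Id -Scope ($merged -join ' ')
        }
        else {
            New-MgOauth2PermissionGrant -BodyParameter @{
                clientId    = $ClientSpId
                consentType = "AllPrincipals"      # tenant-wide, on behalf of every user
                resourceId  = $resourceSp.Id
                scope       = ($DelegatedScopes -join ' ')
            } | Out-Null
        }
    }

    # --- Application permissions: one appRoleAssignment per role; skip ones already granted ---
    if ($AppRoles.Count -gt 0) {
        $granted = (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ClientSpId).AppRoleId
        foreach ($roleName in $AppRoles) {
            $role = $resourceSp.AppRoles | Where-Object { $_.Value -eq $roleName }
            if (-not $role) { throw "Unknown application permission on resource: $roleName" }
            if ($granted -contains $role.Id) { continue }   # already consented, nothing to do
            New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ClientSpId -BodyParameter @{
                principalId = $ClientSpId      # the app's service principal receives the role
                resourceId  = $resourceSp.Id   # Microsoft Graph exposes it
                appRoleId   = $role.Id
            } | Out-Null
        }
    }
}

# Initial install: only what the app needs on day one
Grant-IncrementalAdminConsent -ClientSpId "your_service_principal_ObjectID" `
    -DelegatedScopes "openid","profile","offline_access","User.Read" `
    -AppRoles "TeamsAppInstallation.ReadWriteSelfForUser.All"

# Later: the admin extends consent. The existing delegated grant is updated in place and
# the existing app role assignment is left untouched, so re-running is safe.
Grant-IncrementalAdminConsent -ClientSpId "your_service_principal_ObjectID" `
    -DelegatedScopes "Team.ReadBasic.All" `
    -AppRoles "TeamsAppInstallation.ReadForUser.All"
```

Two points worth keeping in mind when running this. The grants are tenant-wide (consentType AllPrincipals, and application permissions act without any signed-in user), which is exactly why granting the minimal subset first is the least-privilege option; the app registration's requiredResourceAccess is only the advertised list, and what the app can actually do is decided by the grant objects this function creates. And because the permissions it needs to run (AppRoleAssignment.ReadWrite.All in particular) allow granting any app role to any service principal, it should be run from a privileged admin session, not embedded in the app itself.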