Get-EntraBetaOAuth2PermissionGrant

Gets OAuth2PermissionGrant entities.

Syntax

Get-EntraBetaOAuth2PermissionGrant
   [-Top <Int32>]
   [-All]
   [-Property <String[]>]
   [<CommonParameters>]

Description

The Get-EntraBetaOAuth2PermissionGrant cmdlet gets OAuth2PermissionGrant entities in Microsoft Entra ID. Each entity records the delegated permissions (Scope) that a client service principal (ClientId) has been granted against a resource service principal (ResourceId), either tenant-wide on behalf of all users (ConsentType AllPrincipals, with an empty PrincipalId) or for a single user (ConsentType Principal, with PrincipalId set to that user's object ID). Reviewing these grants is how you find which applications can act on users' behalf and with which permissions.

In delegated scenarios with work or school accounts, the signed-in user must be assigned a supported Microsoft Entra role or a custom role with the necessary permissions. The following least privileged roles are supported for this operation:

  • Application Administrator
  • Application Developer
  • Cloud Application Administrator
  • Directory Writers
  • Privileged Role Administrator
  • User Administrator
  • Directory Readers
  • Global Reader

Examples

Example 1: Get the OAuth2 permission grants

Connect-Entra -Scopes 'Directory.Read.All'
Get-EntraBetaOAuth2PermissionGrant

Id                              ClientId                             ConsentType   ExpiryTime          PrincipalId                          ResourceId                            Scope
--                              --------                             -----------   ----------          -----------                          ----------                            -----
A1bC2dE3fH4iJ5kL6mN7oP8qR9sT0u  00001111-aaaa-2222-bbbb-3333cccc4444 AllPrincipals 1/3/2024 1:28:59 PM                                      a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  User.ReadBasic.All
C2dE3fH4iJ5kL6mN7oP8qR9sT0uV1w  00001111-aaaa-2222-bbbb-3333cccc4444 AllPrincipals 1/3/2024 1:28:59 PM                                      b1b1b1b1-cccc-dddd-eeee-f2f2f2f2f2f2  User.Read
E3fH4iJ5kL6mN7oP8qR9sT0uV1wX2y  22223333-cccc-4444-dddd-5555eeee6666 Principal     1/3/2024 1:28:59 PM aaaaaaaa-bbbb-cccc-1111-222222222222 c2c2c2c2-dddd-eeee-ffff-a3a3a3a3a3a3  User.Read
H4iJ5kL6mN7oP8qR9sT0uV1wX2yZ3a  22223333-cccc-4444-dddd-5555eeee6666 Principal     1/3/2024 1:28:59 PM aaaaaaaa-bbbb-cccc-1111-222222222222 d3d3d3d3-eeee-ffff-aaaa-b4b4b4b4b4b4  ActivityFeed.Read ServiceHealth.Read

This command gets the first page of OAuth2 permission grants. Use -All to page through every grant in the tenant.

Example 2: Get all the OAuth2 permission grants

Connect-Entra -Scopes 'Directory.Read.All'
Get-EntraBetaOAuth2PermissionGrant -All

Id                              ClientId                             ConsentType   ExpiryTime          PrincipalId                          ResourceId                            Scope
--                              --------                             -----------   ----------          -----------                          ----------                            -----
A1bC2dE3fH4iJ5kL6mN7oP8qR9sT0u  00001111-aaaa-2222-bbbb-3333cccc4444 AllPrincipals 1/3/2024 1:28:59 PM                                      a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  User.ReadBasic.All
C2dE3fH4iJ5kL6mN7oP8qR9sT0uV1w  00001111-aaaa-2222-bbbb-3333cccc4444 AllPrincipals 1/3/2024 1:28:59 PM                                      b1b1b1b1-cccc-dddd-eeee-f2f2f2f2f2f2  User.Read
E3fH4iJ5kL6mN7oP8qR9sT0uV1wX2y  22223333-cccc-4444-dddd-5555eeee6666 Principal     1/3/2024 1:28:59 PM aaaaaaaa-bbbb-cccc-1111-222222222222 c2c2c2c2-dddd-eeee-ffff-a3a3a3a3a3a3  User.Read
H4iJ5kL6mN7oP8qR9sT0uV1wX2yZ3a  22223333-cccc-4444-dddd-5555eeee6666 Principal     1/3/2024 1:28:59 PM aaaaaaaa-bbbb-cccc-1111-222222222222 d3d3d3d3-eeee-ffff-aaaa-b4b4b4b4b4b4  ActivityFeed.Read ServiceHealth.Read

This command gets all the OAuth2 permission grants.

Example 3: Get OAuth2 permission grants for a user in a service principal

Connect-Entra -Scopes 'Directory.Read.All'
$user = Get-EntraBetaUser -UserId '[email protected]'
$servicePrincipal = Get-EntraBetaServicePrincipal -Filter "DisplayName eq 'Helpdesk Application'"
Get-EntraBetaOAuth2PermissionGrant | Where-Object {$_.ClientId -eq $servicePrincipal.Id -and $_.PrincipalId -eq $user.Id} | Format-List

ObjectId             : E3fH4iJ5kL6mN7oP8qR9sT0uV1wX2
ClientId             : 22223333-cccc-4444-dddd-5555eeee6666
ConsentType          : Principal
Id                   : E3fH4iJ5kL6mN7oP8qR9sT0uV1wX2
PrincipalId          : aaaaaaaa-bbbb-cccc-1111-222222222222
ResourceId           : c2c2c2c2-dddd-eeee-ffff-a3a3a3a3a3a3
Scope                :  User.Read.All openid profile offline_access Organization.Read.All User.ReadWrite.All Device.Read.All Device.ReadWrite.All Directory.Read.All User.Read RoleManagement.ReadWrite.Directory Group.ReadWrite.All
AdditionalProperties : {}

This example gets the OAuth2 permission grants for a user in a service principal. The cmdlet has no -Filter parameter, so the filtering happens client side in Where-Object; because the cmdlet returns only the first page of results unless -All is specified, add -All to the call when you need to be sure that no grant for the user is missed. Note that Scope is a single space-delimited string, and that the grant shown here carries broad permissions such as RoleManagement.ReadWrite.Directory and Group.ReadWrite.All, which is the kind of grant a review should surface.
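The grant in Example 3 gives a single user's session to a client that can change directory roles and groups; finding every such grant across a tenant is the usual reason to run this cmdlet. The following script is an added example and is not code from the original page or from the Microsoft Entra PowerShell module itself. It assumes the Microsoft.Entra.Beta module is loaded and that Connect-Entra succeeds with at least Directory.Read.All. The $highRiskScopes list and the Resolve-SpName helper are introduced here for illustration; the scope list is a hypothetical selection, not a Microsoft-published one, and should be adjusted to your own risk model.

```powershell
# Added example (not from the original page or the Entra module): audit delegated
# OAuth2 permission grants for tenant-wide consent and high-privilege scopes.
# Assumes Microsoft.Entra.Beta is loaded and Connect-Entra has Directory.Read.All.

Connect-Entra -Scopes 'Directory.Read.All'

# Hypothetical selection of scopes that let a client act well beyond a single
# user's own data. Extend this list to match your own risk model.
$highRiskScopes = @(
    'Directory.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory',
    'Group.ReadWrite.All',
    'User.ReadWrite.All',
    'Application.ReadWrite.All',
    'Mail.Read',
    'Mail.ReadWrite',
    'Files.ReadWrite.All',
    'Sites.ReadWrite.All'
)

# -All pages through every grant; without it only the first page is returned.
$grants = Get-EntraBetaOAuth2PermissionGrant -All

# Resolve service principal object IDs to display names once, not once per grant.
$spCache = @{}
function Resolve-SpName {
    param([string]$Id)
    if (-not $spCache.ContainsKey($Id)) {
        $sp = Get-EntraBetaServicePrincipal -ServicePrincipalId $Id -ErrorAction SilentlyContinue
        $spCache[$Id] = if ($sp) { $sp.DisplayName } else { "<unknown $Id>" }
    }
    return $spCache[$Id]
}

$findings = foreach ($grant in $grants) {
    # Scope is one space-delimited string (it may even start with a space),
    # so split it and drop empty tokens before comparing.
    $scopes     = $grant.Scope -split '\s+' | Where-Object { $_ }
    $risky      = @($scopes | Where-Object { $highRiskScopes -contains $_ })
    $tenantWide = $grant.ConsentType -eq 'AllPrincipals'

    # Flag every tenant-wide grant (consent given on behalf of all users) and
    # every grant, tenant-wide or per-user, that carries a high-risk scope.
    if ($tenantWide -or $risky.Count -gt 0) {
        [pscustomobject]@{
            GrantId     = $grant.Id
            Client      = Resolve-SpName $grant.ClientId
            Resource    = Resolve-SpName $grant.ResourceId
            ConsentType = $grant.ConsentType
            PrincipalId = $grant.PrincipalId   # empty for AllPrincipals grants
            RiskyScopes = ($risky -join ' ')
            AllScopes   = $grant.Scope
        }
    }
}

$findings | Sort-Object ConsentType, Client | Format-Table -AutoSize

# Per-user grants with a risky scope deserve a closer look: that user (or an
# admin on their behalf) consented to a client that can act with the user's
# privileges on the directory, groups or mailbox.
$findings |
    Where-Object { $_.ConsentType -eq 'Principal' -and $_.RiskyScopes } |
    ForEach-Object {
        $user = Get-EntraBetaUser -UserId $_.PrincipalId -ErrorAction SilentlyContinue
        $who  = if ($user) { $user.UserPrincipalName } else { $_.PrincipalId }
        '{0}: {1} -> {2} [{3}]' -f $who, $_.Client, $_.Resource, $_.RiskyScopes
    }
```

The script resolves ClientId and ResourceId through Get-EntraBetaServicePrincipal because the grant objects carry only object IDs; caching the lookups keeps the run to one Graph call per distinct service principal rather than one per grant. AllPrincipals grants are reported regardless of scope because they apply to every user in the tenant, while Principal grants are reported only when a high-risk scope is present.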

Example 4: Get the top 2 OAuth2 permission grant records

Connect-Entra -Scopes 'Directory.Read.All'
Get-EntraBetaOAuth2PermissionGrant -Top 2

Id                             ClientId                             ConsentType   ExpiryTime           PrincipalId  ResourceId                            Scope
--                             --------                             -----------   ----------           ------------ ----------                            -----
A1bC2dE3fH4iJ5kL6mN7oP8qR9sT0u 00001111-aaaa-2222-bbbb-3333cccc4444 AllPrincipals 1/3/2024 1:28:59 PM               a0a0a0a0-bbbb-cccc-dddd-e1e1e1e1e1e1  User.ReadBasic.All
C2dE3fH4iJ5kL6mN7oP8qR9sT0uV1w 00001111-aaaa-2222-bbbb-3333cccc4444 AllPrincipals 1/3/2024 1:28:59 PM               b1b1b1b1-cccc-dddd-eeee-f2f2f2f2f2f2  User.Read

This command gets the top 2 OAuth2 permission grant records. You can use -Limit as an alias for -Top.

Parameters

-All

List all pages.

Type: System.Management.Automation.SwitchParameter
Position: Named
Default value: False
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-Property

Specifies the properties to be returned.

Type: System.String[]
Aliases: Select
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-Top

Specifies the maximum number of records to return.

Type: System.Int32
Aliases: Limit
Position: Named
Default value: None
Required: False
Accept pipeline input: True
Accept wildcard characters: False