Add-EntraServicePrincipalDelegatedPermissionClassification

Add a classification for a delegated permission.

Syntax

ByServicePrincipalAndPermissionInfo

Add-EntraServicePrincipalDelegatedPermissionClassification
    -ServicePrincipalId <String>
    -PermissionId <String>
    -Classification <ClassificationEnum>
    -PermissionName <String>
    [<CommonParameters>]

Description

The Add-EntraServicePrincipalDelegatedPermissionClassification cmdlet creates a delegated permission classification for the given permission on a service principal.

Examples

Example 1: Create Delegated Permission Classification

Connect-Entra -Scopes 'Policy.ReadWrite.PermissionGrant'
$ServicePrincipal = Get-EntraServicePrincipal -Filter "DisplayName eq '<service-principal-display-name>'"
$PermissionId = $ServicePrincipal.PublishedPermissionScopes[0].Id
$PermissionName = $ServicePrincipal.PublishedPermissionScopes[0].Value

$params = @{
    ServicePrincipalId = $ServicePrincipal.ObjectId
    PermissionId = $PermissionId
    Classification = 'Low'
    PermissionName = $PermissionName
}

Add-EntraServicePrincipalDelegatedPermissionClassification @params

Id                      Classification PermissionId                         PermissionName
--                      -------------- ------------                         --------------
T2qU_E28O0GgkLLIYRPsTwE low            fc946a4f-bc4d-413b-a090-b2c86113ec4f LicenseManager.AccessAsUser

This command creates a delegated permission classification for the given permission on the service principal. You can use the Get-EntraServicePrincipal command to get the service principal ID.

  • -ServicePrincipalId parameter specifies the unique identifier of a service principal.
  • -PermissionId parameter specifies the ID for a delegated permission.
  • -Classification parameter specifies the classification for a delegated permission.
  • -PermissionName parameter specifies the name for a delegated permission.
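
Example 1 takes whichever scope happens to be first in PublishedPermissionScopes. The following variant is an added example, not part of the original reference: it resolves the service principal and the permission by name, stops on ambiguous matches, and skips a permission that already has a classification. `$AppName`, `$ScopeValue` and the `<...>` values are placeholders; Get-EntraServicePrincipalDelegatedPermissionClassification is the companion cmdlet from the same module and is not described on this page.

```powershell
# Added example (not from the original page). Values in <...> are placeholders.
Connect-Entra -Scopes 'Policy.ReadWrite.PermissionGrant'

$AppName        = '<service-principal-display-name>'
$ScopeValue     = '<delegated-permission-name>'   # the scope's Value, e.g. as shown in PermissionName
$Classification = 'Low'

# Display names are not unique in a tenant; refuse to guess between several matches.
$candidates = @(Get-EntraServicePrincipal -Filter "DisplayName eq '$AppName'")
if ($candidates.Count -ne 1) {
    throw "Expected exactly one service principal named '$AppName', found $($candidates.Count)."
}
$sp = $candidates[0]

# Resolve the scope by name instead of taking PublishedPermissionScopes[0],
# so a reordered scope list cannot change which permission gets classified.
$scopes = @($sp.PublishedPermissionScopes | Where-Object { $_.Value -eq $ScopeValue })
if ($scopes.Count -ne 1) {
    throw "Expected exactly one delegated permission '$ScopeValue' on '$AppName', found $($scopes.Count)."
}
$scope = $scopes[0]

# Look for an existing classification of this permission before adding one.
$existing = @(Get-EntraServicePrincipalDelegatedPermissionClassification -ServicePrincipalId $sp.ObjectId |
    Where-Object { $_.PermissionId -eq $scope.Id })

if ($existing.Count -gt 0) {
    Write-Warning "'$ScopeValue' is already classified as '$($existing[0].Classification)'; nothing added."
}
else {
    $params = @{
        ServicePrincipalId = $sp.ObjectId
        PermissionId       = $scope.Id
        Classification     = $Classification
        PermissionName     = $scope.Value
    }
    Add-EntraServicePrincipalDelegatedPermissionClassification @params
}
```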

Parameters

-Classification

The classification for a delegated permission. This parameter can take one of the following values:

  • Low: Specifies a classification for a permission as low impact.

  • Medium: Specifies a classification for a permission as medium impact.

  • High: Specifies a classification for a permission as high impact.

Parameter properties

Type: ClassificationEnum
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

(All)
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-PermissionId

The ID for a delegated permission.

Parameter properties

Type: System.String
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

(All)
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-PermissionName

The name for a delegated permission.

Parameter properties

Type: System.String
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

(All)
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-ServicePrincipalId

The unique identifier of a service principal object in Microsoft Entra ID.

Parameter properties

Type: System.String
Default value: None
Supports wildcards: False
DontShow: False
Aliases: ObjectId

Parameter sets

(All)
Position: Named
Mandatory: True
Value from pipeline: True
Value from pipeline by property name: True
Value from remaining arguments: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Outputs

Microsoft.Online.Administration.DelegatedPermissionClassification