
PnP PowerShell
https://pnp.github.io/powershell
MIT License

[FEATURE] Register-PnPAzureADApp Permissions scope expansion #4178

Open pkbullock opened 3 weeks ago

pkbullock commented 3 weeks ago

Hi Team,

I'm looking at writing a sample for creating the equivalent app for PnP Management Shell, and noticed that the existing cmdlet doesn't cover all the permission scopes of the existing app, for example:

I might temporarily look to cover this with the Azure CLI/SDK, or if I can specify the permissions manually via additional cmdlets if possible.

Just thought I'd let you know.

ToddKlindt commented 3 weeks ago

I've got this published so far, https://www.toddklindt.com/blog/Lists/Posts/Post.aspx?ID=904 I'm not sure if you've already covered all of that yet or not. I'm working on the scopes and the UI bit next.

pkbullock commented 3 weeks ago

@ToddKlindt you are ahead of me, I'll read to ensure that I'm not duplicating effort. I was going to write a script sample and started a command with all the scopes that are used under delegated. With perhaps some variations for Azure SDK, graph etc so folks can prep in a few ways.

Also I found in the PnP PowerShell repo some json files with all the scopes and descriptions that I was thinking of explaining what each is, as a reference might be useful.

Happy to slow down and let you run with this since you have a lot of info already maybe or I can pinch/credit for a script sample from your post. lol. What would you like to do?

I think def working together on this given the short time frame to get helpful resources available would be good.

ToddKlindt commented 3 weeks ago

I'm in the same boat as you. I have the list of Scopes needed, but Register-PnPAzureADApp won't let me register them all, so I'm having to do a handful by hand.

You're welcome to take whatever you want from my blog post and make a sample out of it. If there's a way to give me credit, please do. Gotta keep that next MVP renewal in mind. :) If there's not, it's no big deal. Like you said, we have a short time frame to get this out there, so the more places the better.

ToddKlindt commented 3 weeks ago

To the team, here is a list of the Scopes that I can't add with Register-PnPAzureADApp that are added by the existing Enterprise App: "AllSites.FullControl", "AppCatalog.ReadWrite.All", "Directory.AccessAsUser.All", "Tasks.ReadWrite", "ChannelMessage.Send", "TeamsAppInstallation.ReadWriteForUser", "ServiceHealth.Read", "ActivityFeed.Read", "Directory.AccessAsUser.All", "user_impersonation"

Pretty please with sugar on top add them to the validation sets. :) Or, just spitballing here, add a switch that does all the old Enterprise App scopes in one fell swoop.

Thanks

jackpoz commented 3 weeks ago

Isn't the whole point of the deprecation of the default Enterprise App that each permission will be added only as needed?

I know it's all just delegated permissions, but still, if you recreate an exact copy of the current Enterprise App, then it's sort of missing the point.

I can imagine even having multiple app registrations with different granted permissions, different settings and different targeted users ("Assignment required" set to True limits who can use the app).

This is sort of the same process someone setting up an app registration with certificate or managed identity would have to go through: check which commands you will use, check which scopes are needed, pick the lowest possible ones.
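One way to script the check described in that comment (which cmdlets you will use, which scopes they need, pick the lowest ones), as an added example that is not code from this thread or from the PnP PowerShell project. The cmdlet-to-scope mapping is a constructed placeholder, the SharePoint-versus-Graph classification is an assumption, and the -GraphDelegatePermissions / -SharePointDelegatePermissions parameter names are assumed rather than taken from this page:

```powershell
# Added example (not from the thread or the PnP project).
# Baseline: the old Enterprise App's delegated scopes as listed in the thread.
$OldAppScopes = @(
    'AllSites.FullControl', 'AppCatalog.ReadWrite.All', 'Directory.AccessAsUser.All',
    'Tasks.ReadWrite', 'ChannelMessage.Send', 'TeamsAppInstallation.ReadWriteForUser',
    'ServiceHealth.Read', 'ActivityFeed.Read', 'user_impersonation'
)

# CONSTRUCTED mapping of cmdlets to the delegated scopes they need (hypothetical
# values): replace with the per-cmdlet minimum-permission data once it exists.
$CmdletScopes = @{
    'Get-PnPList'      = @('AllSites.Read')       # hypothetical
    'Set-PnPListItem'  = @('AllSites.Write')      # hypothetical
    'Get-PnPTeamsTeam' = @('Team.ReadBasic.All')  # hypothetical
}

# Scopes that belong to the SharePoint resource rather than Microsoft Graph.
# Assumption for this example; confirm against the app registration blade.
$SharePointScopes = @('AllSites.Read', 'AllSites.Write', 'AllSites.FullControl')

function Get-MinimalDelegatedScopes {
    param([string[]]$PlannedCmdlets, [hashtable]$Map)
    $needed = foreach ($c in $PlannedCmdlets) {
        # Fail closed: a cmdlet with no scope data must not silently get nothing (or everything).
        if (-not $Map.ContainsKey($c)) { throw "No scope data for $c; add it before registering." }
        $Map[$c]
    }
    $needed | Sort-Object -Unique
}

$planned = 'Get-PnPList', 'Set-PnPListItem'
$scopes  = Get-MinimalDelegatedScopes -PlannedCmdlets $planned -Map $CmdletScopes

$spo     = $scopes | Where-Object { $_ -in $SharePointScopes }
$graph   = $scopes | Where-Object { $_ -notin $SharePointScopes }
$dropped = $OldAppScopes | Where-Object { $_ -notin $scopes }

"Requesting SharePoint scopes: $($spo -join ', ')"
"Requesting Graph scopes:      $($graph -join ', ')"
"Old-app scopes NOT carried over: $($dropped -join ', ')"

# Register with only the computed set. Parameter names are assumed; scopes that
# the cmdlet's validation set rejects (see the thread) still need adding by hand.
$params = @{
    ApplicationName = 'Contoso-PnP-LeastPrivilege'  # placeholder
    Tenant          = 'contoso.onmicrosoft.com'     # placeholder
    Interactive     = $true
}
if ($spo)   { $params.SharePointDelegatePermissions = @($spo) }
if ($graph) { $params.GraphDelegatePermissions      = @($graph) }
Register-PnPAzureADApp @params
```

The "NOT carried over" line is the review artefact worth keeping with the registration: it records which of the old app's scopes were deliberately left out.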

pkbullock commented 3 weeks ago

Hi @jackpoz, of course, really good to call this out, from a security point of view following the principle of least privilege, your own registration would give you control and decision over the permissions you require or are permitted to use by your organization policies.

In Entra, there are more permissions you could add, beyond what is needed by the cmdlets, one approach is to suggest a script to add them all (based on the original app), describe what they are and remove as needed e.g. if you don't need Teams Chat, just SharePoint. From a decisioning point of view it's easier.

Multiple approaches here to help with the transition for a variety of audiences e.g. Dev/Prod, Skills, Knowledge, Security. So blogs, articles, examples are needed to be as supportive as possible, of course better practices on how these should be used is another great topic.

I believe there is an exercise on the cmdlets happening to map what minimum permissions are needed for each cmdlet which may take time.