Create app consent custom role for Microsoft Graph

How to securely delegate admin consent for Microsoft Graph API permissions

App consent in Microsoft Entra is a crucial part of maintaining security and privacy within your Microsoft 365 environment. It allows applications to access specific resources, like user data or groups, ensuring that they only have access to the data they need.

Typically, the roles of Cloud Application Administrator or Application Administrator are responsible for managing these app consent requests, as they have the necessary permissions to approve or deny access to these resources.

However, for first-party applications like Microsoft Graph API and Azure AD Graph API, higher privileges (Global Administrator or Privileged Role Administrator) are required due to their extensive access capabilities.

This presents a challenge when it comes to the principle of least privilege, a security principle dictating that a user should be given the minimum levels of access necessary to complete their job functions. While we want to give consent for specific app roles, we don’t want to provide extensive access and control across all Microsoft 365 services.

One solution to this challenge is the use of custom roles with consent policies. A custom role allows you to define a set of permissions tailored to the specific needs of your operations teams and support organization.

However, implementing a custom role comes with its own set of challenges, including dealing with Permission Grant Policies and keeping up-to-date with the latest changes in Microsoft Entra’s permission model.

Despite these challenges, a custom role can provide a way to balance the need for security with the need for usability. It allows you to give your teams the access they need while still adhering to the principle of least privilege.

This PowerShell script creates a custom role in Microsoft Entra that grants the ability to consent for delegated permissions and application permissions, including most application permissions for Microsoft Graph, except for a few sensitive permissions.

Azure AD Graph permissions are explicitly excluded.

Naturally, the source code can be found as a Gist snippet on GitHub:

The behavior mirrors what the Cloud Application Administrator or Application Administrator roles allow, but adds Microsoft Graph together with a blocklist of the permissions we don't want delegated.

You may change the list of excluded app roles based on your requirements. The list essentially covers app roles whose write access could cause damage or an uncontrolled leak of information.

For a list of possible app roles, read the Microsoft Graph permissions reference, or have a look at all app roles that Microsoft Graph uses and filter them by name:

# Sign in with a scope that allows reading service principals
Connect-MgGraph -Scopes 'Application.Read.All'

# Read service principal details of Microsoft Graph (well-known AppId)
$MSGraphSP = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# Search for app roles with the key word 'Write' in it
$MSGraphSP.AppRoles | Where-Object { $_.Value -like '*Write*' } | Format-Table Value, Description
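The two building blocks the script described above relies on, shown as an added example that is not the author's Gist: a permission grant policy that includes all Microsoft Graph delegated and application permissions and then excludes a blocklist, and a custom role bound to that policy through managePermissionGrantsForAll.<policyId>. The policy id, role name and the four excluded app roles are my own choices and only a starting point; condition sets take app role IDs, so the names are resolved against the service principal first.

```powershell
# Added example, not the post's own script. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'Application.Read.All','Policy.ReadWrite.PermissionGrant','RoleManagement.ReadWrite.Directory'

$MSGraphAppId = '00000003-0000-0000-c000-000000000000'
$MSGraphSP    = Get-MgServicePrincipal -Filter "AppId eq '$MSGraphAppId'"

# Sample blocklist of app roles that must never be consentable through this role (constructed starting list)
$ExcludedAppRoleNames = @(
    'Directory.ReadWrite.All', 'RoleManagement.ReadWrite.Directory',
    'AppRoleAssignment.ReadWrite.All', 'Application.ReadWrite.All'
)
# Condition sets match on app role IDs, not names, so resolve them from the service principal
$ExcludedAppRoleIds = @($MSGraphSP.AppRoles |
    Where-Object { $_.Value -in $ExcludedAppRoleNames } |
    Select-Object -ExpandProperty Id)
if ($ExcludedAppRoleIds.Count -ne $ExcludedAppRoleNames.Count) {
    throw 'Not every excluded app role name resolved; check the spelling against the permissions reference.'
}

# 1. Permission grant policy (hypothetical id): include every Microsoft Graph permission...
$PolicyId = 'custom-msgraph-consent'
$Policy = New-MgPolicyPermissionGrantPolicy -Id $PolicyId `
    -DisplayName 'Consent to Microsoft Graph permissions (restricted)' `
    -Description 'Admin consent for Microsoft Graph delegated and application permissions, minus a blocklist.'
foreach ($type in 'delegated', 'application') {
    New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $Policy.Id `
        -PermissionType $type -PermissionClassification 'all' `
        -ResourceApplication $MSGraphAppId -Permissions @('all')
}
# ...then carve out the blocklist. Azure AD Graph is never covered because only Microsoft Graph is included.
New-MgPolicyPermissionGrantPolicyExclude -PermissionGrantPolicyId $Policy.Id `
    -PermissionType 'application' -ResourceApplication $MSGraphAppId `
    -Permissions $ExcludedAppRoleIds

# 2. Custom directory role that can grant consent only within the bounds of that policy
$RolePermissions = @(@{
    AllowedResourceActions = @(
        "microsoft.directory/servicePrincipals/managePermissionGrantsForAll.$PolicyId"
    )
})
New-MgRoleManagementDirectoryRoleDefinition -DisplayName 'Microsoft Graph Consent Administrator' `
    -Description 'Grants admin consent to Microsoft Graph permissions allowed by the restricted policy.' `
    -IsEnabled:$true -RolePermissions $RolePermissions
```

Assign the resulting role to your operations or support group instead of Global Administrator; consent requests for any excluded app role will still require a higher-privileged admin.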