Programmatically getting Microsoft Graph permissions
I have been doing some Go programming lately and have had to deal with outputting Microsoft Graph permissions in a human-readable format. This is a bit cumbersome, as the Graph API for Applications only returns IDs for the permissions, and not the human-readable names.
While Microsoft has pretty good documentation regarding these permissions: https://learn.microsoft.com/en-us/graph/permissions-reference, I have not found anywhere that gives information about where to get this via an API call.
If you are using PowerShell, you can use the "Find-MgGraphPermission" cmdlet to do it for you. To get all Application permissions you could use Find-MgGraphPermission -PermissionType Application -All -Online.
As this is possible, there is obviously some way to pull this via an API. Firing up Fiddler shows that it is making a request to the Graph API asking for the Graph Service Principal.
GET /v1.0/servicePrincipals?$filter=appId%20eq%20'00000003-0000-0000-c000-000000000000'
Docs: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list?view=graph-rest-1.0&tabs=http
Currently they both return 336 Application Permissions and 402 Delegated Permissions.
In the returned object, the appRoles array holds the Application permissions, while oauth2PermissionScopes holds the Delegated permissions.
While this does work, using the /servicePrincipals endpoint requires a minimum of Application.Read.All permissions.
This is annoyingly overprivileged for querying what is essentially public information.
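As an added example (not code from the original post), here is one way to turn that response into an ID-to-name lookup in Go, using the appRoles and oauth2PermissionScopes arrays described above. The function name BuildLookup is hypothetical, and the sample JSON is constructed with placeholder IDs rather than real Graph permission IDs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample in the shape of the response; placeholder IDs, not real ones.
const sampleResponse = `{"value":[{
 "appRoles":[{"id":"11111111-1111-1111-1111-111111111111","value":"User.Read.All"}],
 "oauth2PermissionScopes":[{"id":"22222222-2222-2222-2222-222222222222","value":"User.Read"}]}]}`

type permission struct {
	ID    string `json:"id"`
	Value string `json:"value"`
}

// BuildLookup maps lower-cased permission IDs to "name (type)".
func BuildLookup(body []byte) (map[string]string, error) {
	var resp struct {
		Value []struct {
			AppRoles []permission `json:"appRoles"`
			Scopes   []permission `json:"oauth2PermissionScopes"`
		} `json:"value"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, err
	}
	if len(resp.Value) != 1 { // the appId filter should match exactly one object
		return nil, fmt.Errorf("expected 1 service principal, got %d", len(resp.Value))
	}
	out := map[string]string{}
	for _, r := range resp.Value[0].AppRoles {
		out[strings.ToLower(r.ID)] = r.Value + " (Application)"
	}
	for _, s := range resp.Value[0].Scopes {
		out[strings.ToLower(s.ID)] = s.Value + " (Delegated)"
	}
	return out, nil
}

func main() {
	lookup, err := BuildLookup([]byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	fmt.Println(lookup["11111111-1111-1111-1111-111111111111"])
}
```

Keeping the permission type in the label matters when reviewing an app's grants, since an Application permission acts without a signed-in user while a Delegated one is bounded by the user's own access.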