Enterprise Applications: Assigning an App Role
Adding Microsoft Graph App Role Assignments to a Service Principal.
PowerShell
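Connect-MgGraph -Scopes @('AppRoleAssignment.ReadWrite.All', 'Application.Read.All')

# Object ID of the service principal (enterprise application) that receives the roles
$principalId = ''

# Well-known appId of Microsoft Graph
$microsoftGraphAppId = '00000003-0000-0000-c000-000000000000'
$appRolesRequired = @(
    'User.Read.All',
    'AuditLog.Read.All'
)

# Resolve the Microsoft Graph service principal in this tenant and pick the requested roles
$microsoftGraph = Get-MgServicePrincipal -Filter "appId eq '$microsoftGraphAppId'"
$appRoles = $microsoftGraph.AppRoles | Where-Object { $_.Value -in $appRolesRequired }

$appRoles | ForEach-Object {
    $params = @{
        "principalId" = $principalId
        "resourceId"  = $microsoftGraph.Id
        "appRoleId"   = $PSItem.Id
    }
    # appRoleAssignedTo is addressed on the resource service principal (Microsoft Graph)
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $microsoftGraph.Id -BodyParameter $params
}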
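The script above drops any requested role name that matches no app role without saying so, and it does not check what the principal already holds. The following added example (not part of the original page) plans the assignment first; the function name Get-AppRoleAssignmentPlan is hypothetical and the sample objects and GUIDs are constructed, so it runs without a tenant connection.

```powershell
# Added example: pure planning logic, no Graph calls are made here.
function Get-AppRoleAssignmentPlan {
    param(
        [Parameter(Mandatory)] [string[]] $RequestedValues,   # e.g. 'User.Read.All'
        [Parameter(Mandatory)] [object[]] $ResourceAppRoles,  # $microsoftGraph.AppRoles
        [Parameter(Mandatory)] [string]   $ResourceId,        # $microsoftGraph.Id
        [object[]] $ExistingAssignments = @()                 # current assignments of the principal
    )
    # Only roles that can be granted to applications are candidates.
    $assignable = @($ResourceAppRoles | Where-Object { $_.AllowedMemberTypes -contains 'Application' })

    # Names that resolve to no role would otherwise vanish in the -in filter.
    $unknown = @($RequestedValues | Where-Object { $_ -notin $assignable.Value })

    # Role IDs the principal already holds on this resource.
    $heldIds = @($ExistingAssignments |
        Where-Object { $_.ResourceId -eq $ResourceId } |
        ForEach-Object { [string]$_.AppRoleId })

    $matched = @($assignable | Where-Object { $_.Value -in $RequestedValues })
    [pscustomobject]@{
        Unknown         = $unknown
        AlreadyAssigned = @($matched | Where-Object { [string]$_.Id -in $heldIds } | ForEach-Object Value)
        ToAssign        = @($matched | Where-Object { [string]$_.Id -notin $heldIds })
    }
}

# Constructed sample data (GUIDs are made up, not real Microsoft Graph role IDs).
$graphId = '11111111-1111-1111-1111-111111111111'
$roles = @(
    [pscustomobject]@{ Id = 'aaaaaaaa-0000-0000-0000-000000000001'; Value = 'User.Read.All';     AllowedMemberTypes = @('Application') }
    [pscustomobject]@{ Id = 'aaaaaaaa-0000-0000-0000-000000000002'; Value = 'AuditLog.Read.All'; AllowedMemberTypes = @('Application') }
)
$existing = @(
    [pscustomobject]@{ ResourceId = $graphId; AppRoleId = 'aaaaaaaa-0000-0000-0000-000000000001' }
)

# 'AuditLogs.Read.All' is a deliberate misspelling to show the unknown-name check.
$requested = 'User.Read.All', 'AuditLog.Read.All', 'AuditLogs.Read.All'
$plan = Get-AppRoleAssignmentPlan -RequestedValues $requested -ResourceAppRoles $roles `
    -ResourceId $graphId -ExistingAssignments $existing

if ($plan.Unknown) { Write-Warning "No matching app role: $($plan.Unknown -join ', ')" }
$plan.AlreadyAssigned | ForEach-Object { "skip   $_ (already assigned)" }
$plan.ToAssign        | ForEach-Object { "assign $($_.Value) -> appRoleId $($_.Id)" }
```

Against a real tenant, pass $microsoftGraph.AppRoles as -ResourceAppRoles and the output of Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $principalId -All as -ExistingAssignments, then create assignments only for the entries in ToAssign.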
Dependencies
Microsoft Graph SDK for PowerShell
Install-Module Microsoft.Graph -AllowClobber -Force
Connect-MgGraph
Using the Microsoft Graph Command Line Tools Enterprise Application:
Connect-MgGraph -Scopes @('')
Using an existing Access Token:
Connect-MgGraph -AccessToken (ConvertTo-SecureString 'ey..' -AsPlainText -Force)
Using an Application Registration (Platform: Mobile and desktop applications, redirect http://localhost):
Connect-MgGraph -ClientId 'abc..' -TenantId 'abc..'
Using a ClientId and Secret (Password):
$tenantId = ''
$clientId = ''
$secret = ConvertTo-SecureString '' -AsPlainText -Force
$secretCredential = New-Object System.Management.Automation.PSCredential ($clientId, $secret)
$params = @{
'SecretCredential' = $secretCredential
'TenantId' = $tenantId
}
Connect-MgGraph @params