
OAuth2PermissionGrant

Updated: February 23, 2015

Applies To: Azure AD Graph

Represents the OAuth 2.0 delegated permission scopes that have been granted to an application (represented by a service principal) as part of the user or admin consent process. This topic provides descriptions of the properties of the OAuth2PermissionGrant entity type.

Important
Beginning with version 1.5, the Permission entity type is renamed to OAuth2PermissionGrant. In versions prior to 1.5, permissions created during consent were added to the permissions property of a user or service principal.

Namespace: Microsoft.DirectoryServices for version 1.5 and newer (OAuth2PermissionGrant), Microsoft.WindowsAzure.ActiveDirectory for versions prior to 1.5 (Permission).

The OAuth2PermissionGrant entity type has the following properties:

Declared Properties

| Property | Type | Create (POST) | Read (GET) | Update (PATCH) | Description |
|---|---|---|---|---|---|
| clientId | Edm.String | Optional | Yes | No | Specifies the objectId of the service principal granted consent to impersonate the user when accessing the resource (represented by the resourceId). |
| consentType | Edm.String | Optional | Yes | No | Specifies whether consent was provided by the administrator on behalf of the organization or whether consent was provided by an individual. The possible values are “AllPrincipals” or “Principal”. |
| expiryTime | Edm.DateTime | Optional | Yes | Yes | Reserved. Returns null. Do not use. |
| objectId | Edm.String | No | Yes | No | The unique identifier for the permission scope. Notes: key, not nullable. |
| principalId | Edm.String | Optional | Yes | No | If consentType is “AllPrincipals” this value is null, and the consent applies to all users in the organization. If consentType is “Principal” then this property specifies the objectId of the user that granted consent, and applies only for that user. |
| resourceId | Edm.String | Optional | Yes | No | Specifies the objectId of the resource service principal to which access has been granted. |
| scope | Edm.String | Optional | Yes | Yes | Specifies the value of the scope claim that the resource application should expect in the OAuth 2.0 access token. |
| startTime | Edm.DateTime | Optional | Yes | No | Reserved. Returns null. Do not use. |

For information about the primitive types exposed by the EDM, see Entity Data Model: Primitive Data Types.

The following table shows how to address the permission scopes resource set, which spans all the permission scopes in the directory, and an individual permission scope. The examples in the table use the tenant domain to address the tenant. For other ways of addressing the tenant, see Addressing Entities and Operations in the Graph API.

| Artifact | URL fragment | Example |
|---|---|---|
| Resource set (all permission scopes) | /oauth2PermissionGrants | https://graph.windows.net/contoso.onmicrosoft.com/oauth2PermissionGrants?api-version=1.5 |
| Individual permission scope | /oauth2PermissionGrants/{objectId} | https://graph.windows.net/contoso.onmicrosoft.com/oauth2PermissionGrants/12345678-9abc-def0-1234-56789abcde?api-version=1.5 |

Note
Permission scopes can also be addressed as generic directory objects by replacing “oauth2PermissionGrants” with “directoryObjects” in the URL.

For more comprehensive information about querying directory objects, see Azure AD Graph API Common Queries and Azure AD Graph API Differential Query.

The following operations are supported on permission scopes (the HTTP method used for each is in parentheses):

  • Create (POST)

  • Read (GET)

  • Update (PATCH): scope property only.

  • Delete (DELETE)

No functions or actions may be called on permission scopes.

A principal must be in the Company Administrator role to perform operations on permission scopes.

In version 1.5 and newer, the oauth2PermissionGrants navigation property of the User entity and of the ServicePrincipal entity returns the OAuth2PermissionGrant objects associated with the user or service principal.

Prior to version 1.5, the permissions navigation property of the User entity and of the ServicePrincipal entity returns the Permission objects associated with the user or service principal.
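As an added example (not part of the original topic or of the Graph API itself), the following Python reads a constructed `GET /oauth2PermissionGrants` response, separates admin (“AllPrincipals”) consents from per-user (“Principal”) consents, computes the union of scopes each client holds on each resource, and builds the body for the one supported update, a PATCH of the scope property. All objectIds and scope values in the sample are made up.

```python
import json

# Constructed sample of what GET /oauth2PermissionGrants?api-version=1.5 returns.
# The objectId, clientId, principalId and resourceId values are invented.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"objectId": "grant-1", "clientId": "app-a", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "res-graph",
     "scope": "User.Read Directory.Read.All"},
    {"objectId": "grant-2", "clientId": "app-b", "consentType": "Principal",
     "principalId": "user-1", "resourceId": "res-graph", "scope": "User.Read"},
    {"objectId": "grant-3", "clientId": "app-b", "consentType": "Principal",
     "principalId": "user-2", "resourceId": "res-graph", "scope": "User.Read Mail.Read"},
]})

def parse_grants(body):
    """Return the list of OAuth2PermissionGrant objects from a collection response."""
    return json.loads(body)["value"]

def scopes_of(grant):
    # scope is the space-separated scope claim the resource expects in the token.
    return set((grant.get("scope") or "").split())

def tenant_wide_grants(grants):
    """Grants consented by an admin for the whole organization (principalId is null)."""
    return [g for g in grants if g["consentType"] == "AllPrincipals"]

def effective_scopes(grants):
    """Union of scopes per (clientId, resourceId), with who consented to them."""
    summary = {}
    for g in grants:
        key = (g["clientId"], g["resourceId"])
        entry = summary.setdefault(
            key, {"scopes": set(), "principals": set(), "tenant_wide": False})
        entry["scopes"] |= scopes_of(g)
        if g["consentType"] == "AllPrincipals":
            entry["tenant_wide"] = True
        else:
            entry["principals"].add(g["principalId"])
    return summary

def scope_patch_body(grant, remove):
    """Body for PATCH /oauth2PermissionGrants/{objectId}; only scope is updatable."""
    kept = [s for s in (grant.get("scope") or "").split() if s not in remove]
    return {"scope": " ".join(kept)}
```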

See Also

© 2015 Microsoft