DelegatedPermissionGrant.ReadWrite.All
Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), without a signed-in user.
Permission Details
| Type | Display name | Description | ID |
|---|---|---|---|
| Application | Manage all delegated permission grants | Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), without a signed-in user. | 8e8e4742-1d95-4f68-9d56-6ee75648c72a |
| Delegated | Manage all delegated permission grants | Allows the app to manage permission grants for delegated permissions exposed by any API (including Microsoft Graph), on behalf of the signed-in user. | 41ce6ca6-6826-4807-84f1-1c82854f7ee5 |
Properties
Properties are shown from stable Microsoft Graph v1.0 metadata.
| Property | Type | Description |
|---|---|---|
| clientId | String | The object id (not appId) of the client service principal for the application that's authorized to act on behalf of a signed-in user when accessing an API. Required. Supports $filter (eq only). |
| consentType | String, nullable | Indicates if authorization is granted for the client application to impersonate all users or only a specific user. AllPrincipals indicates authorization to impersonate all users. Principal indicates authorization to impersonate a specific user. Consent on behalf of all users can be granted by an administrator. Nonadmin users might be authorized to consent on behalf of themselves in some cases, for some delegated permissions. Required. Supports $filter (eq only). |
| id | String | Unique identifier for the oAuth2PermissionGrant. Read-only. |
| principalId | String, nullable | The id of the user on behalf of whom the client is authorized to access the resource, when consentType is Principal. If consentType is AllPrincipals this value is null. Required when consentType is Principal. Supports $filter (eq only). |
| resourceId | String | The id of the resource service principal to which access is authorized. This identifies the API that the client is authorized to attempt to call on behalf of a signed-in user. Supports $filter (eq only). |
| scope | String, nullable | A space-separated list of the claim values for delegated permissions that should be included in access tokens for the resource application (the API). For example, openid User.Read GroupMember.Read.All. Each claim value should match the value field of one of the delegated permissions defined by the API, listed in the oauth2PermissionScopes property of the resource service principal. Must not exceed 3,850 characters in length. |
JSON Representation
JSON representation is shown from stable Microsoft Graph v1.0 metadata.
```json
{
  "clientId": "string",
  "consentType": "string",
  "id": "string (identifier)",
  "principalId": "string",
  "resourceId": "string",
  "scope": "string"
}
```
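An added example (not from Microsoft's documentation or this page's snippets) that checks oAuth2PermissionGrant objects against the constraints in the property table above and reports tenant-wide (AllPrincipals) grants that carry scopes a reviewer treats as sensitive. The sample grants, the `SENSITIVE_SCOPES` policy set and the function names are constructed for illustration.

```python
"""Audit oAuth2PermissionGrant objects (added example; sample data is constructed)."""

MAX_SCOPE_LEN = 3850  # documented limit for the scope property
# Assumption: which scopes count as sensitive is a local review policy, not a Graph rule.
SENSITIVE_SCOPES = {"DelegatedPermissionGrant.ReadWrite.All", "GroupMember.Read.All"}


def validate_grant(grant):
    """Return violations of the documented property constraints for one grant."""
    problems = []
    for required in ("clientId", "consentType"):
        if not grant.get(required):
            problems.append(f"missing {required}")
    consent = grant.get("consentType")
    principal = grant.get("principalId")
    if consent == "Principal" and not principal:
        problems.append("principalId required when consentType is Principal")
    elif consent == "AllPrincipals" and principal is not None:
        problems.append("principalId must be null when consentType is AllPrincipals")
    elif consent not in (None, "", "Principal", "AllPrincipals"):
        problems.append(f"unknown consentType {consent!r}")
    if len(grant.get("scope") or "") > MAX_SCOPE_LEN:
        problems.append("scope exceeds 3,850 characters")
    return problems


def tenant_wide_sensitive(grants):
    """Map grant id -> sensitive scopes consented for all users (AllPrincipals)."""
    findings = {}
    for grant in grants:
        if grant.get("consentType") != "AllPrincipals":
            continue
        # scope is a space-separated list of delegated permission claim values
        hits = sorted(set((grant.get("scope") or "").split()) & SENSITIVE_SCOPES)
        if hits:
            findings[grant["id"]] = hits
    return findings


# Constructed sample grants; all ids are placeholders, not real tenant objects.
SAMPLE_GRANTS = [
    {"id": "grant-1", "clientId": "client-sp-A", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph-sp", "scope": "openid User.Read"},
    {"id": "grant-2", "clientId": "client-sp-B", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "graph-sp",
     "scope": "User.Read DelegatedPermissionGrant.ReadWrite.All"},
    {"id": "grant-3", "clientId": "client-sp-C", "consentType": "Principal",
     "principalId": None, "resourceId": "graph-sp", "scope": "GroupMember.Read.All"},
]
```

Feeding the function the `value` array returned by a listing of `/oauth2PermissionGrants` gives the same report for a real tenant.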
Relationships
Relationships metadata is not available for this permission mapping.
Graph Methods
Microsoft Graph v1.0 endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Microsoft Graph beta endpoints are mapped directly from refreshed Microsoft Learn permissions tables.
Microsoft Graph PowerShell v1.0 commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Microsoft Graph PowerShell beta commands are mapped directly from refreshed Microsoft Learn PowerShell snippets.
Code Examples
C#
```csharp
// Code snippets are only available for the latest version. Current version is 5.x

// Dependencies
using Microsoft.Graph.Models;

var requestBody = new OAuth2PermissionGrant
{
    ClientId = "ef969797-201d-4f6b-960c-e9ed5f31dab5",
    ConsentType = "AllPrincipals",
    ResourceId = "943603e4-e787-4fe9-93d1-e30f749aae39",
    Scope = "DelegatedPermissionGrant.ReadWrite.All",
};

// To initialize your graphClient, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Oauth2PermissionGrants.PostAsync(requestBody);
```
JavaScript
```javascript
const options = {
    authProvider,
};

const client = Client.init(options);

const oAuth2PermissionGrant = {
    clientId: 'ef969797-201d-4f6b-960c-e9ed5f31dab5',
    consentType: 'AllPrincipals',
    resourceId: '943603e4-e787-4fe9-93d1-e30f749aae39',
    scope: 'DelegatedPermissionGrant.ReadWrite.All'
};

await client.api('/oauth2PermissionGrants')
    .post(oAuth2PermissionGrant);
```
PowerShell
```powershell
Import-Module Microsoft.Graph.Identity.SignIns

$params = @{
    clientId = "ef969797-201d-4f6b-960c-e9ed5f31dab5"
    consentType = "AllPrincipals"
    resourceId = "943603e4-e787-4fe9-93d1-e30f749aae39"
    scope = "DelegatedPermissionGrant.ReadWrite.All"
}

New-MgOauth2PermissionGrant -BodyParameter $params
```
Python
```python
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.o_auth2_permission_grant import OAuth2PermissionGrant

# To initialize your graph_client, see https://learn.microsoft.com/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = OAuth2PermissionGrant(
    client_id = "ef969797-201d-4f6b-960c-e9ed5f31dab5",
    consent_type = "AllPrincipals",
    resource_id = "943603e4-e787-4fe9-93d1-e30f749aae39",
    scope = "DelegatedPermissionGrant.ReadWrite.All",
)

result = await graph_client.oauth2_permission_grants.post(request_body)
```
App Registration
1. Navigate to Azure Portal: Go to App registrations in Microsoft Entra admin center.
2. Add API Permission: Select your app → API permissions → Add a permission → Microsoft Graph.
3. Select Permission Type: Choose Application permissions or delegated permissions and search for DelegatedPermissionGrant.ReadWrite.All.
4. Grant Admin Consent: Application permissions always require admin consent.