Set-AzureADMSPermissionGrantConditionSet

Update an existing Azure Active Directory permission grant condition set.

Syntax

Set-AzureADMSPermissionGrantConditionSet
   -PolicyId <String>
   -ConditionSetType <String>
   -Id <String>
   [-PermissionType <String>]
   [-PermissionClassification <String>]
   [-ResourceApplication <String>]
   [-Permissions <System.Collections.Generic.List`1[System.String]>]
   [-ClientApplicationIds <System.Collections.Generic.List`1[System.String]>]
   [-ClientApplicationTenantIds <System.Collections.Generic.List`1[System.String]>]
   [-ClientApplicationPublisherIds <System.Collections.Generic.List`1[System.String]>]
   [-ClientApplicationsFromVerifiedPublisherOnly <Boolean>]
   [<CommonParameters>]

Description

Updates an Azure Active Directory permission grant condition set object identified by id.

Examples

Example 1: Update a permission grant condition set to includes permissions that has been classified as low.

1. Get existing permission grant policy by that need to be updated.
		
		$permissionGrantConditionSet =Get-AzureADMSPermissionGrantConditionSet -PolicyId "test1" -ConditionSetType "includes" -Id "0f81cce0-a766-4db6-a7e2-4e5f10f6abf8"

			Id                                          : 0f81cce0-a766-4db6-a7e2-4e5f10f6abf8
			PermissionType                              : delegated
			PermissionClassification                    : all
			ResourceApplication                         : ec8d61c9-1cb2-4edb-afb0-bcda85645555
			Permissions                                 : {8b590330-0eb2-45d0-baca-a00ecf7e7b87, dac1c8fa-e6e4-47b8-a128-599660b8cd5c, 
														  f6db0cc3-88cd-4c74-a374-3d8c7cc4c50b}
			ClientApplicationIds                        : {00001111-aaaa-2222-bbbb-3333cccc4444, 11112222-bbbb-3333-cccc-4444dddd5555}
			ClientApplicationTenantIds                  : {aaaabbbb-0000-cccc-1111-dddd2222eeee, bbbbcccc-1111-dddd-2222-eeee3333ffff, 
														  ccccdddd-2222-eeee-3333-ffff4444aaaa}
			ClientApplicationPublisherIds               : {verifiedpublishermpnid}
			ClientApplicationsFromVerifiedPublisherOnly : True
			
		2. Update PermissionClassification 
		
		Set-AzureADMSPermissionGrantConditionSet -PolicyId "test1" -ConditionSetType "includes" -Id $permissionGrantConditionSet.Id -PermissionClassification low

			Id                                          : 0f81cce0-a766-4db6-a7e2-4e5f10f6abf8
			PermissionType                              : delegated
			PermissionClassification                    : low
			ResourceApplication                         : ec8d61c9-1cb2-4edb-afb0-bcda85645555
			Permissions                                 : {8b590330-0eb2-45d0-baca-a00ecf7e7b87, dac1c8fa-e6e4-47b8-a128-599660b8cd5c, 
														  f6db0cc3-88cd-4c74-a374-3d8c7cc4c50b}
			ClientApplicationIds                        : {00001111-aaaa-2222-bbbb-3333cccc4444, 11112222-bbbb-3333-cccc-4444dddd5555}
			ClientApplicationTenantIds                  : {aaaabbbb-0000-cccc-1111-dddd2222eeee, bbbbcccc-1111-dddd-2222-eeee3333ffff, 
														  ccccdddd-2222-eeee-3333-ffff4444aaaa}
			ClientApplicationPublisherIds               : {verifiedpublishermpnid}
			ClientApplicationsFromVerifiedPublisherOnly : True

Example 2: Update a permission grant condition set

PS C:\>Set-AzureADMSPermissionGrantConditionSet -PolicyId "policy1" -ConditionSetType "includes" -Id "00001111-aaaa-2222-bbbb-3333cccc4444" -PermissionType "Delegated" -PermissionClassification "Low" -ResourceApplication "00001111-aaaa-2222-bbbb-3333cccc4444" -Permissions @("29bf4ca5-913e-427d-8a68-5890af945109") -ClientApplicationIds @("All") -ClientApplicationTenantIds @("All") -ClientApplicationPublisherIds @("All") -ClientApplicationsFromVerifiedPublisherOnly $true

Parameters

-ClientApplicationIds

The set of client application ids to scope consent operation down to. It could be @("All") or a list of client application Ids.

Type:List<T>[String]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ClientApplicationPublisherIds

The set of client applications publisher ids to scope consent operation down to. It could be @("All") or a list of client application publisher ids.

Type:List<T>[String]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ClientApplicationsFromVerifiedPublisherOnly

A value indicates whether to only includes client applications from verified publishers.

Type:Boolean
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ClientApplicationTenantIds

The set of client application tenant ids to scope consent operation down to. It could be @("All") or a list of client application tenant ids.

Type:List<T>[String]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ConditionSetType

The value indicates whether the condition sets are included in the policy or excluded.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-Id

The unique identifier of an Azure Active Directory permission grant condition set object.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-PermissionClassification

Specific classification (all, low, medium, high) to scope consent operation down to.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Permissions

The identifier of the resource application to scope consent operation down to. It could be @("All") or a list of permission ids.

Type:List<T>[String]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-PermissionType

Specific type of permissions (application, delegated) to scope consent operation down to.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-PolicyId

The unique identifier of an Azure Active Directory permission grant policy object.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

-ResourceApplication

The identifier of the resource application to scope consent operation down to. It could be "Any" or a specific resource application id.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

Inputs

string

string

string

Notes

See the migration guide for Set-AzureADMSPermissionGrantConditionSet to the Microsoft Graph PowerShell.