
Granting Microsoft Graph API Permissions via Script

Article published on the 27th of August, 2021.

1. Introduction

You can download the AddAPIPermission.ps1 script from the Downloads section of this article.

Since WorkPoint 3.11.1, WorkPoint requires the following API permission approvals:

  • Microsoft Graph (User.Read)
  • Microsoft Graph (People.Read)
  • Microsoft Graph (Presence.Read.All)
  • Microsoft Graph (User.ReadBasic.All)
  • Microsoft Graph (User.Read.All)

These permissions are required for Profile Card functionality in the WorkPoint Top Panel to function. You can read more about Profile Cards in this article.

Due to an issue in SharePoint, these permissions may not show up in your API Access page.

WorkPoint has therefore produced a PowerShell script which you can run in order to grant these permissions without having to access them through the API Access page.

Please be aware that the user running the script must have tenant administrator privileges.

The script will check if all PowerShell modules necessary for its functionality are installed. If not, it will install them. Next, it will ask for your tenant name, which can be found in your WorkPoint URL or in your Azure Active Directory Administration center. Once provided, the script prompts you for your Office 365 credentials.

The script will then set all required Microsoft Graph permissions.
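To check independently which of the five permissions listed above are actually granted in the tenant, the following added example (not part of WorkPoint's script or article) lists delegated Microsoft Graph grants that contain any of them. It assumes the Microsoft Graph PowerShell SDK is installed and that the permissions are granted as delegated (OAuth2) grants; `$required` and `$report` are names chosen for this example.

```powershell
# Added example: audit delegated Microsoft Graph grants against the five
# permissions listed in this article. Assumes the Microsoft Graph PowerShell
# SDK is available (Install-Module Microsoft.Graph -Scope CurrentUser).
$required = 'User.Read', 'People.Read', 'Presence.Read.All',
            'User.ReadBasic.All', 'User.Read.All'

# Read-only directory access is enough to list permission grants.
Connect-MgGraph -Scopes 'Directory.Read.All'

# Microsoft Graph's well-known application ID, identical in every tenant.
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Keep only the delegated grants whose resource is Microsoft Graph.
$grants = Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ResourceId -eq $graph.Id }

$report = foreach ($g in $grants) {
    # Scope is a single space-separated string.
    $scopes = @($g.Scope -split '\s+' | Where-Object { $_ })
    $held   = @($required | Where-Object { $scopes -contains $_ })
    if ($held.Count -eq 0) { continue }   # grant unrelated to the five scopes

    $client = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    [pscustomobject]@{
        Client      = $client.DisplayName
        ConsentType = $g.ConsentType      # AllPrincipals = tenant-wide consent
        Held        = $held -join ', '
        Missing     = ($required | Where-Object { $scopes -notcontains $_ }) -join ', '
        OtherScopes = ($scopes | Where-Object { $required -notcontains $_ }) -join ', '
    }
}

$report | Format-List
Disconnect-MgGraph | Out-Null
```

An empty `Missing` column for the client principal means all five permissions are in place; `OtherScopes` shows anything else that principal already holds on Microsoft Graph.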


2. Running API Permission script

   2.1. Execution policies

To run the API Permission script you need an execution policy allowing the script to be run.

There are two types of execution policies which will allow for this:

  • Bypass
  • RemoteSigned

You can read more about the different types of execution policies in this article.

WorkPoint recommends setting one of these execution policies, then running the API Permission script, and then setting the execution policy back to its original level.

Be aware that if you elect to use the "RemoteSigned" execution policy, you must unblock the script in its file properties:


To set your desired execution policy, follow these steps:

  1. Open your Windows Start menu and search for "Windows PowerShell".
  2. For Windows PowerShell, select "Run as Administrator".

Next, we will find out which execution policy we are currently using. We need this information to be able to set the setting back to this original value after we run the API Permission script:

  1. In the PowerShell window, run the command "Get-ExecutionPolicy".
  2. Note the result of the command. This is your current execution policy.

Next, we will set the execution policy to the desired execution policy, either Bypass or RemoteSigned (in the case shown above, we are already using the RemoteSigned execution policy):

  1. In the PowerShell window, run the command "Set-ExecutionPolicy -ExecutionPolicy Bypass" to set the execution policy to Bypass. Use "RemoteSigned" instead of "Bypass" to set the execution policy to RemoteSigned.
  2. PowerShell informs you that execution policies are used to prevent harmful scripts from being run on your system, and asks you if you want to set the execution policy as commanded. Simply type a "y" and press Enter to accept.

If the command was successfully executed, you should simply see a new line, ready for input:

If you want to make sure that the execution policy was correctly set, you can run the "Get-ExecutionPolicy" command, which should now return the new execution policy value:

We have now set the execution policy, and can proceed to running the API Permission script.

   2.2. Running the API Permission script

Now that we have set an execution policy which allows us to run the API Permission script, follow these steps to run the script:

  1. Building on top of our previous commands in PowerShell, type in the path to where you have saved the API Permission script on your local device, including the name and file extension of the script. In this example, the path to the script is "C:\Users\anm\Documents\Scripts" and the title and file extension is "AddAPIPermission.ps1". This combines to the full execution path at "C:\Users\anm\Documents\Scripts\AddAPIPermission.ps1". Press Enter to run the script.
  2. The script now checks if all PowerShell modules necessary for its functionality are installed. If they are, it imports them. If they are not, it will install them and import them. In this instance, all necessary modules are installed, and so they are imported.
  3. Next, the script will ask for your tenant name. In this demonstration, our tenant name is "wp365test".

Once you provide your tenant name and press Enter, you will be prompted for your Office 365 credentials:

  1. Enter your Office 365 credentials (user name and password).
  2. Click "OK" (or press Enter).

If the script ran successfully, you should see a "Script completed" message:

In the above example, all permissions were granted through the script.

In case some permissions have already been granted prior to running the API Permission script, you would get messages like in the following image:

   2.3. Setting Execution policy back

Now that we have granted the necessary permissions through the script, we can set our execution policies back:

  1. Remembering that originally, our execution policy was 'RemoteSigned', we run the command "Set-ExecutionPolicy RemoteSigned".
  2. We accept changing the execution policy by typing "y" and pressing Enter.
  3. We can check if the execution policy was changed by running the "Get-ExecutionPolicy" command.
  4. The system returns the current execution policy, in this case the "RemoteSigned" policy, which we just switched to, confirming that the execution policy was correctly set.
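
The same procedure with the policy change limited to the current PowerShell session, as an added example that is not part of WorkPoint's script or article. With `-Scope Process` the machine-wide policy is never modified, so there is no original value to set back; `$ScriptPath` is a name chosen for this example and uses the example path from section 2.2.

```powershell
# Added example. Adjust the path to where you saved the downloaded script.
$ScriptPath = 'C:\Users\anm\Documents\Scripts\AddAPIPermission.ps1'

# Show the policy at every scope. A value set by Group Policy
# (MachinePolicy / UserPolicy) takes precedence over the other scopes.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# Record what you are about to run with tenant administrator credentials:
# the file hash and its Authenticode signature status.
Get-FileHash -Path $ScriptPath -Algorithm SHA256 | Format-List Path, Hash
Get-AuthenticodeSignature -FilePath $ScriptPath |
    Format-List Status, SignerCertificate

# A downloaded file carries a Zone.Identifier stream. RemoteSigned refuses
# unsigned scripts that still have it.
$mark = Get-Item -Path $ScriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($mark) {
    # Same effect as ticking "Unblock" in the file properties dialog.
    # Read the script before removing the mark.
    Unblock-File -Path $ScriptPath
}

# Process scope: applies to this session only and ends when the window
# is closed. The policy change itself needs no elevation.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# Run the API Permission script.
& $ScriptPath

# Confirm the machine-wide setting is still what it was before.
Get-ExecutionPolicy -Scope LocalMachine
```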