🔍 Code Extractor

class OAuth2PermissionGrant

Maturity: 52

Represents OAuth 2.0 delegated permissions granted to an application's service principal, allowing it to act on behalf of users when accessing APIs.

File:
/tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/permissions/grants/oauth2.py
Lines:
4 - 68
Complexity:
simple

Purpose

This class models OAuth2PermissionGrant entities in Microsoft Graph API, representing delegated permissions (scopes) that have been granted to an application. It provides read-only access to permission grant details including the client application, consent type (all users or specific user), the user being impersonated, the resource API being accessed, and the specific scopes granted. This is used to query and understand what permissions have been delegated to applications in an Azure AD/Microsoft 365 environment.

Source Code

class OAuth2PermissionGrant(Entity):
    """
    Represents the delegated permissions that have been granted to an application's service principal.

    Delegated permissions grants can be created as a result of a user consenting the an application's request
    to access an API, or created directly.

    Delegated permissions are sometimes referred to as "OAuth 2.0 scopes" or "scopes".
    """

    @property
    def client_id(self):
        """
        The id of the client service principal for the application which is authorized to act on behalf of a signed-in
        user when accessing an API. Required. Supports $filter (eq only).

        :rtype: str
        """
        return self.properties.get("clientId", None)

    @property
    def consent_type(self):
        """
        Indicates if authorization is granted for the client application to impersonate all users or only a
        specific user. AllPrincipals indicates authorization to impersonate all users.
        Principal indicates authorization to impersonate a specific user. Consent on behalf of all users can be granted
        by an administrator. Non-admin users may be authorized to consent on behalf of themselves in some cases,
        for some delegated permissions. Required. Supports $filter (eq only).

        :rtype: str
        """
        return self.properties.get("consentType", None)

    @property
    def principal_id(self):
        """
        The id of the user on behalf of whom the client is authorized to access the resource, when consentType is
        Principal. If consentType is AllPrincipals this value is null. Required when consentType is Principal.
        Supports $filter (eq only).

        :rtype: str
        """
        return self.properties.get("principalId", None)

    @property
    def resource_id(self):
        """
        The id of the resource service principal to which access is authorized. This identifies the API which the
        client is authorized to attempt to call on behalf of a signed-in user. Supports $filter (eq only).

        :rtype: str
        """
        return self.properties.get("resourceId", None)

    @property
    def scope(self):
        """
        A space-separated list of the claim values for delegated permissions which should be included in access tokens
        for the resource application (the API). For example, openid User.Read GroupMember.Read.All. Each claim value
        should match the value field of one of the delegated permissions defined by the API, listed in the
        oauth2PermissionScopes property of the resource service principal. Must not exceed 3850 characters in length.

        :rtype: str
        """
        return self.properties.get("scope", None)

Parameters

Name Type Default Kind
bases Entity -

Parameter Details

Entity_base_class: Inherits from Entity base class which likely provides common functionality for Microsoft Graph entities such as property storage, serialization, and API interaction capabilities. The constructor parameters are inherited from Entity and not explicitly defined in this class.

Return Value

Instantiation returns an OAuth2PermissionGrant object that provides read-only property access to permission grant data. All properties return strings or None if the property is not set. The properties are retrieved from an internal properties dictionary inherited from the Entity base class.

Class Interface

Methods

@property client_id(self) -> str property

Purpose: Gets the ID of the client service principal authorized to act on behalf of users

Returns: String containing the client service principal ID, or None if not set. This identifies the application that has been granted permissions.

@property consent_type(self) -> str property

Purpose: Gets the type of consent indicating whether authorization applies to all users or a specific user

Returns: String value of either 'AllPrincipals' (authorization for all users) or 'Principal' (authorization for specific user), or None if not set.

@property principal_id(self) -> str property

Purpose: Gets the ID of the specific user on whose behalf the client is authorized when consent_type is Principal

Returns: String containing the user ID when consent_type is 'Principal', or None when consent_type is 'AllPrincipals' or not set.

@property resource_id(self) -> str property

Purpose: Gets the ID of the resource service principal (API) that the client is authorized to access

Returns: String containing the resource service principal ID identifying the API being accessed, or None if not set.

@property scope(self) -> str property

Purpose: Gets the space-separated list of delegated permission scopes granted to the application

Returns: String containing space-separated scope values (e.g., 'openid User.Read GroupMember.Read.All'), maximum 3850 characters, or None if not set.

Attributes

Name Type Description Scope
properties dict Internal dictionary storing the permission grant data, inherited from Entity base class. Contains keys: clientId, consentType, principalId, resourceId, scope instance

Dependencies

  • office365

Required Imports

from office365.entity import Entity
from office365.directory.permissions.oauth2_permission_grant import OAuth2PermissionGrant

Usage Example

from office365.directory.permissions.oauth2_permission_grant import OAuth2PermissionGrant
from office365.graph_client import GraphClient

# Authenticate and create client
client = GraphClient(credentials)

# Retrieve permission grants
grants = client.oauth2_permission_grants.get().execute_query()

# Access grant properties
for grant in grants:
    print(f"Client ID: {grant.client_id}")
    print(f"Consent Type: {grant.consent_type}")
    print(f"Principal ID: {grant.principal_id}")
    print(f"Resource ID: {grant.resource_id}")
    print(f"Scopes: {grant.scope}")
    
# Check if grant is for all users or specific user
if grant.consent_type == 'AllPrincipals':
    print("Grant applies to all users")
elif grant.consent_type == 'Principal':
    print(f"Grant applies to user: {grant.principal_id}")

Best Practices

  • This class provides read-only access to permission grant data through properties. Do not attempt to modify properties directly.
  • The consent_type property determines whether principal_id is relevant: when consent_type is 'AllPrincipals', principal_id will be None.
  • The scope property contains space-separated permission scopes and can be up to 3850 characters long.
  • This class is typically instantiated by the Microsoft Graph API client library, not directly by user code.
  • Use appropriate filtering when querying permission grants to avoid retrieving unnecessary data (supports $filter with eq operator).
  • Ensure your application has sufficient permissions to read OAuth2PermissionGrant objects before attempting to access them.
  • The properties are lazily evaluated from an internal properties dictionary, so accessing them multiple times is efficient.

Tags

oauth2 permissions delegated-permissions scopes microsoft-graph azure-ad service-principal consent authorization entity read-only

Similar Components

AI-powered semantic similarity - components with related functionality:

  • class PermissionScope 76.1% similar

    Represents a delegated permission definition for Microsoft identity platform applications, encapsulating permission metadata such as consent descriptions and enabled status.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/permissions/scope.py

  • class ResourceSpecificPermissionGrant 73.9% similar

    Represents a resource-specific permission grant for an Azure AD application, providing read-only access to permission details granted to apps for Microsoft Graph resources.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/permissions/grants/resource_specific.py

  • class SPO3rdPartyAADPermissionGrant 66.2% similar

    A SharePoint Online entity class representing a third-party Azure Active Directory (AAD) permission grant for SharePoint tenant administration.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/sharepoint/tenant/administration/internal/permission_grant.py

  • class PermissionGrantConditionSet 59.8% similar

    A class representing a permission grant condition set that specifies matching rules in a permission grant policy to include or exclude permission grant events in Microsoft Graph API.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/permissions/grants/condition_set.py

  • class PermissionGrantPolicy 58.5% similar

    A class representing a permission grant policy that specifies conditions under which consent can be granted, using include and exclude condition sets.

    From: /tf/active/vicechatdev/SPFCsync/venv/lib64/python3.11/site-packages/office365/directory/policies/permission_grant.py
← Back to Browse