    Create the Shared Email Templates app consent policy

    If you’re an IT administrator and want to allow individual users or groups of users to consent to Shared Email Templates, this guide will help you create a custom app consent policy for the add-in using PowerShell.

    Prerequisites #

    1. PowerShell 7.0 or later must be installed.

    2. The Microsoft Graph PowerShell SDK must be installed. To install it, run the following script:

      Install-Module Microsoft.Graph -Scope CurrentUser
      Import-Module Microsoft.Graph
      
    3. You must have the Global Administrator role.

    Create the consent policy and role for Shared Email Templates 2 #

    1. To create a custom app consent policy and a custom role for Shared Email Templates 2, run the following script:

      # Connect to MS Graph
      Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant", "RoleManagement.ReadWrite.Directory"
      
      # Get the MS Graph service principal
      $msGraph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
      
      # Variables for the custom app consent policy
      $set2PolicyId = "custom-policy-shared-email-templates-2"
      $set2PolicyName = "Shared Email Templates 2 custom consent policy"
      $set2PolicyDescription = "This is custom consent policy for Shared Email Templates 2 app"
      $set2ClientAppId = @(
          "e6f666d5-61ff-4582-8732-cedd9e55cef3"
      )
      $set2ScopeNames = @(
          "openid", "profile", "offline_access", "email", "User.Read", "User.ReadBasic.All", "Mail.Read", "Mail.Read.Shared", # mandatory
          "Sites.Read.All", "Files.ReadWrite.All", # attachments and images
          "Mail.Send", "Mail.Send.Shared" # mail merge campaigns
      )
      $set2ScopeIds = $msGraph.Oauth2PermissionScopes |
          Where-Object { $set2ScopeNames -contains $_.Value } |
          Select-Object -ExpandProperty Id
      
      # Creating the custom app consent policy
      New-MgPolicyPermissionGrantPolicy -Id $set2PolicyId -DisplayName $set2PolicyName -Description $set2PolicyDescription
      New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $set2PolicyId -PermissionType "delegated" -PermissionClassification "all" -ClientApplicationIds $set2ClientAppId -Permissions $set2ScopeIds -ResourceApplication $msGraph.AppId
      
      # Variables for the custom role
      $displayName = "Shared Email Templates 2 Users"
      $description = "Allow users to grant consent to Shared Email Templates 2 on behalf of themselves (user consent)."
      $templateId = (New-Guid).Guid
      $rolePermissions = @{
          "allowedResourceActions" = @(
              "microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.$set2PolicyId"
          )
      }
      
      # Creating the custom role in Microsoft Entra ID
      New-MgRoleManagementDirectoryRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -Description $description -TemplateId $templateId -IsEnabled:$true
      
    2. Go to the Microsoft Entra admin center.

    3. Sign in as a Global Administrator.

    4. Go to Roles & admins.

    5. Search for the Shared Email Templates 2 Users role, open it, and select Add assignments.

    6. Go to Select member(s).

    7. Select users or groups.

    8. Select Next.

    9. Select Active as Assignment type.

    10. Provide a justification, and then select Assign.

    Delete the consent policy and role for Shared Email Templates 2 #

    1. To delete the custom app consent policy for Shared Email Templates 2, run the following script:

      # Connect to MS Graph
      Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant", "RoleManagement.ReadWrite.Directory"
      
      # Variables for the custom app consent policy
      $set2PolicyId = "custom-policy-shared-email-templates-2"
      
      # Delete the custom app consent policy by the ID
      Remove-MgPolicyPermissionGrantPolicy -PermissionGrantPolicyId $set2PolicyId
      
    2. Go to the Microsoft Entra admin center.

    3. Sign in as a Global Administrator.

    4. Go to Roles & admins.

    5. Search for the Shared Email Templates 2 Users role.

    6. Select the checkbox next to the role, and then select Delete custom role.

    Create the consent policy and role for Shared Email Templates (Legacy) #

    1. To create a custom app consent policy and a custom role for Shared Email Templates (Legacy), run the following script:

      # Connect to MS Graph
      Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant", "RoleManagement.ReadWrite.Directory"
      
      # Get the MS Graph service principal
      $msGraph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
      
      # Variables for the custom app consent policy
      $setLegacyPolicyId = "custom-policy-shared-email-templates-legacy"
      $setLegacyPolicyName = "Shared Email Templates (Legacy) custom consent policy"
      $setLegacyPolicyDescription = "This is custom consent policy for Shared Email Templates (Legacy) app"
      $setLegacyClientAppIds = @(
          "c1e89043-a87e-4168-9620-996b6174f9ce",
          "680093f8-3534-48f1-8dae-3a13343cc03c",
          "6e8e4d5c-1979-4b55-a2e8-a7531167af15",
          "e6f666d5-61ff-4582-8732-cedd9e55cef3"
      )
      $setLegacyScopeNames = @(
          "openid", "profile", "offline_access", "email", "User.Read", "User.ReadBasic.All", "Mail.Read", "Mail.Read.Shared", # mandatory
          "Sites.Read.All", "Files.ReadWrite.All", # attachments and images
          "Mail.Send", "Mail.Send.Shared" # mail merge campaigns
      )
      $setLegacyScopeIds = $msGraph.Oauth2PermissionScopes |
          Where-Object { $setLegacyScopeNames -contains $_.Value } |
          Select-Object -ExpandProperty Id
      
      # Creating the custom app consent policy
      New-MgPolicyPermissionGrantPolicy -Id $setLegacyPolicyId -DisplayName $setLegacyPolicyName -Description $setLegacyPolicyDescription
      New-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $setLegacyPolicyId -PermissionType "delegated" -PermissionClassification "all" -ClientApplicationIds $setLegacyClientAppIds -Permissions $setLegacyScopeIds -ResourceApplication $msGraph.AppId
      
      # Variables for the custom role
      $displayName = "Shared Email Templates (Legacy) Users"
      $description = "Allow users to grant consent to Shared Email Templates (Legacy) on behalf of themselves (user consent)."
      $templateId = (New-Guid).Guid
      $rolePermissions = @{
          "allowedResourceActions" = @(
              "microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.$setLegacyPolicyId"
          )
      }
      
      # Creating the custom role in Microsoft Entra ID
      New-MgRoleManagementDirectoryRoleDefinition -RolePermissions $rolePermissions -DisplayName $displayName -Description $description -TemplateId $templateId -IsEnabled:$true
      
    2. Go to the Microsoft Entra admin center.

    3. Sign in as a Global Administrator.

    4. Go to Roles & admins.

    5. Search for the Shared Email Templates (Legacy) Users role, open it, and select Add assignments.

    6. Go to Select member(s).

    7. Select users or groups.

    8. Select Next.

    9. Select Active as Assignment type.

    10. Provide a justification, and then select Assign.
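    After the policy and role have been created and assigned (for either Shared Email Templates 2 or Shared Email Templates (Legacy)), it is worth reading the result back and checking that the policy really is limited to the intended client app IDs and delegated permissions, that the role references the right policy, and that only the intended users or groups hold the role. The audit script below is an added example and is not part of this guide or of the add-in itself; it uses only read-level Graph scopes, and the `-PolicyId` and `-RoleDisplayName` parameters are names chosen here for illustration.

```powershell
# Added audit script (not part of the original guide). Assumes the Microsoft Graph PowerShell SDK
# is installed and that the policy and role were created with the scripts in this guide.
# Example calls:
#   .\Audit-ConsentPolicy.ps1 -PolicyId "custom-policy-shared-email-templates-2" -RoleDisplayName "Shared Email Templates 2 Users"
#   .\Audit-ConsentPolicy.ps1 -PolicyId "custom-policy-shared-email-templates-legacy" -RoleDisplayName "Shared Email Templates (Legacy) Users"
param(
    [Parameter(Mandatory)][string]$PolicyId,
    [Parameter(Mandatory)][string]$RoleDisplayName
)

# Read-only scopes are enough for an audit; nothing here needs write access.
Connect-MgGraph -Scopes "Policy.Read.PermissionGrant", "RoleManagement.Read.Directory", "Application.Read.All"

# Microsoft Graph service principal, used to map permission IDs back to scope names
$msGraph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$scopeById = @{}
foreach ($scope in $msGraph.Oauth2PermissionScopes) { $scopeById[$scope.Id] = $scope.Value }

# 1. The policy exists; list its include and exclude condition sets
$policy   = Get-MgPolicyPermissionGrantPolicy -PermissionGrantPolicyId $PolicyId -ErrorAction Stop
$includes = @(Get-MgPolicyPermissionGrantPolicyInclude -PermissionGrantPolicyId $PolicyId)
$excludes = @(Get-MgPolicyPermissionGrantPolicyExclude -PermissionGrantPolicyId $PolicyId)
"Policy '$($policy.DisplayName)' ($PolicyId): $($includes.Count) include(s), $($excludes.Count) exclude(s)"

# 2. Show each include in readable form and flag anything broader than a fixed app/permission list.
#    The literal value "all" in clientApplicationIds or permissions means "any", which is far wider
#    than the explicit lists the creation script sets.
foreach ($inc in $includes) {
    "Include $($inc.Id): type=$($inc.PermissionType) classification=$($inc.PermissionClassification)"
    "  client apps: $($inc.ClientApplicationIds -join ', ')"
    "  resource:    $($inc.ResourceApplication)"
    foreach ($permId in $inc.Permissions) {
        if ($scopeById.ContainsKey($permId)) { "  allows: $($scopeById[$permId])" }
        else { "  WARNING: permission id '$permId' is not a delegated scope of Microsoft Graph" }
    }
    if ($inc.ClientApplicationIds -contains "all") { "  WARNING: include applies to ALL client applications" }
    if ($inc.Permissions -contains "all")          { "  WARNING: include allows ALL permissions" }
    if ($inc.PermissionType -ne "delegated")       { "  WARNING: include is not limited to delegated permissions" }
}

# 3. The custom role grants exactly the managePermissionGrantsForSelf action for this policy
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleDisplayName'" |
    Select-Object -First 1
if (-not $role) { throw "Role '$RoleDisplayName' was not found" }
$expectedAction = "microsoft.directory/servicePrincipals/managePermissionGrantsForSelf.$PolicyId"
$actions = @($role.RolePermissions | ForEach-Object { $_.AllowedResourceActions })
if ($actions -contains $expectedAction) { "Role '$RoleDisplayName' grants $expectedAction" }
else { "WARNING: role '$RoleDisplayName' does not reference policy $PolicyId (actions: $($actions -join ', '))" }
$extra = $actions | Where-Object { $_ -ne $expectedAction }
if ($extra) { "WARNING: role also grants unexpected actions: $($extra -join ', ')" }

# 4. Who holds the role: every assignment is resolved to a display name and object type
$assignments = @(Get-MgRoleManagementDirectoryRoleAssignment -Filter "roleDefinitionId eq '$($role.Id)'")
"Role assignments: $($assignments.Count)"
foreach ($a in $assignments) {
    $principal = Get-MgDirectoryObject -DirectoryObjectId $a.PrincipalId
    "  $($principal.AdditionalProperties['displayName']) [$($principal.AdditionalProperties['@odata.type'])]"
}
```

    Run it once after assignment and again after the deletion steps below: after deletion the policy lookup should fail with a not-found error, which is the expected outcome. A permission ID that the script cannot map to a scope name usually means the creation script's `Where-Object { ... -contains $_.Value }` filter silently dropped a misspelled scope name, so the policy ended up narrower (or different) than intended.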

    Delete the consent policy and role for Shared Email Templates (Legacy) #

    1. To delete the custom app consent policy for Shared Email Templates (Legacy), run the following script:

      # Connect to MS Graph
      Connect-MgGraph -Scopes "Policy.ReadWrite.PermissionGrant", "RoleManagement.ReadWrite.Directory"
      
      # Variables for the custom app consent policy
      $setLegacyPolicyId = "custom-policy-shared-email-templates-legacy"
      
      # Delete the custom app consent policy by the ID
      Remove-MgPolicyPermissionGrantPolicy -PermissionGrantPolicyId $setLegacyPolicyId
      
    2. Go to the Microsoft Entra admin center.

    3. Sign in as a Global Administrator.

    4. Go to Roles & admins.

    5. Search for the Shared Email Templates (Legacy) Users role.

    6. Select the checkbox next to the role, and then select Delete custom role.
