Saturday, May 18, 2024

Connecting and Understanding Microsoft Graph API Utilizing PowerShell


Administrators managing products such as SharePoint, Teams, and Azure AD tend to use multiple PowerShell modules, as each service has its own PowerShell module. Although this helped a lot, the real need is for a one-stop shop that manages all the services instead of having multiple modules. The solution is to use the Microsoft Graph SDK PowerShell module.

The Microsoft Graph API PowerShell module offers control over all the services using one PowerShell module, so if you are like me and struggle with multiple PowerShell modules to manage the cloud services, then this is the post you don't want to miss.

Prerequisites

This is a hands-on demonstration. If you'd like to follow along, make sure you have the following:

Why switch to Microsoft PowerShell Graph Module SDK?

Microsoft PowerShell Graph Module SDK allows interacting with all Microsoft APIs, including SharePoint, Exchange Online, etc., so there is no need for a separate PowerShell module for each service. Microsoft will discontinue the Azure AD Graph endpoints, which means that the AzureAD and MSOL modules will no longer work and PowerShell scripts will have to be rewritten.

Microsoft PowerShell Graph Module SDK is cross-platform and supports Windows, macOS, and Linux.

Downloading and installing Microsoft PowerShell Graph Module SDK

The first step in getting started with the Microsoft Graph API in your PowerShell session is to install the Microsoft.Graph module. This module is more widely referred to as the Microsoft Graph PowerShell SDK, and the noun of every cmdlet in it begins with "Mg". Another thing I like about this module is how it works perfectly with PowerShell 7.

The Graph API PowerShell module must be downloaded first. Begin by launching PowerShell 7 and entering the following command:

Install-Module -Name Microsoft.Graph

PowerShell downloads and installs the Microsoft.Graph module on the system. This may take a few minutes to finish.

Installing Microsoft.Graph

Type the following cmdlet to confirm a successful installation.

PS C:\> Get-Module -ListAvailable Microsoft.Graph

The output lists the installed version and name.

Microsoft.Graph installation details

Always keep your PowerShell modules updated by running Update-Module.

Understanding the Difference between Microsoft Graph API vs. AzureAD PowerShell module

Authentication and authorization support are among the differences between MSOnline, AzureAD, and Microsoft Graph. Credential object and access token authentication are supported by the legacy modules. The Microsoft Graph API, on the other hand, supports browser authentication, access token, and certificate authentication, as well as passing the required permissions, known as scopes.

Touring Around and First Look at Microsoft Graph Connect-MgGraph Scopes

The PowerShell module is now downloaded and set up. The next step is to establish a connection to the Graph API endpoint. Use the Connect-MgGraph cmdlet to connect to the Microsoft Graph API. When connecting to Microsoft Graph, things get a little unusual because you have to specify the connection scope.

There's no need to be concerned about the scopes. They are covered later in the tutorial, but for now, let's have a look around and see how things look.

Run the following line to connect to the Microsoft Graph API via PowerShell.

Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All","GroupMember.ReadWrite.All"

Following the execution of the Connect-MgGraph cmdlet, a new browser session is launched, requesting authentication. This is how browser authentication looks.

Browser-based authentication.

Following authentication, you must accept the permissions listed.

Consent on the required permissions

When you click Accept, you authorize this application/script to access the specified permissions.

Then the browser displays the message "Authentication complete. You can return to the application. Feel free to close this browser tab."

Close the browser, go back to PowerShell, and now you are connected. PowerShell shows a welcome message.

Welcome to Microsoft Graph

You are connected, but what are these permissions, what is the scope, and how do you find the required scope?

Understanding Microsoft Graph Permissions and Scope

Applications that use Graph API, such as Azure Active Directory, Teams, etc., have their permissions chunked into small permission sets. For example, Azure Active Directory permission is chunked into a list of small permissions such as User.Read.All, Group.ReadWrite.All, etc.

Any third-party application that connects to Azure Active Directory using Graph API needs to specify the permissions it needs in order to work correctly. These small permissions are called scopes.

One or more permission scopes protect each API in Microsoft Graph. The logged-in user must consent to one or more of the required scopes for the APIs you plan to use.

Even if the global admin account is used for authentication, the global admin must specify the access and consent to the permission scope. This is in contrast to older modules such as AzureAD and MSOnline, where the admin has full access once connected.

Understanding Microsoft Graph API Scope

Microsoft Graph uses a simple pattern: Resource.Operation.Constraint. For example, User.Read grants the permission to read the user profile of the signed-in user.

  • Resource: User, Group, Object, and so on are all examples of resources.
  • Operation: Can be one of Read, Write, Update, and so on.

The constraint element determines the extent of access the app/script has to the directory. There are four constraints, but the focus of this post is on two:

  • All: Grants permission to perform the Operation on all Resource types in the directory. For example, User.Read.All grants permission to read all the user profiles in the directory.
  • If no constraint is specified, the scope is limited to what the signed-in user can do. For example, the User.Read scope reads only the signed-in user's information.

If multiple scopes are required, such as reading users' information and groups' information, the scopes are separated by a comma ",", such as User.Read, Group.Read.

To connect to Graph API to perform read operations for all users and groups in the directory, use the following.

Connect-MgGraph -Scopes @('User.Read.All', 'Group.Read.All')

Read more about Microsoft Graph permissions on Microsoft.com.
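To make the Resource.Operation.Constraint pattern concrete, the following added example (not code from the original article) splits scope names into their parts and flags the ones that are both directory-wide and writable, which are the ones to review before consenting. ConvertFrom-GraphScope is a hypothetical helper name, the scope list is constructed sample input, and treating any operation that contains "Write" as writable is an assumption of this example.

```powershell
# Added example: classify Graph scopes by the Resource.Operation.Constraint pattern.
# ConvertFrom-GraphScope is a hypothetical helper, not part of the Microsoft.Graph module.
function ConvertFrom-GraphScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Scope
    )
    process {
        $parts      = $Scope.Trim().Split('.')
        $resource   = $null
        $operation  = $null
        $constraint = $null

        if ($parts.Count -eq 1) {
            # openid, profile, email: sign-in scopes without a Resource.Operation part
            $reach = 'OpenID Connect scope'
        }
        else {
            $resource  = $parts[0]
            $operation = $parts[1]
            if ($parts.Count -gt 2) {
                $constraint = $parts[2..($parts.Count - 1)] -join '.'
            }

            if (-not $constraint)          { $reach = 'Signed-in user' }
            elseif ($constraint -eq 'All') { $reach = 'Whole directory' }
            else                           { $reach = "Other ($constraint)" }
        }

        [pscustomobject]@{
            Scope      = $Scope
            Resource   = $resource
            Operation  = $operation
            Constraint = $constraint
            Reach      = $reach
            # Assumption: an operation containing "Write" can modify data.
            CanWrite   = [bool]($operation -match 'Write')
        }
    }
}

# Constructed sample input: scopes of the kind a delegated session ends up holding.
$granted = 'openid', 'profile', 'email', 'User.Read', 'User.Read.All',
           'User.ReadWrite.All', 'Group.Read.All'

$report = $granted | ConvertFrom-GraphScope
$report | Format-Table Scope, Resource, Operation, Reach, CanWrite -AutoSize

# Scopes to review before consenting: directory-wide and writable.
$report |
    Where-Object { $_.Reach -eq 'Whole directory' -and $_.CanWrite } |
    Select-Object -ExpandProperty Scope
```

In a connected session, replace the constructed list with (Get-MgContext).Scopes to review what the current session actually holds.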

How PowerShell Authenticates with Microsoft Graph API.

Interacting with Microsoft Graph requires authentication and authorization.

Introduction to Microsoft Graph API Authentication

  • Authentication: The authentication can be one of the following:
    • Delegated Authentication: The user must type the username and password and have a valid account with the tenant. Usually, this type of authentication opens up a browser window for the user to authenticate.
      • Pros: If the user has already authenticated to the Office 365 web interface, there is no need to authenticate again.
        • You won't need to handle the MFA part or do much work to authenticate the user; it is all handled by the web browser and the PowerShell module.
      • Cons: The user experience is not friendly, as the user needs to navigate outside PowerShell and use the browser to authenticate.
        • Won't help in automation.
    • Application Authentication: Seamless authentication that won't ask the user for a username or password. How? First, the Azure admin should have registered an app in Azure Active Directory –> App Registrations.
      This process creates a Service Principal Name (SPN) used during the authentication. Consider this similar to a username.
      After registering the application, you will have a Client ID and client credentials. The Client ID, Tenant ID, and the client credentials will be used in the PowerShell script to connect and authenticate your script to the cloud.
      The client credentials can be one of the following:
      • Certificates
      • Client secrets
      • Federated credentials.

Introduction to Microsoft Graph API Authorization

After successful authentication, there are two steps: authorization and consent.

  • Authorization / Permission: Two types of permission can be requested:
    • Delegated: The permission is granted when Delegated Authentication is used during the login process. If approved, it grants access to the signed-in user's data or the scope specified. However, the effective permission is the intersection of the scope and the privileges assigned to the user.
      For example, User1 is a non-administrative user who has the User.ReadWrite.All scope. User.ReadWrite.All allows User1 to read and update all the user profiles in the organization. But if User1 tries to update any other user profile, it will fail, as User1 lacks the required privileges to carry out such an operation. User1 can still update his/her own account information only.
      However, if an administrator with the required Azure roles connects and attempts to update the user information while connected with the appropriate scope, this administrator will be able to update any user profile in the organization.
    • Application: The tenant admin should assign the application the required permissions and consent. The permission provisioning is done through Azure Active Directory App Registration. Permissions are assigned by adding them to the list of API Permissions.
      Application authorization is used for background applications or services that don't require user login. Unlike delegated permissions, the effective permissions are the permissions granted by assigning the required scope to the application.
      For example, an application with User.ReadWrite.All has the power to update all the user profiles in the organization; there is no need to add this application to any AAD role.
  • Consents: Consent is Microsoft's way of telling you that this script/app uses these permissions and that you agree to it. There are two types of consent:
    • Static User Consent: When using delegated permission, the connected user will be prompted to consent and accept the permissions, much like when you install an app on your mobile device. You are notified that this application will use these permissions, and you must accept them.
    • Admin Consent: Used with application permission, as the script needs to access data across the tenant, so the administrator needs to add the permissions to the registered application, consent, and accept these permissions through the Azure Active Directory portal, App Registration.

Looking for a deep dive? Check out Permissions and Consent in the Microsoft identity platform.

How a Limited Non-Administrative User Requests Scope Permission

If the Azure administrator enables the following setting, limited users can request access to a specific scope.

  • Azure Active Directory
  • Enterprise Applications
  • User Settings
  • Under Admin consent requests –> Users can request admin consent to apps they are unable to consent to.

Assume a limited user attempts to connect and requests User.ReadWrite.All. User.ReadWrite.All is considered a high permission, and limited users don't have access to such endpoints. However, during authentication the user still gets a message asking for a justification for this request.

Justify your request

The Azure admin needs to approve this request from Enterprise Applications –> Admin Consent Requests.

But if the Azure admin did not enable Admin consent requests –> Users can request admin consent to apps they are unable to consent to, the connecting user gets the following message.

Needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.

Need admin approval

You can read more about how to connect using an application registration by reading Connect to Microsoft Graph PowerShell Using an App Registration.

Finding Microsoft Graph Scope and Permissions.

The key to successful execution is identifying the appropriate scope. Otherwise, the script will not run. There are several ways to obtain this information:

The Microsoft Graph SDK PowerShell module has the cmdlets Find-MgGraphCommand and Find-MgGraphPermission, which help locate the available permissions for an operation.

Using Find-MgGraphPermission

The Find-MgGraphPermission cmdlet helps find the related permissions for a given domain, such as the User domain or an application.

The example below lists all available permissions for the User domain. It includes the Name as well as the Description.

The best permission to use is User.Read.All. If you need to update the user information, then you can use User.ReadWrite.All.

PS C:\> Find-MgGraphPermission user -PermissionType Delegated | Select-Object Name, Description

Name                                      Description
----                                      -----------
.
.
User.Export.All                           Allows the app to export data (e.g. customer content or system-generated logs), associated with any user in your company, when the app is used by a privileged user (e.g. a Company Administrator).
User.Invite.All                           Allows the app to invite guest users to the organization, on behalf of the signed-in user.
User.ManageIdentities.All                 Allows the app to read, update and delete identities that are associated with a user's account that the signed-in user has access to. This controls the identities users can sign-in with.
User.Read                                 Allows you to sign in to the app with your organizational account and let the app read your profile. It also allows the app to read basic company information.
User.Read.All                             Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.
User.ReadBasic.All                        Allows the app to read a basic set of profile properties of other users in your organization on your behalf. Includes display name, first and last name, email address and photo.
User.ReadWrite                            Allows the app to read your profile, and discover your group membership, reports and manager. It also allows the app to update your profile information on your behalf.
User.ReadWrite.All                        Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.
.

Output trimmed to shorten the result.

This helps locate the permission scope required to do a specific operation. But now we need to know which cmdlet to use.

Using Find-MgGraphCommand

The Find-MgGraphCommand cmdlet helps find the command to perform an operation and lists the permissions that can be used to run the command.

Find-MgGraphCommand has a -Uri parameter, which helps find all the related cmdlets for a specific API endpoint. For example, we need to find the cmdlets in the Users API.

The Microsoft Graph REST API v1.0 reference is also an easy way to find all the information about the scopes, permissions, and commands.

PS C:\> Find-MgGraphCommand -Uri "/users/{id}" -ApiVersion v1.0 | Format-List Command,Permissions

Command     : Get-MgUser
Permissions : {DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All…}

Command     : Remove-MgUser
Permissions : {DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, User.ReadWrite.All}

Command     : Update-MgUser
Permissions : {DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, Directory.AccessAsUser.All…}

The URI parameter value looks like "/Resource/{id}", as in "/users/{id}". Just make sure to add the {id} at the end, and you get all the cmdlets related to the required resource.

There is no value for the {id}; you don't need to replace {id} with any value, just type it as it is: {id}.

The following example lists all the available permissions to run Get-MgUser. Get-MgUser gets all users in the tenant.

Open PowerShell and type the following line.

Find-MgGraphCommand -Command Get-MgUser | Select-Object Command,Permissions

Did you notice the Permissions column? Use the following cmdlet to get the permissions.

PowerShell lists the Get-MgUser cmdlet available in both the current version and the beta version.

PS C:\> Find-MgGraphCommand -Command Get-MgUser | Select-Object Command,Permissions

Command    Permissions
-------    -----------
Get-MgUser {DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.Read.All…
Get-MgUser {DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.Read.All…
Get-MgUser {DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.Read.All…
Get-MgUser {DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.Read.All…

Let's narrow it down, exclude the beta, and expand the permissions to list all the available permissions that can be used to run Get-MgUser successfully.

PS C:\> Find-MgGraphCommand -Command Get-MgUser | Select-Object -First 1 -ExpandProperty Permissions

Name                                         IsAdmin Description                                   FullDescription
----                                         ------- -----------                                   ---------------
DeviceManagementApps.Read.All                True    Read Microsoft Intune apps                    Allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.
DeviceManagementApps.ReadWrite.All           True    Read and write Microsoft Intune apps          Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.
DeviceManagementManagedDevices.Read.All      True    Read devices Microsoft Intune devices         Allows the app to read the properties of devices managed by Microsoft Intune.
DeviceManagementManagedDevices.ReadWrite.All True    Read and write Microsoft Intune devices       Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the device's owner.
DeviceManagementServiceConfig.Read.All       True    Read Microsoft Intune configuration           Allows the app to read Microsoft Intune service properties including device enrollment and third party service connection configuration.
DeviceManagementServiceConfig.ReadWrite.All  True    Read and write Microsoft Intune configuration Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration.
Directory.AccessAsUser.All                   True    Access the directory as you                   Allows the app to have the same access to information in your work or school directory as you do.
Directory.Read.All                           True    Read directory data                           Allows the app to read data in your organization's directory.
Directory.ReadWrite.All                      True    Read and write directory data                 Allows the app to read and write data in your organization's directory, such as other users, groups.  It does not allow the app to delete users or groups, or reset user passwords.
User.Read.All                                True    Read all users' full profiles                 Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on your behalf.
User.ReadBasic.All                           False   Read all users' basic profiles                Allows the app to read a basic set of profile properties of other users in your organization on your behalf. Includes display name, first and last name, email address and photo.
User.ReadWrite.All                           True    Read and write all users' full profiles       Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on your behalf.

Microsoft Graph REST API

Another easy option is to go straight to the Microsoft documentation. This documentation includes a lot of information, with examples of each permission and how to use it. All permissions are categorized based on resources.

Microsoft Graph Docs

If this is your first time learning about using the Microsoft Graph SDK PowerShell module, then it's okay to feel a bit lost. Practice is the key. Let's put it together and clear the confusion by trying examples.

Using Azure Active Directory to Find Microsoft Graph Permissions Easily

You can use Azure Active Directory to find all the permissions and scopes related to any resource in your organization, plus you can easily filter the scopes based on what you want to do, such as getting all the scopes with Read access.

Open Azure Active Directory, open Enterprise Applications, click on Consent and permissions, and then on Permission classifications. Click on the Add permissions button.

Permission Classifications

Select Microsoft Graph, and a list of all the available resources with their related permissions is displayed.

Showing only Read scope

Don't add any permission; I'm just showing how to find the scope for the related resources.

Putting it all together – Example

In the following scenario, we need to get a user named AzureUser and read user properties such as Department and Manager.

Start by opening PowerShell 7 and import the Microsoft Graph PowerShell module by using:

Import-Module Microsoft.Graph

Now the next step is finding the required cmdlet. Based on the requirement, we need to find the cmdlet which reads users' information.

With Find-MgGraphCommand, we can use the -Uri parameter and pass the value '/users/{id}'.

PS C:\> Find-MgGraphCommand -Uri '/users/{id}' -ApiVersion v1.0 | fl Command,Permissions

Command     : Get-MgUser
Permissions : {DeviceManagementApps.Read.All, DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.Read.All, DeviceManagementManagedDevices.ReadWrite.All…}

Command     : Remove-MgUser
Permissions : {DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, User.ReadWrite.All}

Command     : Update-MgUser
Permissions : {DeviceManagementApps.ReadWrite.All, DeviceManagementManagedDevices.ReadWrite.All, DeviceManagementServiceConfig.ReadWrite.All, Directory.AccessAsUser.All…}

For now, we need to read user information, so let's use Get-MgUser. Let's now check the required permission.

(Find-MgGraphCommand -Command Get-MgUser -ApiVersion v1.0)[0] | select -ExpandProperty Permissions | select Name, Description

Getting the required permission

With a quick read, we need to use User.Read.All. Let's connect.

PS C:\> Connect-MgGraph -Scopes User.Read.All
Welcome To Microsoft Graph!

PS C:\> Get-MgUser -UserId Azureuser@testdomain.com

Id                                   DisplayName Mail UserPrincipalName      UserType
--                                   ----------- ---- -----------------      --------
0a6d9460-cd81-4903-bb8d-e4964ed78083 Azure            AzureUser@testdomain.com

To select the Department, use the Property parameter and type Department.

If you run this code without the Property parameter, you get a null result.

PS C:\> Get-MgUser -UserId AzureUser@testdomain.com | Format-List Department,Manager

Department :
Manager    : Microsoft.Graph.PowerShell.Models.MicrosoftGraphDirectoryObject

Make sure to use the Property parameter and specify the property you need to read. This is by design, as the SDK mirrors how the Microsoft Graph API works. The API does not return all properties by default.

PS C:\> Get-MgUser -UserId AzureUser@testdomain.com -Property Department,Manager | Format-List Department,Manager

Department : Test Department
Manager    : Microsoft.Graph.PowerShell.Models.MicrosoftGraphDirectoryObject

Now we get the Department, but I'm sure that Microsoft.Graph.PowerShell.Models.MicrosoftGraphDirectoryObject is not the manager of the AzureUser user account.

To retrieve the Manager name, we need to use the -ExpandProperty parameter, as the Manager value is a PowerShell object. To see the full detail of this object, run the following line.

PS C:\> (Get-MgUser -UserId AzureUser@testdomain.com -ExpandProperty Manager).Manager.AdditionalProperties.displayName

Faris Malaeb

Note that displayName in Manager.AdditionalProperties.displayName is case sensitive; otherwise, you get an empty result.

To get both the Department and Manager properties, we need to format the output using the following line.

PS C:\> Get-MgUser -UserId AzureUser@testdomain.com -Property Department -ExpandProperty Manager | select Department, @{N="Manager"; E={$_.Manager.AdditionalProperties.displayName}}

Department      Manager
----------      -------
Test Department Faris Bassam Malaeb

To update the Department property for this user, use the following line and see the results.

PS C:\> Update-MgUser -UserId AzureUser@testdomain.com -Department "My New Department"

Update-MgUser_UpdateExpanded: Insufficient privileges to complete the operation.

The "Update-MgUser_UpdateExpanded: Insufficient privileges to complete the operation" error is a common error, and you might face it while working with the MS Graph API. Granting the user the ability to connect to an endpoint might not be enough.

If a user is granted the User.ReadWrite.All scope but is not assigned the proper role that gives the user the ability to update users' information, then the operation will fail.

To troubleshoot this issue, first make sure the user is connected and has the required scope, User.ReadWrite.All.

Connect-MgGraph -Scopes User.ReadWrite.All

Remember to use (Get-MgContext).Scopes to see the available scopes for the connected user or app.

No need to close PowerShell or disconnect the active session. Using Connect-MgGraph with the new scope adds the required scope to the user. But the user needs to accept the new permission scope.

If the error is still present and you cannot update the user information, then you need to assign the user the required role. In this case, the User Administrator role.

Here are the full results.

# Confirm the required scope User.ReadWrite.All
PS C:\Users> (Get-MgContext).Scopes
Group.Read.All
openid
profile
User.Read
User.Read.All
User.ReadWrite.All
email

# Before assigning the User Administrator AD role
PS C:\Users> Update-MgUser -UserId AzureUser@testdomain.com -Department 'My New Department'
Update-MgUser_UpdateExpanded: Insufficient privileges to complete the operation

# After assigning the User Administrator AD role
PS C:\Users> Update-MgUser -UserId AzureUser@testdomain.com -Department 'My New Department'

# To confirm
PS C:\Users> Get-MgUser -UserId AzureUser@testdomain.com -Property Department | Select-Object Department

Department
----------
My New Department

Adding a user's role might take a few minutes, so be patient. In my case, it took almost 30 minutes.

So it's a cross between the Graph API scope and what role the user has. The effective permission is the least-privilege permission, so even if the user has the User Administrator role but did not set the connection scope, the operation fails. So make sure to use both instead of wasting your time troubleshooting why the cmdlet is not working.
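The triage order described above, scope first and role second, as an added example that is not part of the original article: it compares the scopes a command accepts with the scopes the session holds and says which side of the intersection to look at. Test-MgCommandScope is a hypothetical helper name, and the scope lists in the demonstration are constructed sample data so the block runs without a tenant.

```powershell
# Added example. Test-MgCommandScope is a hypothetical helper; Find-MgGraphCommand
# and Get-MgContext are the SDK cmdlets used earlier in this article.
function Test-MgCommandScope {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Command,

        # Scopes the command accepts. Default: ask Find-MgGraphCommand (v1.0 only).
        [string[]]$AcceptedScope,

        # Scopes the session holds. Default: read them from Get-MgContext.
        [string[]]$GrantedScope
    )

    if (-not $PSBoundParameters.ContainsKey('AcceptedScope')) {
        $AcceptedScope = (Find-MgGraphCommand -Command $Command -ApiVersion v1.0 |
            Select-Object -First 1 -ExpandProperty Permissions).Name
    }
    if (-not $PSBoundParameters.ContainsKey('GrantedScope')) {
        $context = Get-MgContext
        if (-not $context) { throw 'No Graph session. Run Connect-MgGraph first.' }
        $GrantedScope = $context.Scopes
    }

    # -contains compares strings case-insensitively, which suits scope names.
    $usable = @($AcceptedScope | Where-Object { $GrantedScope -contains $_ })

    if ($usable.Count -gt 0) {
        $diagnosis = 'Scope side is satisfied. If the call still returns "Insufficient ' +
                     'privileges", check the directory role of the signed-in user.'
    }
    else {
        $diagnosis = 'No accepted scope in this session. Reconnect with Connect-MgGraph ' +
                     '-Scopes and one of the accepted scopes, then consent.'
    }

    [pscustomobject]@{
        Command       = $Command
        ScopeOk       = $usable.Count -gt 0
        UsableScopes  = $usable
        AcceptedScope = $AcceptedScope
        Diagnosis     = $diagnosis
    }
}

# Constructed sample data: two scopes the article's output lists for Update-MgUser,
# plus User.ReadWrite.All, the scope the article reconnects with.
$accepted = 'DeviceManagementApps.ReadWrite.All', 'Directory.AccessAsUser.All', 'User.ReadWrite.All'

# Session opened with User.Read.All only: the update fails on the scope side.
$before = Test-MgCommandScope -Command Update-MgUser -AcceptedScope $accepted `
    -GrantedScope 'openid', 'profile', 'email', 'User.Read', 'User.Read.All'

# Same session after Connect-MgGraph -Scopes User.ReadWrite.All: what remains is the role.
$after = Test-MgCommandScope -Command Update-MgUser -AcceptedScope $accepted `
    -GrantedScope 'openid', 'profile', 'email', 'User.Read', 'User.Read.All', 'User.ReadWrite.All'

$before, $after | Format-List Command, ScopeOk, UsableScopes, Diagnosis
```

In a connected session, call Test-MgCommandScope -Command Update-MgUser with no other arguments so both lists come from the SDK.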

Conclusion

Microsoft Graph SDK is the direction. It came with a new way of handling authentication and authorization, which needs more attention. This can be confusing, but think about how it secures your scripts and the users: the user needs to accept and consent to each permission, which limits unwanted access.
