Scenario: You use the Microsoft Graph Explorer tool to test a query. It requires you to consent to a permission, so you use your admin account to do this. However, you click the check box to consent for the entire organization… whoops! You did not mean to give everyone the “AuditLog.Read.All” permission, so now you need to revoke it. The easiest way to revoke consent is to delete the service principal; however, if custom settings or individual user consents are already applied to it, you will lose those as well when the service principal is deleted. What is the solution? Use the Microsoft Graph PowerShell SDK to remove just that consented permission from the service principal. This blog post will show you how to revoke permissions using the Microsoft Graph PowerShell SDK. I will use the MS Graph Explorer tool’s service principal as an example; however, this technique can be used to revoke permissions for any resource on a service principal.
- You need to find the service principal for the MS Graph Explorer tool in the Enterprise Applications blade of the portal. After signing in, open Enterprise Applications and type “Graph Explorer” in the search box, then find the entry that has the Homepage URL https://developer.microsoft.com/graph/graph-explorer; it will also have the Application ID de8bc8b5-d9f9-48b1-a8ad-b748da725064. Copy its Object Id to the clipboard.
- Enter that object Id in the PowerShell script variable $SPtoRemoveConsentOn as in this image:
- Add the app id of the resource that owns the permission. For this example, the Microsoft Graph resource owns the permission we are removing, so that is the variable $resourceAppThatOwnsScope. You can leave it as is for any Microsoft Graph permission. If you have created your own permission or are removing a permission for a different resource, then you will need the app id of the resource that owns the permission.
- Set the variable $scopeToRemove. For our example, we are removing the scope “AuditLog.Read.All”.
That is all that needs to be set for this example. For the sake of safety, the Update command has been commented out so that you can verify your details before actually executing the script. Once you’re satisfied with the output, you can uncomment the command “Update-MgOauth2PermissionGrant” to execute the change.
I have included in the script the actual commands that will be run for each step, so you can compare them with my output. My output (without running the update):
You can find my PowerShell script here in my GitHub. Line 42 in the script is the update line that should be uncommented when you’re ready to actually execute the change.
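The script below is an added worked example and is not the author's GitHub script; it walks the same steps the post describes with the same variable names ($SPtoRemoveConsentOn, $resourceAppThatOwnsScope, $scopeToRemove). It assumes the Microsoft.Graph PowerShell SDK is installed and that you sign in with an account allowed to manage delegated permission grants. The Microsoft Graph resource appId is the well-known value for that API; the Graph Explorer Object Id is a placeholder you paste in from the portal. The $DryRun switch, the empty-grant handling and the read-back verification at the end are my additions, mirroring the post's commented-out Update step.

```powershell
# Added example (not the post's script): remove one delegated scope from an
# org-wide (AllPrincipals) OAuth2 permission grant, leaving the service principal
# and any per-user (Principal) grants untouched.

# --- Inputs: set these before running -------------------------------------------
$SPtoRemoveConsentOn      = '<paste Object Id of the Graph Explorer service principal>'  # placeholder
$resourceAppThatOwnsScope = '00000003-0000-0000-c000-000000000000'  # well-known appId of Microsoft Graph
$scopeToRemove            = 'AuditLog.Read.All'
$DryRun                   = $true   # flip to $false only after checking the printed plan

# DelegatedPermissionGrant.ReadWrite.All: read and update oauth2PermissionGrants.
# Application.Read.All: resolve the resource service principal by appId.
Connect-MgGraph -Scopes 'DelegatedPermissionGrant.ReadWrite.All', 'Application.Read.All' | Out-Null

# Step 1: resolve the API that owns the scope (its service principal object id is the grant's resourceId).
$resourceSp = Get-MgServicePrincipal -Filter "appId eq '$resourceAppThatOwnsScope'"
if (-not $resourceSp) { throw "No service principal found for appId $resourceAppThatOwnsScope" }

# Step 2: find the tenant-wide grant. consentType 'AllPrincipals' is exactly the
# "consent on behalf of your organization" check box; 'Principal' grants are per-user and are left alone.
$grant = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$SPtoRemoveConsentOn' and resourceId eq '$($resourceSp.Id)' and consentType eq 'AllPrincipals'")
if ($grant.Count -eq 0) { throw "No org-wide grant from $SPtoRemoveConsentOn to $($resourceSp.DisplayName)" }
if ($grant.Count -gt 1) { throw "Expected one AllPrincipals grant, found $($grant.Count)" }
$grant = $grant[0]

# Step 3: scope is one space-separated string; drop the unwanted entry (-ne is case-insensitive).
$current   = @($grant.Scope -split ' ' | Where-Object { $_ -ne '' })
$remaining = @($current | Where-Object { $_ -ne $scopeToRemove })

if ($current.Count -eq $remaining.Count) {
    Write-Warning "'$scopeToRemove' is not in this grant; nothing to do. Current scope: $($grant.Scope)"
    return
}

Write-Host "Grant id      : $($grant.Id)"
Write-Host "Resource      : $($resourceSp.DisplayName)"
Write-Host "Current scope : $($grant.Scope)"
Write-Host "New scope     : $($remaining -join ' ')"

if ($DryRun) {
    Write-Host 'Dry run; no change made. Set $DryRun = $false to apply.'
    return
}

# Step 4: apply. A grant with no scopes left is removed rather than emptied.
if ($remaining.Count -eq 0) {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
    Write-Host "Removed the now-empty grant $($grant.Id)"
    return
}
Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope ($remaining -join ' ')

# Step 5: read the grant back and confirm the scope is really gone.
$after = Get-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
if (($after.Scope -split ' ') -contains $scopeToRemove) {
    Write-Warning "Scope '$scopeToRemove' still present after update: $($after.Scope)"
} else {
    Write-Host "Verified scope : $($after.Scope)"
}
```

Run it once with $DryRun left at $true, compare the printed current and new scope against what you expect (and check that only one AllPrincipals grant came back), then set $DryRun to $false and run it again. Because the filter pins clientId, resourceId and consentType, the script cannot touch grants for other APIs or the individual user consents the post warns about losing.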