The oAuth2PermissionGrant object keeps a record of user consented permissions (Delegated Permissions) in a tenant. There is one OAuth2PermissionGrant object (identified by Consent ID) for each combination of client application, resource application, and user. The sample PowerShell script in this post will perform the following tasks:

  1. Remove all MS Graph Delegated permissions (if any) for the user
  2. Perform user consent for an initial set of MS Graph permission
  3. Update the consented permission list with some additional permissions
  4. Remove some permissions from the consented permission list
  5. Remove (revoke) all consented permissions for the user


This post assumes you already have an app registration created in your tenant and a user you intend to perform consent on.

Note: There might be a short time delay for the permissions to get updated in the portal

For removing Admin Consented Delegated permission refer to Revoke Admin Consent for a delegated permission on a Service Principal with the MS Graph PowerShell SDK | Azure Active Directory Developer Support Team ( for more info

Leave a Comment