DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’»

DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’» is a community of 970,177 amazing developers

We're a place where coders share, stay up-to-date and grow their careers.

Create account Log in
Cover image for Manage Azure AD Enterprise Applications permissions using Microsoft Graph PowerShell
SRINIVAS VARUKALA
SRINIVAS VARUKALA

Posted on

Manage Azure AD Enterprise Applications permissions using Microsoft Graph PowerShell

Recently I was asked this question:

Is it supported to revoke permissions (selectively) for an enterprise application?

This blogpost shows how to manage enterprise applications permissions. Note that Azure Portal UI doesn't allow these actions, so you have to rely on some scripting. Hence this blog post.

What is an enterprise application?

I will take a snippet from one of my old posts to save some time.
snippet explaining enterprise application in Azure AD

To list permissions of an Enterprise Application

To get the list of permissions granted for a given service application you can use script posted to my GitHub Gist. Here is example output:
Sample out of PS script

To revoke existing permissions of an Enterprise Application

Let's take Waldo App as an example. Here is the enterprise application of Waldo app. Note the object id of this service principal.
Sample output of PS script
Next, view the permissions granted for this app. You can see the permissions in two tabs:

  • Admin consent and
  • User consent. Image showing AAD app permisisons To get the permissions grant for the Waldo app, run below cmdlet with its Object Id.
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId 090beef1-f5b6-4f35-9326-6d8596e42942
Enter fullscreen mode Exit fullscreen mode

ConsentType column in the output signifies if its the Admin consent (AllPrincipals) or User consent (Principal) permissions.
Sample output of PS script

Revoke all the permissions

You can remove all the permissions completely using below cmdlet and passing the ID value from the output as the GrantId:

Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId 8e4LCbb1NU-TJm2FluQpQjqF4W-UGkRLtzPexGZThns
Enter fullscreen mode Exit fullscreen mode

Revoke the permissions selectively

In order to remove the permissions (aka scopes) selectively. Here is an example. Let's say I want to remove "User.Read" and "Directory.Read.All" scopes but retain other scopes. Create an array for the scopes to be removed:

$permissionsToRemove = @("User.Read", "Directory.Read.All")
Enter fullscreen mode Exit fullscreen mode

Get the grants using the object id:

$grant = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId 090beef1-f5b6-4f35-9326-6d8596e42942
$grant.Scope
Enter fullscreen mode Exit fullscreen mode

Here is the sample output of the scopes that are already granted:

Place.Read.All offline_access User.Read User.ReadBasic.All User.Read.All Directory.Read.All Calendars.ReadWrite openid ChatMessage.Send Chat.ReadBasic Chat.Create

Create a new array of scopes by removing the unwanted scopes.

$permissionsToRemove = $permissionsToRemove | % { $_.ToLower() }
$newPermissions = $grant.Scope.Split(" ") | ? { -not $permissionsToRemove.Contains($_.ToLower()) }
$newScope = $newPermissions -join " "
Enter fullscreen mode Exit fullscreen mode

Finally update the grant with the new scopes using the grant id.

Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope $newScope
Enter fullscreen mode Exit fullscreen mode

Here is a sample run of the above cmdlets:
Sample output of PS script

After removing the 2 scopes here is the current permissions:
Image showing changed permissions of the app

To grant permissions to an enterprise application

Below is a sample script that shows how to add Microsoft Graph permissions to an enterprise application.

# The object id of the enterprise application 
$ObjectId = "b29d7573-2f76-49b6-b660-cc85b34fe516"
# Add the correct Graph scope to grant (e.g. User.Read)
$graphScope = "Sites.Selected"

Connect-MgGraph -Scope AppRoleAssignment.ReadWrite.All

# Get the Microsoft Graph service principal
$graph = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# Get the graph app role for the scope that we want to grant
$graphAppRole = $graph.AppRoles | ? Value -eq $graphScope

# Prepare the app role assignment
$appRoleAssignment = @{
    "principalId" = $ObjectId
    "resourceId"  = $graph.Id
    "appRoleId"   = $graphAppRole.Id
}

# Grant the app role
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ObjectID -BodyParameter $appRoleAssignment | Format-List

Enter fullscreen mode Exit fullscreen mode

The above script uses the AppRoleAssignment.ReadWrite.All which is a privileged permission. You can grant application permissions using app grant consent policy which doesn't require the privileged permissions. Here is a blog post from Sahil Malik that goes into details of how its done.

Top comments (0)

Update Your DEV Experience Level:

Settings

Go to your customization settings to nudge your home feed to show content more relevant to your developer experience level. πŸ›