
Hello @CPO, you can remove delegated permissions for a specific user using the Remove-MgOauth2PermissionGrant command.
Keep in mind that there may be two delegated permission grants authorizing an application to act on behalf of a user when calling an API. This can happen when a user consents for the application on their own behalf (creating an oAuth2PermissionGrant with consentType Principal, identifying the user) and then an administrator grants tenant-wide admin consent on behalf of all users (creating a second oAuth2PermissionGrant with consentType of AllPrincipals). You can use the same command to delete the latter.
Also, to prevent the user from obtaining new access tokens using any previously issued refresh token, use the Invoke-MgBetaInvalidateUserRefreshToken command.
Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.
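
The steps in the answer above, combined into one function as an added example (not code from the original answer). The function name `Revoke-UserDelegatedGrant`, its parameters, the app ID and the UPN are hypothetical placeholders; the requested Graph scopes are an assumption about what your tenant allows.

```powershell
# Added example. Cmdlets come from Microsoft.Graph.Applications, Microsoft.Graph.Users,
# Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Beta.Users.Actions.
Connect-MgGraph -Scopes 'DelegatedPermissionGrant.ReadWrite.All','Application.Read.All','User.ReadWrite.All'

function Revoke-UserDelegatedGrant {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ClientAppId,        # appId of the client application
        [Parameter(Mandatory)] [string] $UserPrincipalName,  # user whose consent is revoked
        [switch] $IncludeTenantWide                          # also remove AllPrincipals grants (affects every user)
    )

    # oAuth2PermissionGrant.clientId is the service principal object ID, not the appId.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$ClientAppId'"
    if (-not $sp) { throw "No service principal found for appId $ClientAppId" }
    $user = Get-MgUser -UserId $UserPrincipalName

    # All delegated grants for this client, then keep the user's own grant
    # (consentType Principal) and, only if asked, the admin-consent grant (AllPrincipals).
    $grants  = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
    $targets = @($grants | Where-Object {
        ($_.ConsentType -eq 'Principal' -and $_.PrincipalId -eq $user.Id) -or
        ($IncludeTenantWide -and $_.ConsentType -eq 'AllPrincipals')
    })

    foreach ($g in $targets) {
        $desc = '{0} grant {1} (scopes: {2})' -f $g.ConsentType, $g.Id, "$($g.Scope)".Trim()
        if ($PSCmdlet.ShouldProcess($desc, 'Remove delegated permission grant')) {
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
        }
    }

    # Refresh tokens issued before the grant was removed stay usable until invalidated.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, 'Invalidate refresh tokens')) {
        Invoke-MgBetaInvalidateUserRefreshToken -UserId $user.Id | Out-Null
    }

    # Return what was targeted so the change can be recorded.
    $targets | Select-Object Id, ConsentType, PrincipalId, Scope
}

# Dry run with constructed placeholder values; drop -WhatIf to apply.
Revoke-UserDelegatedGrant -ClientAppId '00000000-0000-0000-0000-000000000000' `
    -UserPrincipalName 'user@contoso.example' -WhatIf
```

Run it with `-WhatIf` first and review the listed grants; `-IncludeTenantWide` removes the admin-consent grant for every user of the application, not only the named one.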