How to delete users who have granted permissions to delegate App Permissions.

CPO 61 Reputation points
2023-08-29T12:08:41.24+00:00

I have created a delegated app permission for accessing OneDrive. A user allows the app permission and all works OK. If the user then leaves the company and we need to revoke the permission, how can we do this in Azure?

Microsoft 365 and Office | OneDrive | For business | Windows
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Graph

3 answers

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2023-08-29T23:52:22.5166667+00:00

    Hello @CPO, you can remove delegated permissions for a specific user using the Remove-MgOauth2PermissionGrant command.

    Keep in mind that there may be two delegated permission grants authorizing an application to act on behalf of a user when calling an API. This can happen when a user consents for the application on their own behalf (creating an oAuth2PermissionGrant with consentType Principal, identifying the user) and then an administrator grants tenant-wide admin consent on behalf of all users (creating a second oAuth2PermissionGrant with consentType of AllPrincipals). You can use the same command to delete the latter.

    Also, to avoid the user obtaining new access tokens using any previously issued refresh token, use the Invoke-MgBetaInvalidateUserRefreshToken cmdlet.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and rate it so that others facing a similar issue can easily find a solution.

    1 person found this answer helpful.
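    A worked version of the cleanup described in this answer, added here as an example (it is not code from the answer, the question author, or Microsoft): it lists the app's delegated grants, removes the one scoped to the departing user, points out any tenant-wide AllPrincipals grant that would still cover that user, and then invalidates the user's refresh tokens. The app ID and user principal name are placeholders, the scope list is an assumption, and Revoke-MgUserSignInSession is the v1.0 cmdlet used here for the token step.

```powershell
# Added example; assumes the Microsoft.Graph PowerShell SDK is installed and the
# signed-in admin holds the scopes below. Replace the two placeholder values.
param(
    [string]$AppId = "00000000-0000-0000-0000-000000000000",   # placeholder: the app's (client) ID
    [string]$UserPrincipalName = "leaver@contoso.example",     # placeholder: the departing user
    [switch]$RemoveTenantWideGrant                              # also delete the AllPrincipals grant (affects every user)
)

Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All","Application.Read.All","User.ReadWrite.All" -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName
$sp   = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal for appId $AppId in this tenant." }

# Every delegated grant where this app is the client. Each object is one
# (client, resource, consentType, principal) tuple, so a user may have one
# per resource API, and an admin-consented AllPrincipals grant may sit beside them.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All

foreach ($g in $grants) {
    $isUserGrant   = ($g.ConsentType -eq 'Principal') -and ($g.PrincipalId -eq $user.Id)
    $isTenantGrant = ($g.ConsentType -eq 'AllPrincipals')

    if ($isUserGrant) {
        Write-Host "Removing user consent: scope='$($g.Scope)' resource=$($g.ResourceId)"
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
    }
    elseif ($isTenantGrant) {
        if ($RemoveTenantWideGrant) {
            Write-Host "Removing tenant-wide admin consent: scope='$($g.Scope)' (revokes it for ALL users)"
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
        }
        else {
            Write-Warning "Tenant-wide grant '$($g.Scope)' still lets the app act for this user; rerun with -RemoveTenantWideGrant to delete it."
        }
    }
}

# Deleting a grant does not recall tokens already issued. Invalidate the user's
# refresh tokens so the app cannot mint new access tokens from a cached one.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
```

    Run it without -RemoveTenantWideGrant first and read the warning, since deleting the AllPrincipals grant revokes the app for every user in the tenant, not just the leaver.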

  2. kalsoom430 5 Reputation points
    2023-08-29T12:26:58.6733333+00:00

    To revoke the delegated app permission for accessing OneDrive when a user leaves the company, you can follow these steps using the Azure portal:

    1. Sign in to the Azure Portal: Use your administrator credentials to log in to the Azure portal.
    2. Navigate to Azure Active Directory:
       • In the left-hand menu, click on "Azure Active Directory."
       • Under the "Manage" section, select "Enterprise applications."
    3. Find and Select the App:
       • Use the search bar or browse through the list to find the app that was granted permission to access OneDrive.
       • Click on the app's name to open its details page.
    4. Manage Permissions:
       • In the app's details page, go to the "Permissions" section. Here, you'll find a list of permissions granted to the app.
       • Locate the specific delegated permission related to OneDrive that you want to revoke.
    5. Revoke the Permission:
       • Click on the permission you want to revoke.
       • In the permission's details page, you should see a "Grant Permissions" section. Find the user who has left the company and revoke their permissions by clicking on the "Revoke" or "Remove" option next to their name.
    6. Confirm the Revocation:
       • A confirmation dialog might appear asking you to confirm the revocation. Confirm the action.
    7. Save Changes:
       • After confirming, save your changes. The app's permission to access the user's OneDrive will be revoked.

  3. Philippe Signoret (Microsoft) 406 Reputation points Microsoft Employee
    2023-08-30T16:23:24.4866667+00:00

    If the user account will be deleted, then just wait for that to happen--all the delegated permission grants for that user will be deleted as well.

    If you plan to keep the user account (e.g. disabled), but wish to delete the delegated permission grants, the best approach is what Alfredo Revilla mentions in his answer (the Remove-MgOAuth2PermissionGrant cmdlet).
