How to reduce the default permissions assigned to the MSGraph PowerShell enterprise app

Question

How to reduce the default permissions assigned to the MSGraph PowerShell enterprise app

Borchert, Eric 20

We are relatively new to Azure and our Cloud team is concerned about the default permissions that are assigned within the Microsoft Graph PowerShell enterprise app. They are looking to lock it down to read-only so it can never be used to make any programmatic changes within the entire Azure environment. Is this possible?

They are not opposed to making a copy of the enterprise app and name it Microsoft Graph PowerShell read-only, but want to know if that is the best option.

Your comments would be greatly appreciated.

Carolyne-3676 381 Reputation points

2023-10-17T10:54:57.6333333+00:00

There is guidance on revoking permissions of an Enterprise App as detailed in the documentation here - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-application-permissions?pivots=portal#review-and-revoke-permissions

I quickly tried to repro this on my end and the permissions assigned to this app are specifically though that have been consented to by the Admin. I am also able to revoke any permissions.
In the event there is anything you have configured processes that requires write permissions specifically having a dependency to MS Graph PowerShell, ensure that you adjusted/amended accordingly since only read permissions will cause any tasks to fail.
I am also checking with the relevant Product Group for any further guidance and will revert on the thread should they share new insights.
Carolyne-3676 381 Reputation points

2023-10-18T06:38:59.4333333+00:00

I have checked with the relevant product group on this and they have confirmed my earlier comment above.

Accepted answer

1 additional answer

Your answer

Carolyne-3676 381 Reputation points

2023-10-17T10:54:57.6333333+00:00

There is guidance on revoking permissions of an Enterprise App as detailed in the documentation here - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-application-permissions?pivots=portal#review-and-revoke-permissions

I quickly tried to repro this on my end and the permissions assigned to this app are specifically though that have been consented to by the Admin. I am also able to revoke any permissions.
In the event there is anything you have configured processes that requires write permissions specifically having a dependency to MS Graph PowerShell, ensure that you adjusted/amended accordingly since only read permissions will cause any tasks to fail.
I am also checking with the relevant Product Group for any further guidance and will revert on the thread should they share new insights.
Carolyne-3676 381 Reputation points

2023-10-18T06:38:59.4333333+00:00

I have checked with the relevant product group on this and they have confirmed my earlier comment above.

Answer 1

Carolyne-3676 381

There is guidance on revoking permissions of an Enterprise App as detailed in the documentation here - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-application-permissions?pivots=portal#review-and-revoke-permissions

In the event there is anything you have configured processes that requires write permissions specifically having a dependency to MS Graph PowerShell, ensure that you adjusted/amended accordingly since only read permissions will cause any tasks to fail.

Borchert, Eric 20 Reputation points

2023-10-18T13:31:15.5533333+00:00

Thank you. The article offers some very good topics related to our issue.

Answer 2

Andy David - MVP 157.8K MVP Volunteer Moderator

Consider limiting access to the default Graph Enterprise App by assigning only those users that need access to it and set the settings on the app itself to require assignment.

You can use the sign in logs to see who has been using it. After that, you can require any users who need access to either request access and you add them to the existing enterprise app or make them register and consent their own app for their needs.

User's image

Borchert, Eric 20 Reputation points

2023-10-18T13:29:52.9566667+00:00

That part, we understand and have been doing. We want to know whether the MSGraph app will operate as designed if we restrict it to read-only for all permissions for all Azure services, (i.e. no one can use MSGraph to update a group membership or create a VM) or, based on user consent, only a select few will have the ability to create/modify/delete, but the remaining folks will have read-only.
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator

2023-10-18T14:39:34.6033333+00:00

How would you make it read-only?
Borchert, Eric 20 Reputation points

2023-10-18T15:30:31.3866667+00:00

That is the question. I am looking for ways to make it read-only or to create a new version of the MSGraph EntApp and make that one read-only.

Share via

How to reduce the default permissions assigned to the MSGraph PowerShell enterprise app

1 additional answer

Your answer