How can I revoke the access granted to a web application to my organization's Azure AD?

Anns 61 Reputation points
2023-04-04T13:15:09.6133333+00:00

I have an Azure AD tenant (global admin) account to manage users. Using the consent framework "prompt=admin_consent", I granted access rights to one of my web applications already registered in Azure AD (which is managed by me) to use the Graph API for Office 365 services. After granting access using admin consent, all my Azure AD users are able to authenticate themselves against Azure AD. But after getting the access token from the backend I identified that I had granted fewer perms than needed to fulfill my task, so I added the remaining perms in the Azure AD web app and followed the OAuth process again. I got the new and old perms in my access token, but in a third-party organization's account the newly added perms are still missing. We tried to remove the access granted to the web app in order to revoke it and re-configure the third-party organization's account, but we are unable to see the application the access was granted to using https://myapps.microsoft.com. How can we revoke the access granted to my or a third-party application from my or a third-party organization's Azure AD?

I have added all the required scopes (old + newly added) in my authorization URL and in the web application's API permissions in Azure AD.


Accepted answer
  1. Vasil Michev 119.7K Reputation points MVP Volunteer Moderator
    2023-04-04T13:30:33.56+00:00

    You shouldn't need to remove the app, just re-trigger the consent process and have an admin from the other tenant complete it. This will result in adding the required permissions. Otherwise, you can either remove the app entry under Azure AD blade > Enterprise apps (you cannot do the same task via the myApps portal), or use PowerShell to remove individual permission entries. You can get a list of the relevant cmdlets by selecting the app under Enterprise apps > Permissions > Review permissions > select This application has more permissions than I want. Here's a sample set of cmdlets to use:

    Connect-AzureAD
    
    # Get the service principal (the Enterprise apps entry) using its object ID
    $sp = Get-AzureADServicePrincipal -ObjectId "db23f88f-d49d-42b0-b30c-bc3cad9bf224"
    
    # Get all delegated permissions (OAuth2 permission grants) where this service principal is the client
    $spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true | Where-Object { $_.ClientId -eq $sp.ObjectId }
    
    # Remove all delegated permissions
    $spOAuth2PermissionsGrants | ForEach-Object {
        Remove-AzureADOAuth2PermissionGrant -ObjectId $_.ObjectId
    }
    
    # Get all application permissions (app role assignments) for the service principal
    $spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }
    
    # Remove all application permissions
    $spApplicationPermissions | ForEach-Object {
        Remove-AzureADServiceAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.ObjectId
    }
    
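The accepted answer's sample removes every grant for the app at once and uses the AzureAD module, which Microsoft has since deprecated in favour of the Microsoft Graph PowerShell SDK. The script below is an added example, not part of the answer or of any Microsoft sample: it lists what the app's service principal has actually been granted in the tenant (tenant-wide admin consent versus individual user consent, and application permissions separately), and can revoke just one named scope, trimming it out of a multi-scope grant instead of deleting the whole grant. It assumes the Microsoft.Graph.Applications module is installed, that the caller holds the listed Graph scopes, and that the placeholder application (client) ID and the sample scope name `Mail.Read` are replaced with real values.

```powershell
# Added example (not from the original answer): audit and selectively revoke
# consent grants for one client app with the Microsoft Graph PowerShell SDK.
# Assumes Microsoft.Graph.Applications is installed; $AppId is a placeholder.
param(
    [string]$AppId = "00000000-0000-0000-0000-000000000000",  # placeholder app (client) ID
    [string]$ScopeToRevoke = "",   # e.g. "Mail.Read"; empty string = act on every grant
    [switch]$Revoke                # dry run by default: only lists, removes nothing
)

Connect-MgGraph -Scopes "Application.Read.All",
                        "DelegatedPermissionGrant.ReadWrite.All",
                        "AppRoleAssignment.ReadWrite.All"

# The Enterprise apps entry for the client app in this tenant is its service principal
$sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
if (-not $sp) { throw "No service principal for appId $AppId exists in this tenant" }

# --- Delegated permissions: oauth2PermissionGrant objects where this SP is the client.
# ConsentType 'AllPrincipals' = admin consent for the whole tenant;
# 'Principal' = one user's own consent (PrincipalId is that user).
$grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All
foreach ($g in $grants) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    $scopes = "$($g.Scope)".Trim() -split '\s+' | Where-Object { $_ }
    "{0,-14} {1,-30} {2}" -f $g.ConsentType, $resource.DisplayName, ($scopes -join ' ')

    if (-not $Revoke) { continue }
    if ([string]::IsNullOrEmpty($ScopeToRevoke)) {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
        "  revoked whole grant $($g.Id)"
    }
    elseif ($scopes -contains $ScopeToRevoke) {
        $remaining = $scopes | Where-Object { $_ -ne $ScopeToRevoke }
        if ($remaining.Count -gt 0) {
            # Other scopes stay consented: rewrite the grant without the revoked one
            Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id -Scope ($remaining -join ' ')
            "  removed $ScopeToRevoke from grant $($g.Id); kept: $($remaining -join ' ')"
        }
        else {
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
            "  revoked grant $($g.Id) ($ScopeToRevoke was its only scope)"
        }
    }
}

# --- Application permissions: appRoleAssignment objects held by the client SP.
# The role's name lives on the resource SP's AppRoles list, keyed by AppRoleId.
$assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
foreach ($a in $assignments) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    "{0,-14} {1,-30} {2}" -f "Application", $resource.DisplayName, $role.Value

    $hit = [string]::IsNullOrEmpty($ScopeToRevoke) -or ($role.Value -eq $ScopeToRevoke)
    if ($Revoke -and $hit) {
        Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $a.Id
        "  revoked application permission $($role.Value) (assignment $($a.Id))"
    }
}
```

Run it once without `-Revoke` to see the listing, then with `-Revoke -ScopeToRevoke Mail.Read` to take back a single permission, or `-Revoke` alone to clear everything the answer's sample clears. Revoking a grant stops new tokens from being issued with that permission, but access tokens already handed out stay valid until they expire, so allow for that window when checking whether the app has really lost access. An admin in the third-party tenant has to run this against their own tenant, since the grants live there, not in the app owner's directory.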