MgGraph PowerShell

SenhorDolas 1,326 Reputation points
2024-07-03T15:36:10.0166667+00:00

Hi Everyone,

I need to clear the User Consent permissions on an Enterprise App so I can run the 3rd party app again and then grant "Consent on behalf of your organisation" so all users (assigned to the Ent App) can access it.

I'm using MgGraph PowerShell to remove permissions from an Enterprise App, and I get this pop-up:

```powershell
Connect-MgGraph -Scopes "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All"

# Get the service principal (enterprise app) by its object ID
$sp = Get-MgServicePrincipal -ServicePrincipalId xxxxxx

# Get the app role assignments granted to users/groups for this service principal
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All

# Remove all users and groups assigned to the application
$assignments | ForEach-Object {
    if ($_.PrincipalType -eq "User") {
        Remove-MgUserAppRoleAssignment -UserId $_.PrincipalId -AppRoleAssignmentId $_.Id
    } elseif ($_.PrincipalType -eq "Group") {
        Remove-MgGroupAppRoleAssignment -GroupId $_.PrincipalId -AppRoleAssignmentId $_.Id
    }
}
```


What is this for, and should I accept and grant "Consent on behalf of your organisation"?

Thanks, M

Windows for business | Windows Server | User experience | PowerShell
Microsoft Security | Microsoft Graph

1 answer

  1. Vasil Michev 123.5K Reputation points MVP Volunteer Moderator
    2024-07-03T16:52:56.01+00:00

    Those permissions are required for PowerShell's Remove-MgUserAppRoleAssignment cmdlet to work. Without them, the script above will fail.

    If you don't want to grant such permissions (and generally speaking you should not keep such permissions around, as they are quite sensitive), you can instead just delete the service principal object itself via the Entra admin portal. Select the SP > go to Properties > hit Delete. Then you can just re-consent to the app.

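The question asks how to clear user consent on an enterprise app, but the posted script removes app role assignments (the user and group assignments that control who can access the app), not the consent itself. In Entra ID, user consent is recorded as oauth2PermissionGrant objects on the app's service principal: ConsentType "Principal" for consent a single user gave, "AllPrincipals" for tenant-wide admin consent. The following is an added example, not code from the original question or answer, that enumerates and removes those grants with only the DelegatedPermissionGrant.ReadWrite.All scope already requested above. The object ID placeholder `xxxxxx` and the helper name `Remove-SpDelegatedGrants` are assumptions; it requires the Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules.

```powershell
# Added example: remove the delegated permission grants (user consent) recorded on an
# enterprise app's service principal so the app can be re-consented tenant-wide.
# Assumes the Microsoft.Graph.Applications and Microsoft.Graph.Identity.SignIns modules.
function Remove-SpDelegatedGrants {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Object ID of the enterprise app's service principal (the client of the grants)
        [Parameter(Mandatory)] [string] $ServicePrincipalId,
        # By default only per-user consent (ConsentType = Principal) is removed;
        # pass this switch to also drop tenant-wide admin consent (ConsentType = AllPrincipals).
        [switch] $IncludeTenantWide
    )

    # oauth2PermissionGrants where this service principal is the client
    $grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $ServicePrincipalId -All
    if (-not $grants) {
        Write-Host "No delegated permission grants found for $ServicePrincipalId."
        return
    }

    foreach ($g in $grants) {
        if ($g.ConsentType -eq 'AllPrincipals' -and -not $IncludeTenantWide) {
            Write-Verbose "Keeping tenant-wide grant $($g.Id) (scopes: $($g.Scope))"
            continue
        }
        $who = if ($g.ConsentType -eq 'Principal') { "user $($g.PrincipalId)" } else { 'all users' }
        # ShouldProcess honours -WhatIf and -Confirm so the run can be previewed first
        if ($PSCmdlet.ShouldProcess("grant $($g.Id) for $($who), scopes: $($g.Scope)", 'Remove')) {
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
        }
    }
}

# Only the delegated-grant scope is needed for this task; the app role assignment
# scopes from the question's script are not.
Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All"

$spObjectId = "xxxxxx"   # placeholder: object ID of the enterprise app's service principal

# Preview what would be removed, then remove the per-user consent for real
Remove-SpDelegatedGrants -ServicePrincipalId $spObjectId -WhatIf
Remove-SpDelegatedGrants -ServicePrincipalId $spObjectId -Confirm:$false
```

Run the `-WhatIf` pass first and read the listed scopes: a grant with ConsentType "AllPrincipals" is an existing tenant-wide admin consent, which is why the function leaves it alone unless `-IncludeTenantWide` is given. Removing the grants does not touch the user and group assignments on the app, so access stays restricted to the assigned principals, which is the opposite of what the script in the question does.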
