This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 68%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJW%3C/text%3E%3C/svg%3E)
What is the best practice as an app that has requested delegated user permissions when the user chooses to uninstall said app (or re-install the app in case where the scopes need to change)? I'm reading that to revoke the permissions via the API one requires the DelegatedPermissionGrant.ReadWrite scope to call the oAuth2PermissionGrant API. This seems to be more likely to trigger the admin approval for the app... I'm thinking that if I'm only requesting minimal scopes it's more likely the admin will not have to approve it for them or the org (as described in Consent experience for applications in Microsoft Entra ID).
I also see the note at the bottom of the grant or revoke permissions article which states:
This method of granting permissions using Microsoft Graph is an alternative to interactive consent and should be used with caution.
This is an app that would be installed by a wide variety of different users - so I'm expecting that in many circumstances the user should be able to approve the scopes for themselves and in other enterprise level cases they'd need their admin to approve it for their tenant. I'm looking for the best practice to be able to satisfy both cases. Here is what the scopes for the app in question currently look like:
And end user can revoke permissions he has granted to a third-party app via the MyApps portal: https://myapps.microsoft.com/
They will not be able to remove permissions if the admin has consented to them. Admin can also revoke delegate permissions on behalf of the user.
You as the app owner have no say in the process, unless your app is highly privileged one (i.e. has been granted the scopes you mentioned above).
Thank you for your reply. Follow-up question - let me know if I should ask it in a different thread...
Should we be listening for an event of some sort to remove the user's credentials and data from our side in case the user chooses to uninstall the app from https://myapps.microsoft.com/?
It's another case of "you have no say in the process". You can examine the token I suppose and check the scopes therein.
The actual event of removing user's consent can only be fetched via the Entra ID audit logs, which while possible for third-part apps, is another example of highly privileged permissions that your app will need.