Recommended approach for revoking permissions on uninstall (delegated permissions)

Jason Whitwill 20 Reputation points
2025-02-07T21:01:12.9466667+00:00

What is the best practice as an app that has requested delegated user permissions when the user chooses to uninstall said app (or re-install the app in the case where the scopes need to change)? I'm reading that to revoke the permissions via the API one requires the DelegatedPermissionGrant.ReadWrite scope to call the oAuth2PermissionGrant API. This seems to be more likely to trigger the admin approval for the app... I'm thinking that if I'm only requesting minimal scopes it's more likely the admin will not have to approve it for them or the org (as described in Consent experience for applications in Microsoft Entra ID).

I also see the note at the bottom of the grant or revoke permissions article which states:

This method of granting permissions using Microsoft Graph is an alternative to interactive consent and should be used with caution.

This is an app that would be installed by a wide variety of different users - so I'm expecting that in many circumstances the user should be able to approve the scopes for themselves and in other enterprise level cases they'd need their admin to approve it for their tenant. I'm looking for the best practice to be able to satisfy both cases. Here is what the scopes for the app in question currently look like:

[Screenshot 2025-02-07 at 3.56.05 PM]

Microsoft Security | Microsoft Graph

Accepted answer
  1. Vasil Michev 119.8K Reputation points MVP Volunteer Moderator
    2025-02-08T15:43:08.0533333+00:00

    An end user can revoke permissions he has granted to a third-party app via the MyApps portal: https://myapps.microsoft.com/

    They will not be able to remove permissions if the admin has consented to them. An admin can also revoke delegated permissions on behalf of the user.

    You as the app owner have no say in the process, unless your app is a highly privileged one (i.e. has been granted the scopes you mentioned above).
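
The distinction drawn in the answer above, shown as an added example that is not part of the original question or answer: it reads an `oauth2PermissionGrants` listing, separates user consent (`consentType` of `Principal`) from admin consent (`AllPrincipals`), and builds the `DELETE` requests a tenant admin would send. The grant ids, service principal ids and sample records are constructed, and sending the requests needs the privileged grant-management scope discussed in the question.

```python
GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample of GET /oauth2PermissionGrants (ids are placeholders).
SAMPLE_GRANTS = [
    {"id": "grant-user-a", "clientId": "sp-app", "consentType": "Principal",
     "principalId": "user-a", "resourceId": "sp-graph", "scope": "User.Read Mail.Read"},
    {"id": "grant-user-b", "clientId": "sp-app", "consentType": "Principal",
     "principalId": "user-b", "resourceId": "sp-graph", "scope": " User.Read offline_access"},
    {"id": "grant-tenant", "clientId": "sp-app", "consentType": "AllPrincipals",
     "principalId": None, "resourceId": "sp-graph", "scope": "User.Read Calendars.Read"},
    {"id": "grant-other", "clientId": "sp-other", "consentType": "Principal",
     "principalId": "user-a", "resourceId": "sp-graph", "scope": "Files.Read"},
]

def classify(grant):
    """Summarise who consented and which delegated scopes the grant carries."""
    admin = grant["consentType"] == "AllPrincipals"
    return {"granted_by": "admin" if admin else "user",
            "principal": grant.get("principalId"),
            "scopes": sorted(grant["scope"].split())}

def plan_revocation(grants, client_sp_id, user_id=None, include_tenant_wide=False):
    """Build DELETE requests for one app's delegated grants.

    user_id limits user-consent grants to a single user. Tenant-wide grants
    are skipped unless include_tenant_wide is set, since deleting one removes
    the permission for every user in the tenant.
    """
    plan = []
    for g in grants:
        if g["clientId"] != client_sp_id:
            continue
        info = classify(g)
        if info["granted_by"] == "admin" and not include_tenant_wide:
            continue
        if info["granted_by"] == "user" and user_id not in (None, g["principalId"]):
            continue
        url = f"{GRAPH}/oauth2PermissionGrants/{g['id']}"
        plan.append({"method": "DELETE", "url": url, **info})
    return plan

def effective_scopes(grants, client_sp_id, user_id):
    """Scopes the app still holds for user_id: own grant plus tenant-wide grant.
    Simplification: scopes are pooled across resources instead of per resourceId."""
    scopes = set()
    for g in grants:
        if g["clientId"] == client_sp_id and (
                g["consentType"] == "AllPrincipals" or g["principalId"] == user_id):
            scopes.update(g["scope"].split())
    return sorted(scopes)
```

Running `effective_scopes` on the grants left after a user-level revocation shows what the tenant-wide grant still gives the app for that user.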

