remove read.ai

David Look 1 Reputation point
2025-02-28T20:38:24.5666667+00:00

Trying to remove app read.ai, the remove permission script does not work (L19 error)

    Connect-MgGraph

    # Get Service Principal using objectId
    $sp = Get-MgServicePrincipal -ServicePrincipalId d93d64c5-914a-4c04-be1b-0b4f70252a1b

    # Get all delegated permissions for the service principal
    $spOAuth2PermissionsGrants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All

    # Remove all delegated permissions
    $spOAuth2PermissionsGrants | ForEach-Object {
      Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
    }

    # Get all application permissions for the service principal
    $spApplicationPermissions = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id

    # Remove all app role assignments
    $spApplicationPermissions | ForEach-Object {
      Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $_.PrincipalId -AppRoleAssignmentId $_.Id
    }


         | Insufficient privileges to complete the operation.  Status: 403 (Forbidden) ErrorCode:
         | Authorization_RequestDenied Date: 2025-02-28T20:32:16  Headers: Cache-Control                 : no-cache Vary
         | : Accept-Encoding Strict-Transport-Security     : max-age=31536000 request-id                    :
         | e60fdf3a-f2ab-4950-a765-fd54762bf969 client-request-id             : a8e6db3a-068e-4a7b-8156-29f6b95b4b4e
         | x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"South Central
         | US","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"SA2PEPF00004309"}} x-ms-resource-unit            :
         | 1 Date                          : Fri, 28 Feb 2025 20:32:15 GMT
      Recommendation: See service error codes: https://learn.microsoft.com/graph/errors

    Remove-MgOauth2PermissionGrant_Delete: C:\bin\Read\RevokePerm.ps1:11
    Line |
      11 |      Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
         |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         | Insufficient privileges to complete the operation.  Status: 403 (Forbidden) ErrorCode:
         | Authorization_RequestDenied Date: 2025-02-28T20:32:16  Headers: Cache-Control                 : no-cache Vary
         | : Accept-Encoding Strict-Transport-Security     : max-age=31536000 request-id                    :
         | 2e5219ca-dd8b-440e-8916-e551d59891ea client-request-id             : ee3c4f99-d457-4501-8de2-7104e9623d44
         | x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"South Central
         | US","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"SA2PEPF00004309"}} x-ms-resource-unit            :
         | 1 Date                          : Fri, 28 Feb 2025 20:32:15 GMT
      Recommendation: See service error codes: https://learn.microsoft.com/graph/errors

    Remove-MgServicePrincipalAppRoleAssignment_Delete: C:\bin\Read\RevokePerm.ps1:19
    Line |
      19 |      Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $_ …
         |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         | Insufficient privileges to complete the operation.  Status: 403 (Forbidden) ErrorCode:
         | Authorization_RequestDenied Date: 2025-02-28T20:32:17  Headers: Cache-Control                 : no-cache Vary
         | : Accept-Encoding Strict-Transport-Security     : max-age=31536000 request-id                    :
         | 04ff1a9b-b193-4b6e-b0d2-606834858bfc client-request-id             : 52afbab3-f09c-4a83-995e-5dbf1102d02b
         | x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"South Central
         | US","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"SA2PEPF00004309"}} x-ms-resource-unit            :
         | 1 Date                          : Fri, 28 Feb 2025 20:32:16 GMT
      Recommendation: See service error codes: https://learn.microsoft.com/graph/errors

    Remove-MgServicePrincipalAppRoleAssignment_Delete: C:\bin\Read\RevokePerm.ps1:19
    Line |
      19 |      Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $_ …
         |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         | Insufficient privileges to complete the operation.  Status: 403 (Forbidden) ErrorCode:
         | Authorization_RequestDenied Date: 2025-02-28T20:32:17  Headers: Cache-Control                 : no-cache Vary
         | : Accept-Encoding Strict-Transport-Security     : max-age=31536000 request-id                    :
         | cabda20a-65b1-4b5b-be27-3c2a211a9d69 client-request-id             : 2898abae-d261-4e1f-86be-e9c955c6c40a
         | x-ms-ags-diagnostic           : {"ServerInfo":{"DataCenter":"South Central
         | US","Slice":"E","Ring":"5","ScaleUnit":"000","RoleInstance":"SA2PEPF00004309"}} x-ms-resource-unit            :
         | 1 Date                          : Fri, 28 Feb 2025 20:32:16 GMT
      Recommendation: See service error codes: https://learn.microsoft.com/graph/errors

    Remove-MgServicePrincipalAppRoleAssignment_Delete: C:\bin\Read\RevokePerm.ps1:19
    Line |

rerror -

Microsoft Security Microsoft Graph
Microsoft Security Microsoft Entra Other

1 answer

  1. Vasil Michev 119.5K Reputation points MVP Volunteer Moderator
    2025-03-02T16:27:40.3033333+00:00

    You are not meeting the permission requirements for these cmdlets, it seems. Make sure you are connected with an account that has the required role assigned (Cloud Application admin or Global Admin), and also make sure the Graph module has been granted sufficient permissions by running:

    Connect-MgGraph -Scopes DelegatedPermissionGrant.ReadWrite.All,  AppRoleAssignment.ReadWrite.All, Application.Read.All
    

    and grant consent if prompted.

    0 comments No comments
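
The check the answer implies, as an added example that is not part of the original thread: it confirms the Graph session carries the three scopes the answer names before any delete runs, then revokes the permissions and re-reads them. The object ID is the one from the question; the variable names, the exact-match scope check and the fail-fast behaviour are choices made for this example.

```powershell
# Added example (not from the thread). Requires the Microsoft Graph PowerShell SDK.
$ErrorActionPreference = 'Stop'   # stop on the first failed call instead of continuing

# Scopes named in the answer; object ID taken from the question.
$required = 'DelegatedPermissionGrant.ReadWrite.All',
            'AppRoleAssignment.ReadWrite.All',
            'Application.Read.All'
$spObjectId = 'd93d64c5-914a-4c04-be1b-0b4f70252a1b'

Connect-MgGraph -Scopes $required

# Compare what the session actually holds with what the deletes need.
# The answer identifies missing permissions as the likely cause of the
# 403 Authorization_RequestDenied errors shown in the question.
$granted = (Get-MgContext).Scopes
$missing = $required | Where-Object { $_ -notin $granted }
if ($missing) {
    throw "Session is missing scopes: $($missing -join ', ')"
}

$sp = Get-MgServicePrincipal -ServicePrincipalId $spObjectId

# Delegated permissions (OAuth2 permission grants) held by the app.
$grants = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)
foreach ($g in $grants) {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
}

# Application permissions (app role assignments) held by the app.
$assignments = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)
foreach ($a in $assignments) {
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $a.PrincipalId `
        -AppRoleAssignmentId $a.Id
}

# Verify: re-read both collections and report what is left.
$leftGrants = @(Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)
$leftRoles  = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)
[pscustomobject]@{
    ServicePrincipal     = $sp.DisplayName
    GrantsRemoved        = $grants.Count
    AssignmentsRemoved   = $assignments.Count
    GrantsRemaining      = $leftGrants.Count
    AssignmentsRemaining = $leftRoles.Count
}
```

The scope check does not cover the directory role the answer also mentions; the signed-in account still needs that role assigned.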
