How to remove/revoke permission once granted.

Question

How to remove/revoke permission once granted.

清水明士 56

Hi, community.

When I was checking Microsoft Graph APIs for a demon type app, without users' login,
Admin gave some consents from Azure Portal to my app and Sites.FullControl.All permission from Graph Explore to me.

Since we found it worked well, it is no need to be granted anymore.
For security reasons, I think we better remove/remove permission for mean time until we will need them again.
But we could not find how to remove those permissions from Azure Portal/Graph Explore.

How to revoke/remove permissions once granted without deleting app itself from Azure Portal?

Regards.

Accepted answer

2 additional answers

Your answer

Answer 1

CarlZhao-MSFT 46,376

Hi @清水明士

There is no specific remove/revoke API, the easiest way is to revoke the granted permissions directly in the Azure portal. This requires you to log in to the Azure portal as a global administrator, then find your application and revoke the permissions granted.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

清水明士 56 Reputation points

2022-01-06T00:33:29.597+00:00

Hello @CarlZhao-MSFT ,

Thank you for a super quick reply. Your answer helped me how to remove/revoke permissions from my app.

Another thing, I would like to know how to remove/revoke Sites.FullControl.All permission given/consented by Admin on Graph Explore to me.
This permission is granted(consented?) to me/my account not to my app.
Admin and I could not find how to remove/revoke this permission from me/my account on Graph Explore/Azure Portal yet.

I will appreciate if you tell me how.

Kind regards.
CarlZhao-MSFT 46,376 Reputation points

2022-01-06T02:35:53.287+00:00

Hi @清水明士

Since graph explorer is actually a multi-tenant application, the easiest way to revoke the permission granted by the admin is to delete the enterprise application directly in the Azure portal. This will delete your service principal, which means you are deleting you permission. If you need a certain permission next time, just admin consent to it again.

Log in to the Azure portal as a global administrator, then go to the enterprise application to find graph explorer and delete it.
1.

2.
清水明士 56 Reputation points

2022-01-06T06:07:16.427+00:00

Hello, @CarlZhao-MSFT

the easiest way to revoke the permission granted by the admin is to delete the enterprise application directly in the Azure portal.

I see, deleting...

Is there a bit complicated way so that it revoke specific permissions, such as only Sites.FullControl.All ?

Following document might tell us to revoke permissions but also this way requires PowerShell and revoke all granted permissions.
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-application-permissions

# Remove all delegated permissions
$spOAuth2PermissionsGrants | ForEach-Object {
Remove-AzureADOAuth2PermissionGrant -ObjectId $_.ObjectId
}
CarlZhao-MSFT 46,376 Reputation points

2022-01-07T06:58:27.137+00:00

Hi dear @清水明士 The script I'm currently testing removes all delegated permissions, but fails to remove specific permissions. I'm having a problem passing parameters, give me some time to research, thank you :)
清水明士 56 Reputation points

2022-01-12T01:47:26.917+00:00

Hello @CarlZhao-MSFT ,
Your previous solution is good enough so far.
Thank you for your cooperation.

Answer 2

Wade Lewis 21

@CarlZhao-MSFT Any update on this? Deleting the enterprise application is not a feasible solution! We just want to revoke a single permission permission for a user. Otherwise we have no means to revert these permissions once we have updates downstream to allow for reduced permission scopes.

I see that you were working on a script to remove all delegated permissions - specifically I'm trying to remove EWS.AccessAsUser.All and EAS.AccessAsUser.All permissions

Are you able to come up with any way to remove those specific permissions?

Wade Lewis 21 Reputation points

2022-04-26T00:10:35.76+00:00

I have EAS/EWS permissions that I granted months ago, and if I had a gun pointed to my head I couldn't get rid of these scopes. Do I have to delete my microsoft user account? Even still that's not a feasible solution for enterprise customers...

Any recommended solutions?
GeneralEclectic 0 Reputation points

2023-03-08T02:13:48.0833333+00:00

Assign this to the account and you can then revoke granular permissions
DelegatedPermissionGrant.ReadWrite.ALL

This allowed me to remove permissions when not required.

Answer 3

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more

Share via

How to remove/revoke permission once granted.

2 additional answers

Your answer