Graph API - Can you remove all permissions from your own app via api call?

Danny Chu 1 Reputation point
2022-01-14T14:05:41.17+00:00

Hello.

Users can remove their permissions from apps in https://account.live.com/consent

But is it possible to remove permission with an api call?

We want to make a feature so that users can remove all permissions and log out from our app without the need to go into the https://account.live.com/consent site.

Thanks in advance

Microsoft Graph

2 answers

  1. JanardhanaVedham-MSFT 3,556 Reputation points
    2022-01-17T18:46:22.353+00:00

    Hi @Danny Chu,

    Currently there is no Microsoft Graph API available to remove & revoke the granted permissions of the application. The easiest way is to remove/revoke the granted permissions directly in the Azure portal. This requires you to log in to the Azure portal as a global administrator, then navigate to your application and remove & revoke all the permissions granted.


    The other option is to consider using a PowerShell script, as mentioned in this documentation.

    Connect-AzureAD

    # Get Service Principal using objectId
    $sp = Get-AzureADServicePrincipal -ObjectId "<ServicePrincipal objectID>"

    # Get all delegated permissions for the service principal
    $spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true | Where-Object { $_.clientId -eq $sp.ObjectId }

    # Remove all delegated permissions
    $spOAuth2PermissionsGrants | ForEach-Object {
        Remove-AzureADOAuth2PermissionGrant -ObjectId $_.ObjectId
    }

    # Get all application permissions for the service principal
    $spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }

    # Remove all application permissions
    $spApplicationPermissions | ForEach-Object {
        Remove-AzureADServiceAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.objectId
    }
    

    In the above PowerShell script, Object ID refers to the Object ID of the application.


    If the original posted question is answered, then please click "Accept Answer" and kindly upvote it, so that it will be helpful to the other community users. If you have any further questions about this answer, please click "Comment".

    2 people found this answer helpful.
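
A more cautious variant of the script in the answer above, as an added example that is not part of the original answer or of Microsoft's documentation: it saves every grant to a CSV before anything is removed and gates each removal behind `-WhatIf`/`-Confirm`. The function name `Remove-AppGrantsWithRecord` and the CSV path are hypothetical; it assumes the AzureAD module is installed and `Connect-AzureAD` has already been run.

```powershell
# Added example: record a service principal's grants, then remove them behind
# -WhatIf/-Confirm. Function name and default CSV path are hypothetical.
function Remove-AppGrantsWithRecord {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $ServicePrincipalObjectId,
        [string] $RecordPath = ".\grants-before-removal.csv"
    )

    $sp = Get-AzureADServicePrincipal -ObjectId $ServicePrincipalObjectId

    # Delegated permissions (same query as the script in the answer)
    $delegated = @(Get-AzureADOAuth2PermissionGrant -All $true |
        Where-Object { $_.ClientId -eq $sp.ObjectId })

    # Application permissions (same query as the script in the answer)
    $appRoles = @(Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true |
        Where-Object { $_.PrincipalType -eq "ServicePrincipal" })

    # One flat row per grant, so the prior state can be reviewed or re-created
    $record = @(
        $delegated | ForEach-Object {
            [pscustomobject]@{ Kind = 'Delegated'; GrantId = $_.ObjectId
                ResourceId = $_.ResourceId; ConsentType = $_.ConsentType
                PrincipalId = $_.PrincipalId; Detail = $_.Scope }
        }
        $appRoles | ForEach-Object {
            [pscustomobject]@{ Kind = 'Application'; GrantId = $_.ObjectId
                ResourceId = $_.ResourceId; ConsentType = 'n/a'
                PrincipalId = $_.PrincipalId; Detail = $_.Id }
        }
    )
    # -WhatIf:$false so the record is written even during a dry run
    if ($record.Count -gt 0) {
        $record | Export-Csv -Path $RecordPath -NoTypeInformation -WhatIf:$false
    }
    foreach ($g in $delegated) {
        if ($PSCmdlet.ShouldProcess("delegated grant $($g.ObjectId) [$($g.Scope)]", "Remove")) {
            Remove-AzureADOAuth2PermissionGrant -ObjectId $g.ObjectId
        }
    }
    foreach ($a in $appRoles) {
        if ($PSCmdlet.ShouldProcess("app role assignment $($a.ObjectId)", "Remove")) {
            Remove-AzureADServiceAppRoleAssignment -ObjectId $a.PrincipalId -AppRoleAssignmentId $a.ObjectId
        }
    }
    $record   # return the inventory to the caller
}
```

Calling it with `-ServicePrincipalObjectId "<ServicePrincipal objectID>" -WhatIf` writes the CSV and lists what would be removed without removing anything.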