@tarou chabi
Thank you for your post!
When it comes to deleting the default scopes, for example *.ReadWrite.All, and adding Group.Read.All and other permissions to your Service Principal: I don't believe this is possible using PowerShell, since all you can do there is Get/Remove the AzureADOAuth2 permission grants, but you should be able to accomplish this via the Microsoft Graph API.
1) List oauth2PermissionGrants to retrieve a list of oAuth2PermissionGrant objects:

    GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants

2) Get oAuth2PermissionGrant to retrieve a single oAuth2PermissionGrant object:

    GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants/AVs6JuUDjkCFV7q2gd8QTPimBBgj5iBFj0C6GwwRxC0

   (The grant's clientId is the Service Principal's object ID; the Service Principal's Application ID is the Azure AD App Registration's Application (client) ID.)

3) Update a delegated permission grant (oAuth2PermissionGrant) to update the properties of the oAuth2PermissionGrant object:

    PATCH https://graph.microsoft.com/v1.0/oauth2PermissionGrants/l5eW7x0ga0-WDOntXzHateQDNpSH5-lPk9HjD3Sarjk
    Content-Type: application/json

    {
      "scope": "User.ReadBasic.All Group.ReadWrite.All"
    }
I hope this helps!
If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
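The three-step procedure above, worked through as an added example (not code from the answer or from Microsoft): it finds the grant for one service principal, drops every *.ReadWrite.All scope, adds Group.Read.All, and builds the PATCH body. Because PATCH replaces the whole space-separated `scope` string, the scopes you want to keep must be carried over too. The grant IDs are placeholders, the helper names are my own, and only the standard library is used.

```python
import json
import urllib.request
from typing import Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0/oauth2PermissionGrants"


def tighten_scope(current: str, drop_suffix: str = "ReadWrite.All",
                  add: Tuple[str, ...] = ("Group.Read.All",)) -> str:
    """Drop every scope ending in drop_suffix, then append the read-only scopes in add.

    Graph stores `scope` as one space-separated string and PATCH replaces it whole,
    so kept scopes are carried over rather than sending only the additions.
    """
    kept = [s for s in current.split() if not s.endswith(drop_suffix)]
    for scope in add:
        if scope not in kept:
            kept.append(scope)
    return " ".join(kept)


def find_grant(grants: list, sp_object_id: str, resource_id: str) -> Optional[dict]:
    """Step 1/2: pick the grant whose clientId is the SP object ID for one resource SP."""
    for g in grants:
        if g.get("clientId") == sp_object_id and g.get("resourceId") == resource_id:
            return g
    return None


def plan_patch(grant: dict) -> Optional[Tuple[str, dict]]:
    """Step 3: return (url, body) for the PATCH, or None when the scope is already minimal."""
    new_scope = tighten_scope(grant.get("scope", ""))
    if new_scope == grant.get("scope", ""):
        return None
    return f"{GRAPH}/{grant['id']}", {"scope": new_scope}


def send_patch(url: str, body: dict, bearer_token: str) -> int:
    """Issue the PATCH with a Graph access token; Graph answers 204 No Content on success."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PATCH",
                                 headers={"Content-Type": "application/json",
                                          "Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample grant as returned by the list call; IDs are placeholders, not real values.
SAMPLE_GRANTS = [{"id": "GRANT-ID-PLACEHOLDER", "clientId": "SP-OBJECT-ID-PLACEHOLDER",
                  "consentType": "AllPrincipals", "resourceId": "GRAPH-SP-ID-PLACEHOLDER",
                  "scope": "User.ReadBasic.All Directory.ReadWrite.All Group.ReadWrite.All"}]

if __name__ == "__main__":
    grant = find_grant(SAMPLE_GRANTS, "SP-OBJECT-ID-PLACEHOLDER", "GRAPH-SP-ID-PLACEHOLDER")
    print(plan_patch(grant))  # pass the url and body to send_patch() with a real token
```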