Scope of Get-AzureADOAuth2PermissionGrant

tarou chabi 731 Reputation points

I want to remove the default scope.
I want to delete *.ReadWrite.All and add Group.Read.All etc. Is it possible?

PS C:\Windows\system32> $sp = Get-AzureADServicePrincipal | Where-Object {$_.DisplayName -eq "Microsoft Intune PowerShell"}
PS C:\Windows\system32> $spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true | Where-Object { $_.ClientId -eq $sp.ObjectId } | Where-Object {$_.Scope -like "*device*"}
PS C:\Windows\system32> $spOAuth2PermissionsGrants | fl scope
Scope : DeviceManagementManagedDevices.PrivilegedOperations.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementRBAC.ReadWrite.All DeviceManagementApps.ReadWrite.All DeviceManagementConfiguration.ReadWrite.All DeviceManagementServiceConfig.ReadWrite.All Group.ReadWrite.All Directory.Read.All open

Microsoft Entra ID

Accepted answer
  1. JamesTran-MSFT 34,131 Reputation points Microsoft Employee

    @tarou chabi
    Thank you for your post!

    When it comes to deleting the default scopes, for example *.ReadWrite.All, and adding Group.Read.All and other permissions to your Service Principal, I don't believe this is possible using PowerShell, since all you can do is Get/Remove the AzureADOAuth2 permission grants, but you should be able to accomplish this via the Microsoft Graph API.

    1) List oauth2PermissionGrants to retrieve a list of oAuth2PermissionGrant objects.

    2) Get oAuth2PermissionGrant to retrieve an oAuth2PermissionGrant object.

    ## Get oAuth2PermissionGrant: ClientId == Service Principal's ObjectId
    ## Service Principal's Application ID == Azure AD App Registration's Application ID (client ID)


    3) Update a delegated permission grant (oAuth2PermissionGrant) to update the properties of the oAuth2PermissionGrant object.

    PATCH https://graph.microsoft.com/v1.0/oauth2PermissionGrants/{id}
    Content-Type: application/json

    { "scope": "User.ReadBasic.All Group.ReadWrite.All" }


    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
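The following PowerShell is an added example that ties the three Graph steps in the accepted answer together; it is not code from the question or the answer. It reads the grants with the same AzureAD cmdlets the question uses, computes a reduced scope in a separate function (Get-ReducedScope is a name chosen here, not a real cmdlet) so the before/after can be reviewed in dry-run mode, and then writes the new scope back with a PATCH to the documented /oauth2PermissionGrants/{id} endpoint. It assumes an existing Connect-AzureAD session, a Graph bearer token in $graphToken obtained out of band and carrying DelegatedPermissionGrant.ReadWrite.All, and the removal patterns and additions below are constructed for illustration.

```powershell
# Added example, not from the question or the accepted answer.
# Assumptions: Connect-AzureAD has already been run; $graphToken is a bearer
# token (obtained out of band) carrying DelegatedPermissionGrant.ReadWrite.All;
# the removal patterns and additions below are constructed for illustration.
$graphToken = '<bearer-token-placeholder>'
$DryRun     = $true   # set to $false only after reviewing the before/after output
$headers    = @{ Authorization = "Bearer $graphToken"; 'Content-Type' = 'application/json' }

# Pure function (hypothetical name): derive a least-privilege scope from the
# current space-delimited scope string. Patterns use PowerShell -like syntax.
function Get-ReducedScope {
    param(
        [string]   $CurrentScope,
        [string[]] $RemovePatterns = @('*.ReadWrite.All', '*.PrivilegedOperations.All'),
        [string[]] $Add            = @('Group.Read.All')
    )
    $current = @($CurrentScope -split '\s+' | Where-Object { $_ })
    # keep a permission only if none of the removal patterns matches it
    $kept = @($current | Where-Object {
        $perm = $_
        -not @($RemovePatterns | Where-Object { $perm -like $_ })
    })
    # merge the additions, de-duplicating while preserving order
    $result = [System.Collections.Generic.List[string]]::new()
    foreach ($p in ($kept + $Add)) {
        if ($p -and -not $result.Contains($p)) { $result.Add($p) }
    }
    return ($result -join ' ')
}

# 1) locate the service principal and its delegated grants (same cmdlets as the question)
$sp = Get-AzureADServicePrincipal -All $true |
    Where-Object { $_.DisplayName -eq 'Microsoft Intune PowerShell' }
$grants = Get-AzureADOAuth2PermissionGrant -All $true |
    Where-Object { $_.ClientId -eq $sp.ObjectId }

# 2) and 3) show the change for each grant, then PATCH the grant record via Graph
foreach ($g in $grants) {
    $newScope = Get-ReducedScope -CurrentScope $g.Scope
    if ($newScope -eq (($g.Scope -replace '\s+', ' ').Trim())) { continue }   # nothing to change
    Write-Host "Grant $($g.ObjectId) consentType=$($g.ConsentType) principal=$($g.PrincipalId)"
    Write-Host "  before: $($g.Scope)"
    Write-Host "  after : $newScope"
    if ($DryRun) { continue }
    $uri  = "https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$($g.ObjectId)"
    $body = @{ scope = $newScope } | ConvertTo-Json -Compress
    Invoke-RestMethod -Method Patch -Uri $uri -Headers $headers -Body $body | Out-Null
}
```

Two points worth keeping in mind when running something like this: the oAuth2PermissionGrant is the consent record, so narrowing it does not change the permissions the app registration itself requests, and the app may prompt for consent again if it asks for more than the grant now holds; and a grant with ConsentType AllPrincipals is the tenant-wide admin consent, so review the dry-run output for that one especially carefully before flipping $DryRun.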
