Scope of Get-AzureADOAuth2PermissionGrant

tarou chabi 731 Reputation points
2022-03-31T04:50:05.193+00:00

I want to remove the default scope.
I want to delete *.ReadWrite.All and add Group.Read.All etc. Is it possible?

PS C:\Windows\system32> $sp = Get-AzureADServicePrincipal | Where-Object {$_.DisplayName -eq "Microsoft Intune PowerShell"}
PS C:\Windows\system32> $spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true | Where-Object { $_.ClientId -eq $sp.ObjectId } | Where-Object {$_.Scope -like "*device*"}
PS C:\Windows\system32> $spOAuth2PermissionsGrants | fl scope
Scope : DeviceManagementManagedDevices.PrivilegedOperations.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementRBAC.ReadWrite.All DeviceManagementApps.ReadWrite.All DeviceManagementConfiguration.ReadWrite.All DeviceManagementServiceConfig.ReadWrite.All Group.ReadWrite.All Directory.Read.All openid

Microsoft Entra ID

Accepted answer
  1. JamesTran-MSFT 36,786 Reputation points Microsoft Employee
    2022-03-31T21:33:10.827+00:00

    @tarou chabi
    Thank you for your post!

    When it comes to deleting the default scopes (for example *.ReadWrite.All) and adding Group.Read.All and other permissions to your Service Principal, I don't believe this is possible using PowerShell, since all you can do is Get/Remove the AzureADOAuth2 permission grants, but you should be able to accomplish this via the Microsoft Graph API.

    1) List oauth2PermissionGrants to retrieve a list of oAuth2PermissionGrant objects

    GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants  
    

    2) Get oAuth2PermissionGrant to retrieve an oAuth2PermissionGrant object.

    ##Get oAuth2PermissionGrant ClientId == Service Principals ObjectID  
    ##Service Principal's Application ID == Azure AD App Registration's Application ID (client ID)  
    GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants/AVs6JuUDjkCFV7q2gd8QTPimBBgj5iBFj0C6GwwRxC0  
    


    3) Update a delegated permission grant (oAuth2PermissionGrant) to update the properties of oAuth2PermissionGrant object

    PATCH https://graph.microsoft.com/v1.0/oauth2PermissionGrants/l5eW7x0ga0-WDOntXzHateQDNpSH5-lPk9HjD3Sarjk  
    Content-Type: application/json  
    
    {  
        "scope": "User.ReadBasic.All Group.ReadWrite.All"  
    }  
    


    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
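The three Graph calls from the answer put together as one script, as an added example that is not part of the question or the accepted answer: it rewrites the grant's space-delimited scope string (drop every scope matching *.ReadWrite.All, append Group.Read.All, no duplicates) and PATCHes the result with the Microsoft Graph PowerShell SDK instead of raw REST. The Microsoft.Graph module, the service principal display name from the question, the remove/add lists and the required DelegatedPermissionGrant.ReadWrite.All consent scope are assumptions.

```powershell
# Added example, not code from the question or the answer.
# Assumes the Microsoft.Graph module is installed (Install-Module Microsoft.Graph).

function Get-RewrittenScope {
    param(
        [string]$CurrentScope,
        [string[]]$RemovePatterns = @('*.ReadWrite.All'),  # wildcard patterns to drop
        [string[]]$Add = @('Group.Read.All')                # scopes to append
    )
    # The scope property is one space-delimited string: split, drop matches,
    # append additions, and de-duplicate while preserving order.
    $kept = $CurrentScope -split '\s+' | Where-Object { $_ -ne '' } | Where-Object {
        $s = $_
        -not ($RemovePatterns | Where-Object { $s -like $_ })
    }
    $result = [System.Collections.Generic.List[string]]::new()
    foreach ($s in @($kept) + $Add) {
        if (-not $result.Contains($s)) { $result.Add($s) }
    }
    return ($result -join ' ')
}

# Dry run on the scope string shown in the question (no tenant access needed).
$before = 'DeviceManagementManagedDevices.PrivilegedOperations.All DeviceManagementManagedDevices.ReadWrite.All ' +
          'DeviceManagementRBAC.ReadWrite.All DeviceManagementApps.ReadWrite.All ' +
          'DeviceManagementConfiguration.ReadWrite.All DeviceManagementServiceConfig.ReadWrite.All ' +
          'Group.ReadWrite.All Directory.Read.All openid'
$after = Get-RewrittenScope -CurrentScope $before
"Before: $before"
"After:  $after"

# Live update: an admin must consent to DelegatedPermissionGrant.ReadWrite.All
# (to change grants) and Application.Read.All (to look up the service principal).
Connect-MgGraph -Scopes 'DelegatedPermissionGrant.ReadWrite.All', 'Application.Read.All'
$sp = Get-MgServicePrincipal -Filter "displayName eq 'Microsoft Intune PowerShell'" | Select-Object -First 1
# oauth2PermissionGrant.clientId is the service principal's object id (as the answer notes).
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All
foreach ($g in $grants) {
    $new = Get-RewrittenScope -CurrentScope $g.Scope
    if ($new -ne $g.Scope) {
        # PATCH replaces the whole scope property, so always send the complete desired set.
        Invoke-MgGraphRequest -Method PATCH `
            -Uri "https://graph.microsoft.com/v1.0/oauth2PermissionGrants/$($g.Id)" `
            -Body @{ scope = $new }
        "Updated grant $($g.Id) (consentType=$($g.ConsentType))"
    }
}
```

Because PATCH overwrites the scope string rather than merging into it, whatever the body contains becomes the complete delegated set for that grant, so review the dry-run output before the live loop, and check that the remaining scopes still cover what the application actually requests at sign-in.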

