Review permissions granted to enterprise applications

In this article, you'll learn how to review permissions granted to applications in your Azure Active Directory (Azure AD) tenant. You may need to review permissions when you've detected a malicious application or the application has been granted more permissions than is necessary.

The steps in this article apply to all applications that were added to your Azure Active Directory (Azure AD) tenant via user or admin consent. For more information on consenting to applications, see User and admin consent.

Prerequisites

To review permissions granted to applications, you need:

  • An Azure account with an active subscription. Create an account for free.
  • One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator.
  • A service principal owner who isn't an administrator can still invalidate refresh tokens.

Review permissions

The Azure AD portal generates contextual PowerShell scripts for each of these actions.

To review application permissions:

  1. Sign in to the Azure portal using one of the roles listed in the prerequisites section.
  2. Select Azure Active Directory, and then select Enterprise applications.
  3. Select the application that you want to restrict access to.
  4. Select Permissions. In the command bar, select Review permissions.
  5. Give a reason why you want to review permissions for the application by selecting one of the options listed under the question, Why do you want to review permissions for this application?

Each option generates PowerShell scripts that enable you to control user access to the application and to review the permissions granted to it. For information about how to control user access to an application, see How to remove a user's access to an application.

The following Azure AD PowerShell script revokes all permissions granted to an application.

# Sign in with an account that holds one of the roles listed in the prerequisites.
# The operations below need: Application.Read.All, Application.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All
Connect-AzureAD

# Get Service Principal using objectId
$sp = Get-AzureADServicePrincipal -ObjectId "<ServicePrincipal objectID>"

# Get all delegated permissions (oauth2PermissionGrants) where this service principal is the client
$spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true | Where-Object { $_.ClientId -eq $sp.ObjectId }

# Remove all delegated permissions
$spOAuth2PermissionsGrants | ForEach-Object {
    Remove-AzureADOAuth2PermissionGrant -ObjectId $_.ObjectId
}

# Get all application permissions (app role assignments whose principal is a service principal)
$spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }

# Remove all application permissions
$spApplicationPermissions | ForEach-Object {
    Remove-AzureADServiceAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.ObjectId
}

Invalidate the refresh tokens

Use the following script to revoke the refresh tokens of every user assigned to the application.

# Sign in with an account that holds one of the roles listed in the prerequisites.
# The operations below need: Application.Read.All, Application.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All
Connect-AzureAD

# Get Service Principal using objectId
$sp = Get-AzureADServicePrincipal -ObjectId "<ServicePrincipal objectID>"

# Get the app role assignments of users to this service principal
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true | Where-Object { $_.PrincipalType -eq "User" }

# Revoke refresh tokens for all users assigned to the application
$assignments | ForEach-Object {
    Revoke-AzureADUserAllRefreshToken -ObjectId $_.PrincipalId
}

The following Microsoft Graph PowerShell script revokes all permissions granted to an application.

# Sign in, requesting the scopes the script needs
Connect-MgGraph -Scopes "Application.Read.All", "Application.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All"

# Get Service Principal using objectId
# Example: Get-MgServicePrincipal -ServicePrincipalId '22c1770d-30df-49e7-a763-f39d2ef9b369'
$sp = Get-MgServicePrincipal -ServicePrincipalId "<ServicePrincipal objectID>"

# Get all delegated permissions (oauth2PermissionGrants) where this service principal is the client
$spOAuth2PermissionsGrants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ClientId -eq $sp.Id }

# Remove all delegated permissions
$spOAuth2PermissionsGrants | ForEach-Object {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
}

# Get all application permissions (app role assignments whose principal is a service principal)
$spApplicationPermissions = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }

# Remove all application permissions
$spApplicationPermissions | ForEach-Object {
    Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -AppRoleAssignmentId $_.Id
}
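Before running either revoke script it helps to see exactly what the service principal holds. The following review pass is an added example and not part of the article: it lists every delegated grant and application permission of the service principal, resolves resource names and app role values, flags broad permissions, and dry-runs the delegated revoke with -WhatIf. It assumes the Microsoft Graph PowerShell SDK and that you supply the service principal's object ID; the flagging pattern is an assumption to adapt to your own policy.

```powershell
# Added example, not from the article: enumerate what a service principal holds before revoking it.
# Assumes the Microsoft Graph PowerShell SDK; $ServicePrincipalId is the object ID you supply.
param([Parameter(Mandatory)][string]$ServicePrincipalId)

Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" | Out-Null
$sp = Get-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId

# Assumed heuristic for permissions that deserve a closer look; adjust to your tenant's policy.
$broad = 'ReadWrite|\.All$|^Directory\.|^RoleManagement|^AppRoleAssignment'
$report = [System.Collections.Generic.List[object]]::new()

# Delegated permissions: one oauth2PermissionGrant per resource, with a space-separated scope list
foreach ($grant in (Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All)) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
    foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
        $report.Add([pscustomobject]@{
            Kind        = 'Delegated'
            Resource    = $resource.DisplayName
            Permission  = $scope
            # AllPrincipals means admin consent for every user; Principal means one user consented
            ConsentType = $grant.ConsentType
            Flagged     = [bool]($scope -match $broad)
            GrantId     = $grant.Id
        })
    }
}

# Application permissions: appRoleAssignments in which this service principal is the principal
foreach ($a in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }   # resolve the role GUID to its value
    $report.Add([pscustomobject]@{
        Kind        = 'Application'
        Resource    = $a.ResourceDisplayName
        Permission  = $role.Value
        ConsentType = 'Admin'   # application permissions always require admin consent
        Flagged     = [bool]($role.Value -match $broad)
        GrantId     = $a.Id
    })
}

$report | Sort-Object Flagged -Descending | Format-Table Kind, Resource, Permission, ConsentType, Flagged -AutoSize

# Dry run of the delegated revoke: -WhatIf reports each deletion without performing it
$report | Where-Object { $_.Kind -eq 'Delegated' -and $_.Flagged } | ForEach-Object {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.GrantId -WhatIf
}
```

The GrantId column carries the oauth2PermissionGrant or appRoleAssignment ID that the revoke scripts and the Graph Explorer DELETE queries take, so a reviewed row can be removed individually instead of revoking everything.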

Invalidate the refresh tokens

Remove appRoleAssignments for users or groups to the application using the following scripts.

# Sign in, requesting the scopes the script needs
Connect-MgGraph -Scopes "Application.Read.All", "Application.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All"

# Get Service Principal using objectId
# Example: Get-MgServicePrincipal -ServicePrincipalId '22c1770d-30df-49e7-a763-f39d2ef9b369'
$sp = Get-MgServicePrincipal -ServicePrincipalId "<ServicePrincipal objectID>"

# Get the app role assignments of users and groups to this service principal
$userAndGroupAssignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All | Where-Object { $_.PrincipalType -in "User", "Group" }

# Remove each assignment from the application (resource) side, which works for any principal type
$userAndGroupAssignments | ForEach-Object {
    Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -AppRoleAssignmentId $_.Id
}

To review permissions in Graph Explorer, sign in with one of the roles listed in the prerequisites section.

You'll need to consent to the following permissions:

Application.Read.All, Application.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All.

Delegated permissions

Run the following queries to review delegated permissions granted to an application.

  1. Get Service Principal using objectID

    GET /servicePrincipals/{id}

    Example:

    GET /servicePrincipals/57443554-98f5-4435-9002-852986eea510

  2. Get all delegated permissions for the service principal

    GET /servicePrincipals/{id}/oauth2PermissionGrants

  3. Remove delegated permissions using the oAuth2PermissionGrant ID.

    DELETE /oAuth2PermissionGrants/{id}

Application permissions

Run the following queries to review application permissions granted to an application.

  1. Get all application permissions for the service principal

    GET /servicePrincipals/{servicePrincipal-id}/appRoleAssignments

  2. Remove application permissions using the appRoleAssignment ID

    DELETE /servicePrincipals/{resource-servicePrincipal-id}/appRoleAssignedTo/{appRoleAssignment-id}

Invalidate the refresh tokens

Run the following queries to remove appRoleAssignments of users or groups to the application.

  1. Get Service Principal using objectID.

    GET /servicePrincipals/{id}

    Example:

    GET /servicePrincipals/57443554-98f5-4435-9002-852986eea510

  2. Get Azure AD app role assignments using the objectID of the Service Principal.

    GET /servicePrincipals/{servicePrincipal-id}/appRoleAssignedTo

  3. Remove the assignment of each user or group assigned to the application using its appRoleAssignment ID.

    DELETE /servicePrincipals/{servicePrincipal-id}/appRoleAssignedTo/{appRoleAssignment-id}

Note

Revoking the current granted permission won't stop users from re-consenting to the application. If you want to block users from consenting, read Configure how users consent to applications.

Next steps