Review permissions granted to enterprise applications
In this article, you learn how to review permissions granted to applications in your Azure Active Directory (Azure AD) tenant. You may need to review permissions when you've detected a malicious application or when an application has been granted more permissions than necessary. You learn how to revoke permissions granted to the application using the Microsoft Graph API and existing versions of PowerShell.
The steps in this article apply to all applications that were added to your Azure AD tenant via user or admin consent. For more information on consenting to applications, see User and admin consent.
Prerequisites
To review permissions granted to applications, you need:
- An Azure account with an active subscription. Create an account for free.
- One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator.
- A service principal owner who isn't an administrator can also invalidate refresh tokens.
Review permissions
You can access the Azure portal to get contextual PowerShell scripts to perform the actions.
To review application permissions:
- Sign in to the Azure portal using one of the roles listed in the prerequisites section.
- Select Azure Active Directory, and then select Enterprise applications.
- Select the application that you want to restrict access to.
- Select Permissions. In the command bar, select Review permissions.
- Give a reason why you want to review permissions for the application by selecting one of the options listed after the question, Why do you want to review permissions for this application?
Each option generates PowerShell scripts that enable you to control user access to the application and to review permissions granted to the application. For information about how to control user access to an application, see How to remove a user's access to an application.
Review and revoke permissions
Use the following Azure AD PowerShell script to revoke all permissions granted to an application.
Connect-AzureAD
# Get Service Principal using objectId
$sp = Get-AzureADServicePrincipal -ObjectId "<ServicePrincipal objectID>"
# Get all delegated permissions (OAuth2 permission grants) where this service principal is the client
$spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true | Where-Object { $_.ClientId -eq $sp.ObjectId }
# Remove all delegated permissions
$spOAuth2PermissionsGrants | ForEach-Object {
    Remove-AzureADOAuth2PermissionGrant -ObjectId $_.ObjectId
}
# Get all application permissions (app role assignments) held by the service principal
$spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }
# Remove all application permissions
$spApplicationPermissions | ForEach-Object {
    Remove-AzureADServiceAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.ObjectId
}
Invalidate the refresh tokens
The following script finds the users assigned to the application (through its appRoleAssignments) and revokes their refresh tokens.
Connect-AzureAD
# Get Service Principal using objectId
$sp = Get-AzureADServicePrincipal -ObjectId "<ServicePrincipal objectID>"
# Get the app role assignments of users to the application, using the objectId of the service principal
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true | Where-Object { $_.PrincipalType -eq "User" }
# Revoke all refresh tokens for every user assigned to the application
$assignments | ForEach-Object {
    Revoke-AzureADUserAllRefreshToken -ObjectId $_.PrincipalId
}
Review and revoke permissions
Use the following Microsoft Graph PowerShell script to revoke all permissions granted to an application.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
# Get Service Principal using objectId
$sp = Get-MgServicePrincipal -ServicePrincipalId "$ServicePrincipalId"
# Example: Get-MgServicePrincipal -ServicePrincipalId '22c1770d-30df-49e7-a763-f39d2ef9b369'
# Get all delegated permissions (OAuth2 permission grants) where this service principal is the client
$spOAuth2PermissionsGrants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.ClientId -eq $sp.Id }
# Remove all delegated permissions
$spOAuth2PermissionsGrants | ForEach-Object {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
}
# Get all application permissions (app role assignments) held by the service principal
$spApplicationPermissions = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }
# Remove all application permissions; the assignment belongs to this service principal's appRoleAssignments collection
$spApplicationPermissions | ForEach-Object {
    Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -AppRoleAssignmentId $_.Id
}
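The script above removes every grant at once. An added example (not from the article or the Microsoft Graph PowerShell SDK) that first produces a reviewable report of the delegated and application permissions, resolved to resource names and permission values, and then revokes only the delegated scopes the operator names; $ServicePrincipalId and $ScopesToRevoke are assumed operator-supplied parameters.

```powershell
# Added example (not from the article): review a service principal's grants
# before revoking, then remove only the delegated scopes the operator names.
# $ServicePrincipalId and $ScopesToRevoke are operator-supplied assumptions.
param(
    [Parameter(Mandatory)][string]$ServicePrincipalId,
    [string[]]$ScopesToRevoke = @()      # e.g. 'Mail.ReadWrite', 'Files.ReadWrite.All'
)
Connect-MgGraph -Scopes "Application.Read.All", "DelegatedPermissionGrant.ReadWrite.All"
$sp = Get-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId

# Delegated grants: one object per client/resource/consentType/principal tuple
$grants = @(Get-MgOauth2PermissionGrant -All | Where-Object { $_.ClientId -eq $sp.Id })
$report = @(foreach ($g in $grants) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    [pscustomobject]@{
        Kind        = 'Delegated'
        Resource    = $resource.DisplayName
        ConsentType = $g.ConsentType      # AllPrincipals = admin consent; Principal = one user
        PrincipalId = $g.PrincipalId
        Permission  = ([string]$g.Scope).Trim()
        GrantId     = $g.Id
    }
})
# Application permissions: map appRoleId back to the role's value on the resource
$assignments = @(Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)
$report += @(foreach ($a in $assignments) {
    $resource = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    $role = $resource.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
    [pscustomobject]@{
        Kind = 'Application'; Resource = $resource.DisplayName; ConsentType = 'AllPrincipals'
        PrincipalId = $a.PrincipalId; Permission = $role.Value; GrantId = $a.Id
    }
})
$report | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path "sp-$($sp.Id)-permissions.csv"

# Selective revoke: drop only the named delegated scopes. Delete the grant when
# nothing is left, otherwise patch it with the reduced space-separated scope list.
foreach ($g in $grants) {
    $current = @(([string]$g.Scope).Trim() -split '\s+' | Where-Object { $_ })
    $keep = @($current | Where-Object { $_ -notin $ScopesToRevoke })
    if ($keep.Count -eq $current.Count) { continue }
    if ($keep.Count -eq 0) {
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
    } else {
        Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id -Scope ($keep -join ' ')
    }
}
```

Run it once with an empty $ScopesToRevoke to get the report only, review the CSV, and run it again naming the scopes to remove.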
Invalidate the refresh tokens
Remove the appRoleAssignments of users or groups to the application using the following script.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
# Get Service Principal using objectId
$sp = Get-MgServicePrincipal -ServicePrincipalId "$ServicePrincipalId"
# Example: Get-MgServicePrincipal -ServicePrincipalId '22c1770d-30df-49e7-a763-f39d2ef9b369'
# Get the app role assignments of users and groups to the application (the service principal is the resource)
$assignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All | Where-Object { $_.PrincipalType -in @("User", "Group") }
# Remove each assignment from the application's appRoleAssignedTo collection
$assignments | ForEach-Object {
    Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -AppRoleAssignmentId $_.Id
}
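The Microsoft Graph PowerShell script above removes assignments but does not itself invalidate tokens the users already hold. An added example (not from the article or the SDK) that resolves every user behind the application's assignments, including transitive members of assigned groups, and revokes their sign-in sessions; $ServicePrincipalId is an assumed operator-supplied parameter, and the scopes requested are those the author of this example believes the calls need.

```powershell
# Added example (not from the article): revoke refresh tokens for every user
# assigned to an application, directly or through a group. $ServicePrincipalId
# is operator-supplied; the requested scopes are this example's assumption.
param([Parameter(Mandatory)][string]$ServicePrincipalId)
Connect-MgGraph -Scopes "Application.Read.All", "GroupMember.Read.All", "User.RevokeSessions.All"

$sp = Get-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId
# Principals assigned to the application (the service principal is the resource)
$assignedTo = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All

# Collect distinct user object IDs: direct user assignments plus transitive group
# members. Graph expands nested groups; only user-typed members are kept.
$userIds = [System.Collections.Generic.HashSet[string]]::new()
foreach ($a in $assignedTo) {
    switch ($a.PrincipalType) {
        'User'  { [void]$userIds.Add($a.PrincipalId) }
        'Group' {
            Get-MgGroupTransitiveMember -GroupId $a.PrincipalId -All |
                Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
                ForEach-Object { [void]$userIds.Add($_.Id) }
        }
    }
}

# revokeSignInSessions invalidates all refresh tokens and session cookies issued
# to the user, so it also signs them out of other applications; log each call.
$results = @(foreach ($id in $userIds) {
    $ok = $false
    try { $null = Revoke-MgUserSignInSession -UserId $id; $ok = $true }
    catch { Write-Warning "Failed to revoke sessions for $id : $($_.Exception.Message)" }
    [pscustomobject]@{ UserId = $id; Revoked = $ok; At = (Get-Date).ToString('o') }
})
$results | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path "sp-$($sp.Id)-session-revocations.csv"
```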
Review and revoke permissions
To review permissions, sign in to Graph Explorer with one of the roles listed in the prerequisites section.
You need to consent to the following permissions: Application.ReadWrite.All, Directory.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All, AppRoleAssignment.ReadWrite.All.
Delegated permissions
Run the following queries to review delegated permissions granted to an application.
Get Service Principal using objectID
GET /servicePrincipals/{id}
Example:
GET /servicePrincipals/57443554-98f5-4435-9002-852986eea510
Get all delegated permissions for the service principal
GET /servicePrincipals/{id}/oauth2PermissionGrants
Remove delegated permissions using oAuth2PermissionGrants ID.
DELETE /oAuth2PermissionGrants/{id}
Application permissions
Run the following queries to review application permissions granted to an application.
Get all application permissions for the service principal
GET /servicePrincipals/{servicePrincipal-id}/appRoleAssignments
Remove application permissions using the appRoleAssignment ID.
DELETE /servicePrincipals/{resource-servicePrincipal-id}/appRoleAssignedTo/{appRoleAssignment-id}
Invalidate the refresh tokens
Run the following queries to remove appRoleAssignments of users or groups to the application.
Get Service Principal using objectID.
GET /servicePrincipals/{id}
Example:
GET /servicePrincipals/57443554-98f5-4435-9002-852986eea510
Get Azure AD App role assignments using objectID of the Service Principal.
GET /servicePrincipals/{servicePrincipal-id}/appRoleAssignedTo
Revoke refresh token for users and groups assigned to the application using appRoleAssignment ID.
DELETE /servicePrincipals/{servicePrincipal-id}/appRoleAssignedTo/{appRoleAssignment-id}
Note
Revoking the current granted permission won't stop users from re-consenting to the application. If you want to block users from consenting, read Configure how users consent to applications.