Review permissions granted to enterprise applications
In this article, you learn how to review permissions granted to applications in your Microsoft Entra tenant. You might need to review permissions when you detect a malicious application, or one that has more permissions than is necessary. You learn how to revoke permissions granted to the application using Microsoft Graph API and existing versions of PowerShell.
The steps in this article apply to all applications that were added to your Microsoft Entra tenant via user or admin consent. For more information on consenting to applications, see User and admin consent.
Prerequisites
To review permissions granted to applications, you need:
- An Azure account with an active subscription. Create an account for free.
- One of the following roles: Cloud Application Administrator, Application Administrator.
- A Service principal owner who isn't an administrator is able to invalidate refresh tokens.
Review and revoke permissions in the Microsoft Entra admin center
Tip
Steps in this article might vary slightly based on the portal you start from.
You can access the Microsoft Entra admin center to view the permissions granted to an app. You can revoke permissions granted by admins for your entire organization, and you can get contextual PowerShell scripts to perform other actions.
For information on how to restore revoked or deleted permissions, see Restore permissions granted to applications.
To review an application's permissions granted for the entire organization or to a specific user or group:
- Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
- Browse to Identity > Applications > Enterprise applications > All applications.
- Select the application that you want to restrict access to.
- Select Permissions.
- To view permissions that apply to your entire organization, select the Admin consent tab. To view permissions granted to a specific user or group, select the User consent tab.
- To view the details of a given permission, select the permission from the list. The Permission Details pane opens.
After reviewing the permissions granted to an application, you can revoke permissions granted by admins for your entire organization.
Note
You can't revoke permissions in the User consent tab using the portal. You can revoke these permissions using Microsoft Graph API calls or PowerShell cmdlets. Go to the PowerShell and Microsoft Graph tabs of this article for more information.
To revoke permissions in the Admin consent tab:
- View the list of permissions in the Admin consent tab.
- Choose the permission you would like to revoke, then select the ... control for that permission.
- Select Revoke permission.
Review and revoke permissions using Azure AD PowerShell
Use the following Azure AD PowerShell script to revoke all permissions granted to an application. You need to sign in as at least a Cloud Application Administrator.
Connect-AzureAD
# Get Service Principal using objectId
$sp = Get-AzureADServicePrincipal -ObjectId "<ServicePrincipal objectID>"
# Get all delegated permissions for the service principal
$spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true| Where-Object { $_.clientId -eq $sp.ObjectId }
# Remove all delegated permissions
$spOAuth2PermissionsGrants | ForEach-Object {
Remove-AzureADOAuth2PermissionGrant -ObjectId $_.ObjectId
}
# Get all application permissions for the service principal
$spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }
# Remove all application permissions
$spApplicationPermissions | ForEach-Object {
Remove-AzureADServiceAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.objectId
}
Invalidate the refresh tokens using Azure AD PowerShell
Remove appRoleAssignments for users or groups to the application using the following scripts.
Connect-AzureAD
# Get Service Principal using objectId
$sp = Get-AzureADServicePrincipal -ObjectId "<ServicePrincipal objectID>"
# Get Azure AD App role assignments using objectID of the Service Principal
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true | Where-Object {$_.PrincipalType -eq "User"}
# Revoke refresh token for all users assigned to the application
$assignments | ForEach-Object {
Revoke-AzureADUserAllRefreshToken -ObjectId $_.PrincipalId
}
Review and revoke permissions using Microsoft Graph PowerShell
Use the following Microsoft Graph PowerShell script to revoke all permissions granted to an application. You need to sign in as at least a Cloud Application Administrator.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
# Get Service Principal using objectId
$sp = Get-MgServicePrincipal -ServicePrincipalID "<ServicePrincipal objectID>"
Example: Get-MgServicePrincipal -ServicePrincipalId 'aaaaaaaa-bbbb-cccc-1111-222222222222'
# Get all delegated permissions for the service principal
$spOAuth2PermissionsGrants= Get-MgOauth2PermissionGrant -All| Where-Object { $_.clientId -eq $sp.Id }
# Remove all delegated permissions
$spOauth2PermissionsGrants |ForEach-Object {
Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
}
# Get all application permissions for the service principal
$spApplicationPermissions = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $Sp.Id -All | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }
# Remove all application permissions
$spApplicationPermissions | ForEach-Object {
Remove-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $Sp.Id -AppRoleAssignmentId $_.Id
}
Invalidate the refresh tokens using Microsoft Graph PowerShell
Remove appRoleAssignments for users or groups to the application using the following scripts.
Connect-MgGraph -Scopes "Application.ReadWrite.All", "Directory.ReadWrite.All", "AppRoleAssignment.ReadWrite.All"
# Get Service Principal using objectId
$sp = Get-MgServicePrincipal -ServicePrincipalID "<ServicePrincipal objectID>"
Example: Get-MgServicePrincipal -ServicePrincipalId 'aaaaaaaa-bbbb-cccc-1111-222222222222'
# Get Azure AD App role assignments using objectID of the Service Principal
$spApplicationPermissions = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalID $sp.Id -All | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }
# Revoke refresh token for all users assigned to the application
$spApplicationPermissions | ForEach-Object {
Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $_.PrincipalId -AppRoleAssignmentId $_.Id
}
Review and revoke permissions using Microsoft Graph
To review permissions, Sign in to Graph Explorer as at least a Cloud Application Administrator.
You need to consent to the following permissions:
Application.ReadWrite.All
, Directory.ReadWrite.All
, DelegatedPermissionGrant.ReadWrite.All
, AppRoleAssignment.ReadWrite.All
.
Delegated permissions
Run the following queries to review delegated permissions granted to an application.
Get service principal using the object ID.
GET https://graph.microsoft.com/v1.0/servicePrincipals/{id}
Example:
GET https://graph.microsoft.com/v1.0/servicePrincipals/00001111-aaaa-2222-bbbb-3333cccc4444
Get all delegated permissions for the service principal
GET https://graph.microsoft.com/v1.0/servicePrincipals/{id}/oauth2PermissionGrants
Remove delegated permissions using oAuth2PermissionGrants ID.
DELETE https://graph.microsoft.com/v1.0/oAuth2PermissionGrants/{id}
Application permissions
Run the following queries to review application permissions granted to an application.
Get all application permissions for the service principal
GET https://graph.microsoft.com/v1.0/servicePrincipals/{servicePrincipal-id}/appRoleAssignments
Remove application permissions using appRoleAssignment ID
DELETE https://graph.microsoft.com/v1.0/servicePrincipals/{resource-servicePrincipal-id}/appRoleAssignedTo/{appRoleAssignment-id}
Invalidate the refresh tokens using Microsoft Graph
Run the following queries to remove appRoleAssignments of users or groups to the application.
Get Service Principal using objectID.
GET https://graph.microsoft.com/v1.0/servicePrincipals/{id}
Example:
GET https://graph.microsoft.com/v1.0/servicePrincipals/aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb
Get Microsoft Entra App role assignments using objectID of the Service Principal.
GET https://graph.microsoft.com/v1.0/servicePrincipals/{servicePrincipal-id}/appRoleAssignedTo
Revoke refresh token for users and groups assigned to the application using appRoleAssignment ID.
DELETE https://graph.microsoft.com/v1.0/servicePrincipals/{servicePrincipal-id}/appRoleAssignedTo/{appRoleAssignment-id}
Note
Revoking the current granted permission won't stop users from re-consenting to the application's requested permissions. You need to stop the application from requesting the permissions through dynamic consent. If you want to block users from consenting altogether, read Configure how users consent to applications.
Other authorization to consider
Delegated and application permissions aren't the only ways to grant applications and users access to protected resources. Admins should be aware of other authorization systems that might grant access to sensitive information. Examples of various authorization systems at Microsoft include Microsoft Entra built-in roles, Exchange RBAC, and Teams resource-specific consent.