Permissions assigned to applications in Microsoft Entra are not always meant to be permanent. They may have been granted temporarily to facilitate the use of tools such as Microsoft Graph PowerShell, or to integrate your tenant with a third-party system for reporting or migrations. Changes in requirements may also mean that permissions need to be reduced.
Whatever the reason, permissions that are no longer required should be revoked.
In this tutorial, I am going to show you how to revoke previously granted API permissions on applications in Microsoft Entra using Microsoft Graph PowerShell and the Microsoft Entra admin center.
Why Revoke Graph API permissions?
Over time, Microsoft Graph API permissions on Service Principals can build up to the point where they hold more rights than they actually need. This is more common now with the adoption of new tools such as Microsoft Graph PowerShell, which relies on a Service Principal to function, unlike its predecessors, the Azure AD and MSOL PowerShell modules.
For these permissions to be assigned to applications, consent must be granted by a user with the Global Administrator or Privileged User Administrator role. When it comes to built-in service principals such as the Microsoft Graph Command Line Tools app or the Graph Explorer app, the required set of permissions is not always easy to define in advance. The tasks an administrator needs to perform can change daily, including the need for additional permissions for the programmatic management of Microsoft Entra resources.
This makes it easy for these built-in service principals to quickly become overprivileged, which is a problem in scenarios where users in privileged roles need access to administrator portals to run reports (where Conditional Access can be applied) but should not have programmatic access.
Unfortunately, it is not possible to target these built-in Service Principals with Conditional Access, which raises the question of what happens if a privileged user is compromised (in any way, shape or form) and access is obtained from outside approved locations. Programmatic access can be easily abused by an attacker if other security measures are not in place.
With this in mind, it is a good practice to ensure that built-in Service Principals are not granted critical permissions for longer than they are needed.
Revoke API permissions using the Microsoft Entra Portal
The Microsoft Entra portal is a simple and convenient tool to quickly remove one or more permissions from an Application. To revoke Graph API permissions from a Service Principal in Microsoft Entra, follow the steps below:
1. Sign in to the Microsoft Entra admin center
2. Select Applications > Enterprise Applications
3. Select the application from the list
4. Under Security on the left, select Permissions
5. Hover over the right of the permission you wish to revoke and click Revoke permission
Revoke API permissions using Microsoft Graph PowerShell
Microsoft Graph PowerShell provides a more convenient way to revoke permissions previously consented to a Service Principal in Microsoft Entra. This means you can revoke multiple permissions at once, and do so more often and with less effort.
To revoke API permissions from a Service Principal you will need to have already consented to the DelegatedPermissionGrant.ReadWrite.All permission.
Connect-MgGraph -scopes DelegatedPermissionGrant.ReadWrite.All
To get and store all permissions that have been consented to the application you are connected to in your current PowerShell session, run the following commands. They use the Get-MgContext cmdlet to find the AppId (client ID) of the application your session is using, then resolve it to the object ID of its service principal.
# Details of the current session, including the ClientId of the app in use
$Context = Get-MgContext
# Resolve the AppId to the service principal's object ID
$ObjectId = (Get-MgServicePrincipal -All -Filter "AppId eq '$($Context.ClientId)'").Id
# All delegated (OAuth2) permission grants where this service principal is the client
$PermissionsGrants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $ObjectId -All
Now use the Remove-MgOauth2PermissionGrant cmdlet to revoke the permissions:
$PermissionsGrants | ForEach-Object {
    # Each grant object carries one or more scopes; deleting it revokes them all
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
}
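Deleting every grant blindly is a blunt instrument, and a practitioner usually wants to see what is about to go (which API, which scopes, and whether it was tenant-wide admin consent or a single user's consent) before anything is removed. The function below is an added example, not code from the original post: it wraps the same Get-MgContext / Get-MgServicePrincipalOauth2PermissionGrant / Remove-MgOauth2PermissionGrant calls used above in a function with -WhatIf and -Confirm support, and returns a record of what it revoked. The function name Revoke-DelegatedGrants is mine. It assumes the Microsoft.Graph module is installed and that the session was opened with DelegatedPermissionGrant.ReadWrite.All plus Application.Read.All (the latter is needed to resolve service principal display names). Note that it only handles delegated permissions (oauth2PermissionGrants); application permissions are appRoleAssignments and are not touched by this cmdlet.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph module and a
# session with DelegatedPermissionGrant.ReadWrite.All and Application.Read.All.
# Only delegated (OAuth2) grants are covered; appRoleAssignments are not touched.
function Revoke-DelegatedGrants {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Object ID of the client service principal whose grants should be revoked.
        # Defaults to the app used by the current Connect-MgGraph session.
        [string]$ServicePrincipalId
    )

    if (-not $ServicePrincipalId) {
        $ctx = Get-MgContext
        if (-not $ctx) { throw 'Not connected. Run Connect-MgGraph first.' }
        $sp = Get-MgServicePrincipal -Filter "AppId eq '$($ctx.ClientId)'"
        if (-not $sp) { throw "No service principal found for AppId $($ctx.ClientId)." }
        $ServicePrincipalId = $sp.Id
    }

    $grants  = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $ServicePrincipalId -All
    $removed = @()

    foreach ($grant in $grants) {
        # ResourceId is the object ID of the API that was consented to (e.g. Microsoft Graph).
        $resource = Get-MgServicePrincipal -ServicePrincipalId $grant.ResourceId
        # AllPrincipals = tenant-wide admin consent; Principal = consent for one user.
        $who = if ($grant.ConsentType -eq 'AllPrincipals') { 'all users' } else { "user $($grant.PrincipalId)" }
        $target = "$($resource.DisplayName) [$($grant.Scope)] for $who"

        # ShouldProcess honours -WhatIf (print only) and -Confirm (prompt per grant).
        if ($PSCmdlet.ShouldProcess($target, 'Revoke delegated permission grant')) {
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
            $removed += [pscustomobject]@{
                GrantId     = $grant.Id
                Resource    = $resource.DisplayName
                ConsentType = $grant.ConsentType
                PrincipalId = $grant.PrincipalId
                Scopes      = $grant.Scope
            }
        }
    }
    return $removed
}

# Preview what would be revoked without changing anything:
Revoke-DelegatedGrants -WhatIf

# Revoke for real and keep a record of what was removed:
Revoke-DelegatedGrants -Confirm:$false | Format-Table Resource, ConsentType, Scopes
```

Running with -WhatIf first and keeping the returned objects (for example by piping them to Export-Csv) gives you an audit trail of exactly which scopes were removed from which principal, which is useful when a colleague later asks why a script stopped working.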
Remove/revoke API permissions from a different application
You may want to automate a process in which permissions are regularly revoked from high-use service principals, such as the built-in Microsoft Graph Command Line Tools service principal, or from custom apps that many users connect to and frequently consent permissions to.
This follows the same approach as above; however, you first need to identify the ObjectId of the target Service Principal. This can be done using the Get-MgServicePrincipal cmdlet with a filter on the friendly name of your application:
$id = (Get-MgServicePrincipal -Filter "DisplayName eq 'Graph Application - IT'").id
Here is the full example to remove API permissions from a different application:
# Application.Read.All is needed to look up the service principal by name
Connect-MgGraph -Scopes Application.Read.All, DelegatedPermissionGrant.ReadWrite.All
# Object ID of the target service principal (adjust the display name to your app)
$id = (Get-MgServicePrincipal -Filter "DisplayName eq 'Graph Application - IT'").Id
# All delegated permission grants where that service principal is the client
$PermGrants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $id -All
$PermGrants | ForEach-Object {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
}
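The introduction mentions that requirements sometimes call for permissions to be reduced rather than removed outright. A grant object holds a space-separated Scope string, so instead of deleting the whole grant you can strip only the high-privilege scopes and leave the rest in place, deleting the grant only when nothing remains. The function below is an added example, not code from the original post: it looks up the target application by display name as the post does, then uses Update-MgOauth2PermissionGrant to shrink each grant's scope, or Remove-MgOauth2PermissionGrant when every scope matched. The function name Remove-ScopeFromGrants and the scope patterns passed to it are my own choices; it assumes the same Connect-MgGraph session as the full example above and that 'Graph Application - IT' is the display name used in this post.

```powershell
# Added example (not from the original post). Assumes a session opened with
# Connect-MgGraph -Scopes Application.Read.All, DelegatedPermissionGrant.ReadWrite.All.
function Remove-ScopeFromGrants {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Display name of the client application, as used in the post.
        [Parameter(Mandatory)] [string]$DisplayName,
        # Scopes to strip; -like wildcards are allowed, e.g. '*.ReadWrite.All'.
        [Parameter(Mandatory)] [string[]]$ScopePattern
    )

    $sp = Get-MgServicePrincipal -Filter "DisplayName eq '$DisplayName'"
    if (-not $sp) { throw "No service principal named '$DisplayName'." }
    # Display names are not unique; refuse to guess if more than one matches.
    if (@($sp).Count -gt 1) { throw "Display name '$DisplayName' is ambiguous; target the object ID instead." }

    $results = @()
    foreach ($grant in (Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All)) {
        # Scope is a single space-separated string such as 'User.Read Directory.ReadWrite.All'.
        $current = $grant.Scope -split ' ' | Where-Object { $_ }
        $keep = $current | Where-Object {
            $scope = $_
            -not ($ScopePattern | Where-Object { $scope -like $_ })
        }
        $dropped = $current | Where-Object { $_ -notin $keep }
        if (-not $dropped) { continue }   # nothing in this grant matched

        if ($keep) {
            # Some scopes remain: shrink the grant rather than deleting it.
            if ($PSCmdlet.ShouldProcess("grant $($grant.Id)", "Reduce scope to '$($keep -join ' ')'")) {
                Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope ($keep -join ' ')
            }
            $action = 'Reduced'
        } else {
            # Every scope matched: the grant is now empty, so remove it.
            if ($PSCmdlet.ShouldProcess("grant $($grant.Id)", 'Remove grant')) {
                Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
            }
            $action = 'Removed'
        }

        $results += [pscustomobject]@{
            GrantId     = $grant.Id
            ConsentType = $grant.ConsentType
            Action      = $action
            Dropped     = ($dropped -join ' ')
            Kept        = ($keep -join ' ')
        }
    }
    $results
}

# Preview first, then apply. Patterns shown are examples of broad write scopes.
Remove-ScopeFromGrants -DisplayName 'Graph Application - IT' `
    -ScopePattern '*.ReadWrite.All', 'Directory.AccessAsUser.All' -WhatIf
Remove-ScopeFromGrants -DisplayName 'Graph Application - IT' `
    -ScopePattern '*.ReadWrite.All', 'Directory.AccessAsUser.All' | Format-Table
```

Because a per-user grant (ConsentType 'Principal') and the tenant-wide grant ('AllPrincipals') are separate objects, the function processes each one independently, so a user who individually consented to a broad scope has it removed even when the admin-consented grant never contained it.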