Remove user consent for Graph Explorer or Command Line Tools

How to revoke the Microsoft Graph permissions that a user has granted

Microsoft provides several ways to interact with the Microsoft Graph API, as outlined in their SDK overview. While many of these methods are designed for software developers, administrators often interact with the API through the Microsoft Graph Command Line Tools for scripting, or the Graph Explorer for learning and investigating the API.

These tools use a method known as user-delegated authorization, where a cloud application provided by Microsoft acts as an intermediary between the user’s account and the Microsoft Graph API. This method requires the user to grant permissions to the application to act on their behalf, separate from their assigned role permissions in Microsoft Entra.

How to Revoke User-Delegated Authorization

Currently, the Microsoft Entra or Microsoft Azure portals do not support the revocation of permissions once they have been granted to an application like the Microsoft Graph Command Line Tools or Graph Explorer. While these permissions can be viewed, there is no option to remove them.

The Graph Explorer does offer some capabilities to revoke consent, but this requires additional permissions (Directory.Read.All and DelegatedPermissionGrant.ReadWrite.All) that may not be available to all users.

To manage user consents for the Microsoft Graph Command Line Tools and Graph Explorer, one must use the Microsoft Graph API itself.
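As an added illustration (not the author's script, and not code from Microsoft), the following PowerShell sketch shows the Graph calls such a revocation comes down to, using the Microsoft Graph PowerShell SDK: find the client's service principal, list the user's delegated permission grants for it, then delete them or trim individual scopes. The function name, the placeholder UPN and the assumption that the service principal appears in the tenant under the display name "Microsoft Graph Command Line Tools" are mine.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Users, Microsoft.Graph.Identity.SignIns

function Revoke-UserGraphToolConsent {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Assumption: the client app's service principal carries this display name in the tenant.
        [string] $ClientDisplayName = 'Microsoft Graph Command Line Tools',
        # Delegated scopes to strip; empty means revoke everything the user consented to.
        [string[]] $ScopeToRemove = @()
    )

    $name   = $ClientDisplayName -replace "'", "''"   # escape quotes for the OData filter
    $client = @(Get-MgServicePrincipal -Filter "displayName eq '$name'")
    if ($client.Count -ne 1) { throw "Expected one service principal named '$ClientDisplayName', found $($client.Count)." }
    $user = Get-MgUser -UserId $UserPrincipalName

    # User consent is stored as oauth2PermissionGrant objects with consentType 'Principal';
    # tenant-wide admin consent ('AllPrincipals') is deliberately left untouched.
    $grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($client[0].Id)'" -All |
        Where-Object { $_.ConsentType -eq 'Principal' -and $_.PrincipalId -eq $user.Id }

    foreach ($grant in $grants) {
        $current = @($grant.Scope -split '\s+' | Where-Object { $_ })
        $keep    = @(if ($ScopeToRemove.Count) { $current | Where-Object { $_ -notin $ScopeToRemove } })
        if ($keep.Count -eq $current.Count) { continue }   # nothing to revoke on this grant

        if ($keep.Count -eq 0) {
            if ($PSCmdlet.ShouldProcess($grant.Id, 'Delete delegated permission grant')) {
                Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
            }
        } elseif ($PSCmdlet.ShouldProcess($grant.Id, "Reduce scopes to: $($keep -join ' ')")) {
            Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope ($keep -join ' ')
        }
        [pscustomobject]@{
            GrantId  = $grant.Id
            Revoked  = @($current | Where-Object { $_ -notin $keep }) -join ' '
            Retained = $keep -join ' '
        }
    }
}

# Sign in with the scopes listed on this page, then preview the change (placeholder UPN).
Connect-MgGraph -Scopes 'AppRoleAssignment.ReadWrite.All', 'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'
Revoke-UserGraphToolConsent -UserPrincipalName 'user@example.com' -WhatIf
```

Drop `-WhatIf` to apply the change, and pass `-ClientDisplayName 'Graph Explorer'` (again assuming that is the name shown in the tenant) to target Graph Explorer instead.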

To simplify the process of resetting a user’s consents, I’ve developed a PowerShell script. This script connects to the Graph API, provides guidance on missing permissions, and offers an interactive guide through the process.

Please note that this script still requires elevated administrative privileges. However, it significantly simplifies the task for administrators.

Required roles in Microsoft Entra:

Required Graph scopes:

  • AppRoleAssignment.ReadWrite.All
  • Directory.Read.All
  • DelegatedPermissionGrant.ReadWrite.All

Feel free to use this script to remove user consent, either all at once or selectively. You can even clean up all authorizations for all users at once, or just remove individual authorizations for all users.

As always, the source code can be found as a Gist snippet on GitHub: