I have one Azure AD app where I added permissions using Add-AzADAppPermission.
To grant admin consent to these, I used the following CLI commands:
az login
az ad app permission admin-consent --id <application-id>
I can see admin consent is granted for these permissions in Portal:

But I want to remove this consent now from PowerShell.
Is there any command like Revoke-AzADPermissionGrant to achieve that?
I can do this from Portal, but I want it from PowerShell or CLI or Graph query.
Can anyone please shed light on this?
CodePudding user response:
To revoke admin_consent granted for Azure AD application permissions, you can make use of the below Graph API query:
DELETE https://graph.microsoft.com/v1.0/oauth2PermissionGrants/<id>
To get the <id>, you can run this query by filtering it with Service Principal ObjectID.
GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants/?$filter=clientId eq 'SP ObjectID'
I tried to reproduce the same in my environment and got the below results:
I created one Azure AD application and granted the same API permissions like this:

You can get SP ObjectID of the above application like below:
Go to Azure Portal -> Azure AD -> Enterprise Applications -> Your App -> Overview

I ran the below query to get <id> by including filter like this:
GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants/?$filter=clientId eq 'SP ObjectID'
Response:

I ran the DELETE query like below and got the response successfully:
DELETE https://graph.microsoft.com/v1.0/oauth2PermissionGrants/<id>
Response:

When I checked Azure Portal, admin consent got revoked successfully for that application like below:

To do the same from PowerShell, try running the below commands:
Connect-MgGraph
Import-Module Microsoft.Graph.Identity.SignIns
Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $Id
Make sure to install Microsoft.Graph module before running those commands.
If not, try using the below command to install that module:
Install-Module Microsoft.Graph -Scope CurrentUser
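
The lookup and delete steps from the answer above, combined into one script. This is an added example, not part of the original answer; it goes beyond the answer by also removing application permissions, which Graph stores as app role assignments rather than oauth2PermissionGrants. The function name Revoke-AppAdminConsent is hypothetical and the AppId in the sample call is a placeholder.

```powershell
# Added example. Revoke-AppAdminConsent is a hypothetical helper name; the AppId
# in the sample call at the bottom is a placeholder, not a real application.
Import-Module Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns

function Revoke-AppAdminConsent {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [guid] $AppId   # Application (client) ID of the app
    )

    # Resolve the service principal (Enterprise Application) behind the app registration.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal found for appId $AppId" }

    # Delegated permissions: tenant-wide admin consent has consentType 'AllPrincipals'.
    # Grants with consentType 'Principal' are per-user consents and are left alone.
    $grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All |
        Where-Object { $_.ConsentType -eq 'AllPrincipals' }
    foreach ($g in $grants) {
        $target = "delegated grant $($g.Id) scope='$($g.Scope)' resource=$($g.ResourceId)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove')) {
            Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $g.Id
        }
    }

    # Application permissions: stored as app role assignments on the service principal.
    $roles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    foreach ($r in $roles) {
        $target = "app role $($r.AppRoleId) on $($r.ResourceDisplayName)"
        if ($PSCmdlet.ShouldProcess($target, 'Remove')) {
            Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id `
                -AppRoleAssignmentId $r.Id
        }
    }

    # Summary of what was found, so the run can be checked against the Portal view.
    [pscustomobject]@{
        ServicePrincipalId = $sp.Id
        DelegatedGrants    = @($grants).Count
        AppRoleAssignments = @($roles).Count
    }
}

# Scopes needed to read the service principal and delete both kinds of grant.
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'

# Dry run first: -WhatIf lists every grant that would be removed without deleting it.
Revoke-AppAdminConsent -AppId '00000000-0000-0000-0000-000000000000' -WhatIf
```

Drop -WhatIf to perform the revocation; each removal then prompts for confirmation unless -Confirm:$false is passed.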
