I'm trying to write a PowerShell script to remove delegated permissions from my app registrations on Azure. I'm able to successfully do this if there are any application type permissions, but when trying to remove all delegated permissions from app registrations with application permissions
E.g. from this:
"requiredResourceAccess": [
{
"resourceAppId": "00000000-0000-0000-0000-000000000000",
"resourceAccess": [
{
"id": "00000000-0000-0000-0000-000000000000",
"type": "Scope"
}
]
}
],
To this:
"requiredResourceAccess": [],
This doesn't seem to work via PowerShell using @() but does via the portal.
Here is my PowerShell script to test this:
Connect-MgGraph -Scopes "Application.ReadWrite.All" -TenantId "XXX"
$dummyPermission = @() # empty array intended to clear requiredResourceAccess
$appId = "XXX" # object ID of the app registration (-ApplicationId takes the object id, not the appId)
$appManifest = Get-MgApplication -ApplicationId $appId
Write-Host "Original RequiredResourceAccess count: $($appManifest.RequiredResourceAccess.Count)" -ForegroundColor Yellow
Update-MgApplication -ApplicationId $appId -RequiredResourceAccess $dummyPermission
# re-read the application after the update (the original referenced an undefined $app here)
$appManifest = Get-MgApplication -ApplicationId $appId
$appManifest.RequiredResourceAccess | ConvertTo-Json -Depth 3
edited Mar 28 at 10:05 by Rukmini
asked Mar 17 at 10:00 by jammyjoe
- Check this learn.microsoft/en-us/answers/questions/695634/… – Rukmini Commented Mar 17 at 10:59
- I've seen this thread and I've managed to revoke admin consent using the PowerShell script shown. There is no Microsoft Graph command to remove permissions, I know that much, which is why I decided to use PowerShell to edit the app registration manifest by directly changing the JSON. Through that I've managed to remove Scope type API permissions (if there are Role type permissions existing as well), so there was some hope. I assumed I was missing something with using PowerShell's $null or @() to set an empty array. – jammyjoe Commented Mar 17 at 15:26
- Using the Microsoft Graph API it is possible; are you okay using the Microsoft Graph API to update the manifest? – Rukmini Commented Mar 17 at 15:27
1 Answer
Note: There is no direct PowerShell command to set requiredResourceAccess as null.
Hence you can make use of the Microsoft Graph API to set requiredResourceAccess as null:
As a sample, I added application and delegated API permissions:
First you need to revoke admin consent granted to the permissions:
Make use of the below query:
PATCH https://graph.microsoft.com/v1.0/applications/ObjectID
{
"requiredResourceAccess": []
}
Now when I refresh the Portal, the API permissions are removed and the manifest shows requiredResourceAccess : []
Alternatively, you can also make use of the below PowerShell script:
Connect-MgGraph -Scopes "Application.ReadWrite.All"
# ObjectID is the app registration's object id (not its appId)
$uri = "https://graph.microsoft.com/v1.0/applications/ObjectID"
# build the body explicitly so the empty array is serialised as a literal []
$body = @{
requiredResourceAccess = @()
} | ConvertTo-Json -Depth 3
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType "application/json"
Reference:
Graph API - Can you remove all permissions from your own app via api call? - Microsoft Q&A by JanardhanaVedham-MSFT
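The manifest edit the answer describes, generalised to the question's actual goal (strip only the delegated "Scope" entries and keep the application "Role" entries, re-reading the manifest afterwards to confirm), as an added example that is not code from the question, the answer or Microsoft. It assumes the Microsoft.Graph PowerShell SDK and a placeholder $ObjectId for the registration's object id.

```powershell
# Added example, not code from the question or the answer above.
# Removes every delegated ("Scope") entry from an app registration's
# requiredResourceAccess, keeps application ("Role") entries, and PATCHes the
# result through the Graph REST endpoint so an empty list is sent as a literal []
# instead of being dropped by the SDK cmdlet's parameter binding.
# Assumes the Microsoft.Graph SDK is installed and that $ObjectId is the
# application's object id (placeholder), not its appId. Revoke admin consent
# for the scopes first, as the answer describes.
param(
    [Parameter(Mandatory)] [string] $ObjectId,
    [switch] $DryRun   # print the PATCH body instead of sending it
)

Connect-MgGraph -Scopes "Application.ReadWrite.All"

$uri = "https://graph.microsoft.com/v1.0/applications/$ObjectId"
$app = Invoke-MgGraphRequest -Method GET -Uri ($uri + '?$select=displayName,requiredResourceAccess')

# Rebuild the list: drop Scope entries, and drop a resource block entirely
# when no Role entries remain in it.
$kept    = @()
$removed = 0
foreach ($resource in @($app.requiredResourceAccess)) {
    $roles  = @($resource.resourceAccess | Where-Object { $_.type -eq 'Role' })
    $scopes = @($resource.resourceAccess | Where-Object { $_.type -eq 'Scope' })
    $removed += $scopes.Count
    if ($roles.Count -gt 0) {
        $kept += @{
            resourceAppId  = $resource.resourceAppId
            resourceAccess = @($roles | ForEach-Object { @{ id = $_.id; type = 'Role' } })
        }
    }
}
Write-Host "$($app.displayName): removing $removed delegated permission(s), keeping $($kept.Count) resource block(s)"

# Build the body by hand: an empty $kept serialises as "requiredResourceAccess": []
$body = @{ requiredResourceAccess = $kept } | ConvertTo-Json -Depth 5
if ($DryRun) { Write-Output $body; return }

Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType "application/json"

# Verify by re-reading the manifest; fail loudly if any Scope entry survived.
$after    = Invoke-MgGraphRequest -Method GET -Uri ($uri + '?$select=requiredResourceAccess')
$leftover = @(@($after.requiredResourceAccess) | ForEach-Object { $_.resourceAccess } |
              Where-Object { $_.type -eq 'Scope' })
if ($leftover.Count -ne 0) { throw "PATCH succeeded but $($leftover.Count) Scope entries remain" }
```

Run it once with -DryRun to review the exact body before it touches the registration.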