Calls for powershell script to remove Delegated API Permissions from app registrations
I've written a powershell script that essentially goes through app registrations and removes all delegated permissions from them.
Currently I'm using a PATCH request to microsoft graph to set API permissions/requiredResourceAccess (as found here) to be an empty array if there are only delegated api permissions. However if there are application api permissions I'm using an Update-MgApplication command to replace the permissions with only the existing application api permissions.
This is because I was having errors trying to set the body of a PATCH request to be the remaining application api permissions.
I wanted to know if there was a more efficient way to write this script that made use of the correct calls whether it be Microsoft graph or MG powershell commands.
function main {
$TenantId = "XXX"
$Parameters = @{
TenantId = $TenantId
}
Remove-ManifestPermissions @Parameters
}
function Remove-ManifestPermissions
{
[CmdletBinding()]
param (
[Parameter(Mandatory)]
[Guid]
$TenantId
)
$requiredScopes = @(
"Application.ReadWrite.All",
"DelegatedPermissionGrant.ReadWrite.All"
)
$null = Connect-MgGraph -Scopes $requiredScopes -TenantId $TenantId
$apps = Get-MgApplication -All
foreach ($app in $apps)
{
Write-Host "Reviewing App: $( $app.DisplayName )"
# Get the service principal associated with the app
$servicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '$($app.AppId)'"
$apiPermissions = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipal $servicePrincipal.Id
foreach ($perm in $apiPermissions)
{
# Remove Admin Access Grant
Write-Host " - Revoking admin consent from API permissions..."
Remove-MgOauth2PermissionGrant -Oauth2PermissionGrantId $perm.Id
}
$appManifest = Get-MgApplication -ApplicationId $app.Id
if ($appManifest.RequiredResourceAccess[0].ResourceAccess) #$appManifest.RequiredResourceAccess.Count gt- 0
{
Write-Host "Processing ResourceAppId: $( $app.DisplayName ) with $( $appManifest.RequiredResourceAccess[0].ResourceAccess.Count ) API Permissions."
$appManifest.RequiredResourceAccess[0].ResourceAccess = $appManifest.RequiredResourceAccess[0].ResourceAccess | Where-Object { $_.Type -eq 'Role' }
if ($appManifest.RequiredResourceAccess[0].ResourceAccess.Count -gt 0)
{
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess $appManifest.RequiredResourceAccess
Write-Host "$( $app.DisplayName ) has $( $appManifest.RequiredResourceAccess[0].ResourceAccess.Count ) API Permission(s) remaining."
}
# If all API Permissions are delegated permissions, remove the RequiredResourceAccess entry
elseif ($appManifest.RequiredResourceAccess[0].ResourceAccess.Count -eq 0)
{
$uri = "https://graph.microsoft.com/v1.0/applications/$($app.Id)"
$body = @{
requiredResourceAccess = @()
} | ConvertTo-Json -Depth 3
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType "application/json"
}
# Update the manifest if there are role type API permissions
Write-Host "No Delegated Permissions remain for $( $app.DisplayName )"
}
else
{
Write-Host "No API Permissions found for $( $app.DisplayName )"
}
}
Disconnect-MgGraph | Out-Null
}
main
Solution
I agree with @Santiago Squarzon, Instead of querying the application again (Get-MgApplication -ApplicationId $app.Id), we simply use $app.RequiredResourceAccess directly within the loop. Since $app already contains this data (from Get-MgApplication -All), there's no need to retrieve it again:
For sample, I have API permissions like below:
function main {
$TenantId = "TenantID"
$Parameters = @{
TenantId = $TenantId
}
Remove-ManifestPermissions @Parameters
}
function Remove-ManifestPermissions
{
[CmdletBinding()]
param (
[Parameter(Mandatory)]
[Guid]
$TenantId
)
$requiredScopes = @(
"Application.ReadWrite.All",
"DelegatedPermissionGrant.ReadWrite.All"
)
# Connect to Microsoft Graph
$null = Connect-MgGraph -Scopes $requiredScopes -TenantId $TenantId
# Get all apps
$apps = Get-MgApplication -All
foreach ($app in $apps)
{
Write-Host "Reviewing App: $($app.DisplayName)"
# Get the service principal associated with the app
$servicePrincipal = Get-MgServicePrincipal -Filter "AppId eq '$($app.AppId)'"
$apiPermissions = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipal $servicePrincipal.Id
foreach ($perm in $apiPermissions)
{
# Remove Admin Access Grant
Write-Host " - Revoking admin consent from API permissions..."
Remove-MgOauth2PermissionGrant -Oauth2PermissionGrantId $perm.Id
}
# Now directly use the app's RequiredResourceAccess property
if ($app.RequiredResourceAccess.Count -gt 0)
{
$resourceAccess = $app.RequiredResourceAccess[0].ResourceAccess
Write-Host "Processing ResourceAppId: $($app.DisplayName) with $($resourceAccess.Count) API Permissions."
# Only keep role-based permissions (remove delegated permissions)
$resourceAccess = $resourceAccess | Where-Object { $_.Type -eq 'Role' }
if ($resourceAccess.Count -gt 0)
{
# Update the app manifest with remaining application permissions
$app.RequiredResourceAccess[0].ResourceAccess = $resourceAccess
Update-MgApplication -ApplicationId $app.Id -RequiredResourceAccess $app.RequiredResourceAccess
Write-Host "$($app.DisplayName) has $($resourceAccess.Count) API Permission(s) remaining."
}
elseif ($resourceAccess.Count -eq 0)
{
# If no role-based permissions remain, remove the RequiredResourceAccess entry
$uri = "https://graph.microsoft.com/v1.0/applications/$($app.Id)"
$body = @{
requiredResourceAccess = @()
} | ConvertTo-Json -Depth 3
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType "application/json"
Write-Host "All API permissions removed for $($app.DisplayName)."
}
}
else
{
Write-Host "No API Permissions found for $($app.DisplayName)"
}
}
# Disconnect from Microsoft Graph
Disconnect-MgGraph | Out-Null
}
main
The delegated API permissions revoked and removed successfully:
- "Schema" property not found in Postgres Connector
- Downloading file from Azure blob storage via Memory Stream
- Reading env variable from template.yaml
- HTTP Error 500.30 - ASP.NET Core app failed to start - Azure
- Azure DevOps Pipelines: TerraformTaskV4: init with different subscription and Workflow Identity Federation
- Enabling HTTPS for a Azure blob static website
- How to search across many Azure Devops Git project and find all files which contain specific text AND which filename contains "Resource"
- Hosting SPA with Static Website option on Azure Blob Storage (clean URLs and Deep links)
- Using Managed Identity to Access Azure OpenAI Service
- Azure data factory not loading
- Transfer encrypted dataprotection keys from a windows vm to azure keyvault
- Refresh powerBI data with additional column
- Azure Application Insights AKS - How to Create 1 custom alert rule which will trigger multiple alerts, but with different names (per pod name)?
- gRPC and REST side by side in Azure App Service, Linux Container
- Connecting to a SignalR WSS stream but not getting the response i am looking for
- SignalR prevent user from opening multiple sessions in different tabs
- Application Insights -_logger.LogInformation
- CosmosDB is not allowing serverless capabalities to NoSQL, it says I must use CapacityMode
- Azure Webapp / Website Swap : HTTP Ping Error
- Microsoft Graph API - Update phoneMethods is no longer working
- Use Azure Key Vault secret in Header section of Web Activity
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How do I save and later load Azure AnalyzeResult object in python?
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure ADF - HTTP : Table from list
- Self hosted azure devops build agent not getting tool from $PATH
- Azure devops pipeline stages template nesting
- Azure APIM is returning the incorrect HTTP response error when call is missing mandatory querystring parameter
- Azure DevOps build pipeline logid for a specific task - dynamically
- PS script to fetch the list non-compliance resource list with respect to policy from multiple subscriptions