How to Add or Remove Delegated Consented Permissions Using PowerShell

Managing delegated permissions for applications in Microsoft environments is a critical task for administrators. This guide provides a Microsoft Graph PowerShell script to help you add or remove delegated permissions with greater granularity and control.


Why Modify Delegated Permissions?

Delegated permissions allow an application to act on behalf of a signed-in user. However, there are scenarios where you may need to adjust these permissions:

  • To remove unnecessary or excessive permissions for security purposes.
  • To add new permissions required for application functionality.
  • To troubleshoot issues with API access.

Note: The script provided here gives fine-grained control over permissions and is ideal for advanced scenarios.


PowerShell Script: Add or Remove Delegated Permissions

Here’s the full PowerShell script to manage delegated permissions:

Configuration Section

# CONFIGURATION

# Application ID of the app (client) whose delegated permissions you are managing
$appId = "YOUR_APP_ID"

# Uncomment the line below if you want to modify a single user's consent
# (user principal name or object id); leave it commented for tenant-wide consent
# $UserId = "user@contoso.com"

# Application ID of the resource (API) the permissions apply to; Microsoft Graph is the default
# Legacy Azure AD Graph App Id: "00000002-0000-0000-c000-000000000000"
# Microsoft Graph App Id:       "00000003-0000-0000-c000-000000000000"
$resourceId = "00000003-0000-0000-c000-000000000000"

# Delegated permissions you want on this service principal
$AddPermissions = @(
    "User.Read"
)

# Delegated permissions you want removed from this service principal
$RemovePermissions = @(
    "Mail.Send",
    "Group.ReadWrite.All"
)

Main Script

# Connect to Microsoft Graph PowerShell
Connect-MgGraph -Scopes "Directory.Read.All", "DelegatedPermissionGrant.ReadWrite.All"

$appPrincipal = Get-MgServicePrincipal -Filter "appId eq '$($appId)'"
$ResourceServicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$($resourceId)'"
if (-not $appPrincipal -or -not $ResourceServicePrincipal) {
    throw "Service principal for app '$appId' or resource '$resourceId' was not found in this tenant."
}

# Resolve the user only when modifying a single user's consent; Get-MgUser fails on an empty -UserId
$UserPrincipal = $null
if ($UserId) {
    $UserPrincipal = Get-MgUser -UserId $UserId
}

# Find grant if one already exists
if ($UserId) {
    $grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($appPrincipal.Id)' and resourceId eq '$($ResourceServicePrincipal.Id)' and principalId eq '$($UserPrincipal.Id)'"
} else {
    $grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($appPrincipal.Id)' and resourceId eq '$($ResourceServicePrincipal.Id)'"
}

# Update existing grant(s)
# Permissions being added are stripped first so that re-adding never duplicates them
$RemovePermissions += $AddPermissions
foreach ($grant in $grants) {
    # Scope is a space-separated string; work on the token list so that removing
    # "User.Read" does not also mangle "User.ReadWrite" or "User.Read.All"
    $scopes = @($grant.Scope -split '\s+' | Where-Object { $_ })

    # Remove permissions from grant
    foreach ($permission in $RemovePermissions) {
        Write-Host "Removing: $($permission)"
        $scopes = @($scopes | Where-Object { $_ -ne $permission })
    }

    # Add permissions to grant
    foreach ($permission in $AddPermissions) {
        Write-Host "Adding: $($permission)"
        $scopes += $permission
    }

    # Update existing grant
    Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope ($scopes -join " ")
}

# Create grant if none exists
if (-not $grants) {
    $ScopeString = $AddPermissions -join " "
    if ($UserId) {
        New-MgOauth2PermissionGrant -ClientId $appPrincipal.Id -ResourceId $ResourceServicePrincipal.Id -Scope $ScopeString -ConsentType Principal -PrincipalId $UserPrincipal.Id
    } else {
        New-MgOauth2PermissionGrant -ClientId $appPrincipal.Id -ResourceId $ResourceServicePrincipal.Id -Scope $ScopeString -ConsentType AllPrincipals
    }
}

Key Notes for Administrators

  1. Pre-requisites:
    • Install the latest version of the Microsoft Graph PowerShell SDK.
    • Ensure you have the required permissions to manage delegated permissions (Directory.Read.All and DelegatedPermissionGrant.ReadWrite.All).
  2. Customizing the Script:
    • Replace YOUR_APP_ID with the Application ID of the app you want to manage.
    • Modify $AddPermissions and $RemovePermissions arrays to include the permissions you wish to add or remove.
  3. User vs. Application Permissions:
    • If modifying permissions for a specific user, uncomment and set $UserId to the user's user principal name (typically the user's email address).
    • If managing permissions for all users (tenant-wide admin consent), leave $UserId commented out.
  4. Testing the Script:
    • Before running the script in production, test it in a non-production environment to ensure it works as expected.
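As an added example (not part of the original script), the following read-only PowerShell snippet reports every delegated grant the app holds on the chosen resource, resolves per-user grants to the user's UPN, and flags scopes on a watch list; run it before and after the script above to confirm only the intended change landed. It assumes $appId and $resourceId are set as in the Configuration Section, and $WatchList is a constructed list you should adjust to your own baseline.

```powershell
# Read-only review of an app's delegated consent grants (added example, not the page's script).
# Assumes $appId and $resourceId are already set as in the Configuration Section.
Connect-MgGraph -Scopes "Directory.Read.All"

# Constructed watch list of scopes an administrator normally wants called out
$WatchList = @("Mail.Send", "Group.ReadWrite.All", "Directory.ReadWrite.All", "Files.ReadWrite.All")

$appPrincipal = Get-MgServicePrincipal -Filter "appId eq '$($appId)'"
$resourcePrincipal = Get-MgServicePrincipal -Filter "appId eq '$($resourceId)'"
if (-not $appPrincipal -or -not $resourcePrincipal) { throw "Service principal not found." }

# -All follows paging so large tenants are not silently truncated
$grants = Get-MgOauth2PermissionGrant -All -Filter "clientId eq '$($appPrincipal.Id)' and resourceId eq '$($resourcePrincipal.Id)'"
if (-not $grants) {
    Write-Host "No delegated grants exist for $($appPrincipal.DisplayName) on this resource."
    return
}

$report = foreach ($grant in $grants) {
    # Tenant-wide grants have ConsentType 'AllPrincipals' and no PrincipalId;
    # per-user grants carry the consenting user's object id
    if ($grant.ConsentType -eq 'AllPrincipals') {
        $who = 'All users (admin consent)'
    } else {
        $who = (Get-MgUser -UserId $grant.PrincipalId -Property UserPrincipalName).UserPrincipalName
    }

    $scopes = @($grant.Scope -split '\s+' | Where-Object { $_ })
    [pscustomobject]@{
        GrantId     = $grant.Id
        ConsentType = $grant.ConsentType
        GrantedTo   = $who
        ScopeCount  = $scopes.Count
        Flagged     = ($scopes | Where-Object { $WatchList -contains $_ }) -join ' '
        Scopes      = $scopes -join ' '
    }
}

$report | Format-Table -AutoSize

# Surface the grants that deserve a second look before (or after) modifying consent
$report | Where-Object { $_.Flagged } | ForEach-Object {
    Write-Warning "Grant $($_.GrantId) for '$($_.GrantedTo)' includes watch-listed scopes: $($_.Flagged)"
}
```

Because the snippet only reads grants, it needs no DelegatedPermissionGrant.ReadWrite.All consent and is safe to run in production as a baseline check.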

Example Use Cases

  • Adding Permissions: Add User.Read to allow the app to access basic user profile information.
  • Removing Permissions: Remove Mail.Send to prevent the app from sending emails on behalf of users.
  • Granular Control: Combine adding and removing permissions in one script for efficient management.
