bhartisemwal1990
Jun 22, 2022 Copper Contributor
Revoke all Graph write permission for an Enterprise Application in Azure AD
Hello, I have an enterprise application registered in my tenant which has delegated permissions consented by the Global Admin (me). I have the below permissions for the enterprise app Graph: User.Read...
bhartisemwal1990
Jun 23, 2022 Copper Contributor
Hello mikhailf,
Thanks for the help!
I tried executing the command, following the article; it doesn't seem to work for an enterprise application.
I am trying to remove scope from Enterprise application for ShareGate Migration tool.
I have ever tried it for Enterprise application?
Please find below the snippet I tried to run:
$ShareGateTool= Get-AzureADServicePrincipal | Where-Object {$_.DisplayName -eq "ShareGate migration tool 2.0"}
$ShareGateToolONotes= Get-AzureADOAuth2PermissionGrant | Where-Object {$_.ResourceId -eq $ShareGateTool.ObjectId} | Where-Object {$_.Scope -eq "Notes.ReadWrite.All"}
Remove-AzureADOAuth2PermissionGrant -ObjectId $ShareGateToolONotes.ObjectId
mikhailf
Jun 23, 2022 Iron Contributor
What do you see when you run "Get-AzureADServicePrincipal | Where-Object {$_.DisplayName -eq "ShareGate migration tool 2.0"}" ?
Do you see the permissions you want to remove?
- bhartisemwal1990
Jun 23, 2022 Copper Contributor
No, this command only gets the enterprise application service principal object. Please find below:
Result: ObjectId AppId DisplayName
-------- ----- -----------
29002c3b-0337-466e-8ab5-c00c5219474f 0f78653b-2b30-47f2-9d09-3c17709f118a ShareGate migration tool 2.0
- mikhailf
Jun 23, 2022 Iron Contributor
Correct.
Do you see the list of permissions by running this?
$app = Get-AzureADServicePrincipal | Where-Object {$_.DisplayName -eq "ShareGate migration tool 2.0"}
Get-AzureADOAuth2PermissionGrant | Where-Object {$_.ResourceId -eq $app.ObjectId}
- bhartisemwal1990
Jun 23, 2022 Copper Contributor
No, the object returned for the above command is empty, as Get-AzureADOAuth2PermissionGrant does not have any OAuth2PermissionGrant which matched $app.ObjectId.
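
Added example, not part of any post in the thread: a delegated permission grant stores the application's service principal in ClientId and the API (here Microsoft Graph) in ResourceId, with all consented scopes in one space-separated Scope string. The sketch below uses the Microsoft Graph PowerShell SDK rather than the AzureAD module from the thread, and assumes "write" scopes are those whose name contains "Write".

```powershell
# Added example. Assumes the Microsoft.Graph PowerShell SDK is installed
# and the signed-in admin can consent to the two scopes requested here.
Connect-MgGraph -Scopes 'Application.Read.All','DelegatedPermissionGrant.ReadWrite.All'

$appName      = 'ShareGate migration tool 2.0'  # display name from the thread
$writePattern = 'Write'                         # assumption: what counts as a write scope

# Service principal of the enterprise application (the *client* of the grant).
$client = @(Get-MgServicePrincipal -Filter "displayName eq '$appName'")
if ($client.Count -ne 1) { throw "Expected one service principal named '$appName', found $($client.Count)." }

# Service principal of Microsoft Graph (the *resource*), located by its well-known appId.
$graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"

# Delegated grants are looked up by clientId, then narrowed to the Graph resource.
$grants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$($client[0].Id)'" -All |
    Where-Object { $_.ResourceId -eq $graph.Id }

foreach ($grant in $grants) {
    # Scope is a single space-separated string, so split it before comparing.
    $scopes = @($grant.Scope -split '\s+' | Where-Object { $_ })
    $drop   = @($scopes | Where-Object { $_ -match    $writePattern })
    $keep   = @($scopes | Where-Object { $_ -notmatch $writePattern })
    if ($drop.Count -eq 0) { continue }

    Write-Host "Grant $($grant.Id) [$($grant.ConsentType)]: removing $($drop -join ', ')"
    if ($keep.Count -eq 0) {
        # Nothing left to keep: delete the whole grant.
        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
    } else {
        # Rewrite the grant with only the non-write scopes.
        Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope ($keep -join ' ')
    }
}

# Confirm what remains consented for the application.
Get-MgOauth2PermissionGrant -Filter "clientId eq '$($client[0].Id)'" -All |
    Select-Object Id, ConsentType, ResourceId, Scope
```

Both tenant-wide grants (ConsentType AllPrincipals) and per-user grants (ConsentType Principal) are processed, so review the Write-Host output against the intended scope list before relying on the result.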