Skip to main content

So you have all these applications (Enterprise applications and App registrations) in Microsoft Entra. But you want to revoke the permissions from an application. It’s possible to remove the admin consent permissions from applications in Microsoft Entra admin center but not the user consent permissions. In this article, you will learn how to remove admin and user consent permissions from the Microsoft Entra application.

Find application permissions in Microsoft Entra

Let’s look at the admin consent and user consent permissions for an application in Microsoft Entra:

  1. Sign in to Microsoft Entra admin center
  2. Expand Identity > Applications
  3. Select Enterprise applications (or App registrations)
  4. Click on All applications
  5. Select the application
Microsoft Entra admin center all applications
  1. Click on Permissions
  2. Select Admin consent
  3. Select Revoke Permission
Microsoft Entra application admin consent revoke permission
  1. Click on the User consent tab
  2. There is no option to Revoke Permission
Microsoft Entra application user consent no option to revoke permission

So we can revoke permissions from applications when it’s granted through admin consent. Unfortunately, it’s impossible to revoke permissions when it’s granted through user consent in Microsoft Entra admin center.

In the next step, we will go through the steps and show how to remove the admin and user consent permissions from an application with PowerShell.

Install Microsoft Graph PowerShell module

Start Windows PowerShell as administrator and  Install Microsoft Graph PowerShell.

Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force

Important: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.

You can use the script below to remove both user and admin consent permissions from the application.

Find the application Object ID in the Overview tab. Next, paste it on line 4.

Connect-MgGraph -Scopes "User.ReadWrite.All", "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All"

# Get Service Principal using objectId
$sp = Get-MgServicePrincipal -ServicePrincipalId 453d37f9-20e5-4325-bc00-67d1581a0232

# Get all delegated permissions for the service principal
$spOAuth2PermissionsGrants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All

# Remove all delegated permissions
$spOAuth2PermissionsGrants | ForEach-Object {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
}

Only remove the admin consent permissions from the application.

Find the application Object ID in the Overview tab. Next, paste it on line 4.

Connect-MgGraph -Scopes "User.ReadWrite.All", "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All"

# Get Service Principal using objectId
$sp = Get-MgServicePrincipal -ServicePrincipalId 453d37f9-20e5-4325-bc00-67d1581a0232

# Get all delegated permissions for the service principal
$spOAuth2PermissionsGrants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All

# Remove only delegated permissions granted with admin consent
$spOAuth2PermissionsGrants | Where-Object { $_.ConsentType -eq "AllPrincipals" } | ForEach-Object {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
}

Only remove the user consent permissions from the application.

Find the application Object ID in the Overview tab. Next, paste it on line 4.

Connect-MgGraph -Scopes "User.ReadWrite.All", "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All"

# Get Service Principal using objectId
$sp = Get-MgServicePrincipal -ServicePrincipalId 453d37f9-20e5-4325-bc00-67d1581a0232

# Get all delegated permissions for the service principal
$spOAuth2PermissionsGrants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All

# Remove only delegated permissions granted with user consent
$spOAuth2PermissionsGrants | Where-Object { $_.ConsentType -ne "AllPrincipals" } | ForEach-Object {
    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
}

Let’s look at a better way to remove Microsoft Entra applications permissions with a PowerShell script.

Remove Entra ID application permissions with Powershell script

An excellent way to remove the user and admin consent permissions is with the PowerShell script.

Prepare Remove-AppPermissions PowerShell script

Download and place Remove-AppPermissions.ps1 PowerShell script in C:\scripts folder.

Ensure the file is unblocked to prevent errors when running the script.
Another option is to copy and paste the below code into Notepad. Give it the name Remove-AppPermissions.ps1 and place it in the C:\scripts folder.

# Variables
$systemMessageColor = "cyan"
$processMessageColor = "green"
$errorMessageColor = "red"
$warningMessageColor = "yellow"

Write-Host -ForegroundColor $systemMessageColor "Script started`n"
Write-Host "--- Script to delete app permissions from an Entra ID application in a tenant ---"

Write-Host -ForegroundColor $processMessageColor "`nChecking for Microsoft Graph PowerShell module"
if (Get-Module -ListAvailable -Name Microsoft.Graph.Authentication) {
    Write-Host -ForegroundColor $processMessageColor "Microsoft Graph PowerShell module found"
}
else {
    Write-Host -ForegroundColor $warningMessageColor -BackgroundColor $errorMessageColor "Microsoft Graph PowerShell Module not installed. Please install and re-run the script`n"
    Write-Host "You can install the Microsoft Graph PowerShell module by:`n"
    Write-Host "    1. Launching an elevated PowerShell console then,"
    Write-Host "    2. Running the command, 'Install-Module -Name Microsoft.Graph'.`n"
    Pause ## Pause to view error on screen
    exit 0 ## Terminate script
}

Connect-MgGraph -Scopes "User.ReadWrite.All", "Application.ReadWrite.All", "DelegatedPermissionGrant.ReadWrite.All"

$results = Get-MgServicePrincipal -All | Select-Object Id, AppId, DisplayName | Sort-Object DisplayName | Out-GridView -PassThru -Title "Select Application (Multiple selections permitted)"
foreach ($result in $results) {
    # Loop through all selected options
    Write-Host -ForegroundColor $processMessageColor "Commencing", $result.DisplayName
    # Get Service Principal using objectId
    $sp = Get-MgServicePrincipal -All | Where-Object { $_.Id -eq $result.Id }
    # Menu selection for User or Admin consent types
    $consentType = @()
    $consentType += [PSCustomObject]@{ Name = "Admin consent"; Type = "allprincipals" }
    $consentType += [PSCustomObject]@{ Name = "User consent"; Type = "principal" }
    $consentSelects = $consentType | Out-GridView -PassThru -Title "Select Consent type (Multiple selections permitted)"

    foreach ($consentSelect in $consentSelects) {
        # Loop through all selected options
        Write-Host -ForegroundColor $processMessageColor "Commencing for", $consentSelect.Name
        # Get all delegated permissions for the service principal
        $spOAuth2PermissionsGrants = Get-MgOauth2PermissionGrant -All | Where-Object { $_.clientId -eq $sp.Id }
        $info = $spOAuth2PermissionsGrants | Where-Object { $_.consentType -eq $consentSelect.Type }
        
        if ($info) {
            # If there are permissions set
            if ($consentSelect.Type -eq "principal") {
                # User consent
                $usernames = @()
                foreach ($item in $info) {
                    $usernames += Get-MgUser -UserId $item.PrincipalId
                }
                $selectUsers = $usernames | Select-Object Displayname, UserPrincipalName, Id | Sort-Object Displayname | Out-GridView -PassThru -Title "Select Consent type (Multiple selections permitted)"
                foreach ($selectUser in $selectUsers) {
                    # Loop through all selected options
                    $infoScopes = $info | Where-Object { $_.principalId -eq $selectUser.Id }
                    Write-Host -ForegroundColor $processMessageColor "`n"$consentSelect.Name, "permissions for user", $selectUser.Displayname
                    foreach ($infoScope in $infoScopes) {
                        Write-Host "`nResource ID =", $infoScope.ResourceId
                        $assignments = $infoScope.Scope -split " "
                        foreach ($assignment in $assignments) {
                            Write-Host "-", $assignment
                        }
                    }
                    Write-Host -ForegroundColor $processMessageColor "`nSelect items to remove`n"
                    $removes = $infoScopes | Select-Object Scope, ResourceId, Id | Out-GridView -PassThru -Title "Select permissions to delete (Multiple selections permitted)"
                    foreach ($remove in $removes) {
                        Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $remove.Id
                        Write-Host -ForegroundColor $warningMessageColor "Removed consent for", $remove.Scope
                    }
                }
            } 
            elseif ($consentSelect.Type -eq "allprincipals") {
                # Admin consent
                $infoScopes = $info | Where-Object { $_.principalId -eq $null }
                Write-Host -ForegroundColor $processMessageColor $consentSelect.Name, "permissions"
                foreach ($infoScope in $infoScopes) {
                    Write-Host "`nResource ID =", $infoScope.ResourceId
                    $assignments = $infoScope.Scope -split " "
                    foreach ($assignment in $assignments) {
                        Write-Host "-", $assignment
                    }
                }
                Write-Host -ForegroundColor $processMessageColor "`nSelect items to remove`n"
                $removes = $infoScopes | Select-Object Scope, ResourceId, Id | Out-GridView -PassThru -Title "Select permissions to delete (Multiple selections permitted)"
                foreach ($remove in $removes) {
                    Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $remove.Id
                    Write-Host -ForegroundColor $warningMessageColor "Removed consent for", $remove.Scope
                }
            }
        }
        else {
            Write-Host -ForegroundColor $warningMessageColor "`nNo", $consentSelect.Name, "permissions found for" , $results.DisplayName, "`n"
        }
    }
}

Write-Host -ForegroundColor $systemMessageColor "`nScript Finished"

Run Remove-AppPermissions PowerShell script

Run PowerShell as administrator and run the below command to start the Remove-AppPermissions.ps1 PS script.

C:\Scripts\.\Remove-AppPermissions.ps1

A grid view window will display the output in an interactive table. These are all the applications in your Microsoft Entra tenant.

List of all Microsoft Entra applications

Select the application and click OK.

In our example, we will select the Microsoft Graph Command Line Tools app.

Select Entra application

Select the consent type. Multiple selections are permitted.

In our example, we will select both Admin consent and User consent type.

Remove permissions from applications select consent type

Select the users you want to remove the permission from the application and click OK.

In our example, we will select both the users.

Note: If a user has admin consent and user consent permissions, it will prompt you twice in the next step. So you can decide if you only want to remove user consent, admin consent, or both the permissions for the user.

Remove permissions from applications select users

It will go through the admin consented users that you selected. Select the permissions to delete. Click OK.

Remove permissions from application select permissions to revoke

It will go through the user consented users that you selected. Select the permissions to delete. Click OK.

In our example, we only have 1 user and select that.

Remove permissions from application select permissions to delete

The PowerShell script finishes, and in the output, you will see the results.

This is what it looks.

Script started

--- Script to delete app permissions from an Entra ID application in a tenant ---

Checking for Microsoft Graph PowerShell module
Microsoft Graph PowerShell module found
Welcome to Microsoft Graph!

Connected via delegated access using 12d82ffa-202b-4c2f-a7e8-296a70dab67e
Readme: https://aka.ms/graph/sdk/powershell
SDK Docs: https://aka.ms/graph/sdk/powershell/docs
API Docs: https://aka.ms/graph/docs

NOTE: You can use the -NoWelcome parameter to suppress this message.

Commencing Microsoft Graph Command Line Tools
Commencing for User consent

 User consent permissions for user Admin 2

Resource ID = 73d0154b-e490-44fe-9447-fa47ec7fdd7f
-
- User.Read.All
- Group.ReadWrite.All
- Application.ReadWrite.All
- DelegatedPermissionGrant.ReadWrite.All
- openid
- profile
- offline_access

Select items to remove

Removed consent for  User.Read.All Group.ReadWrite.All Application.ReadWrite.All DelegatedPermissionGrant.ReadWrite.All openid profile offline_access

 User consent permissions for user Admin Tajran

Resource ID = 73d0154b-e490-44fe-9447-fa47ec7fdd7f
-
- User.Read.All
- Group.ReadWrite.All
- Application.ReadWrite.All
- DelegatedPermissionGrant.ReadWrite.All
- openid
- profile
- offline_access

Select items to remove

Removed consent for  User.Read.All Group.ReadWrite.All Application.ReadWrite.All DelegatedPermissionGrant.ReadWrite.All openid profile offline_access
Commencing for Admin consent
Admin consent permissions

Resource ID = 73d0154b-e490-44fe-9447-fa47ec7fdd7f
- User.Read

Select items to remove

Removed consent for User.Read

Script Finished

Verify permissions in Entra application

Go to the application permissions and confirm that the admin consent permissions and the user consented permissions are revoked.

This is how it looks for the Admin consented permissions:

No admin consented permission found for the application

This is how it looks for the User consented permissions:

No user consented permission found for the application

That’s it!

Leave a Reply