I have one Azure Ad app where I added permissions using Add-AzADAppPermission
To grant admin consent to these, I used CLI commands here
az login
az ad app permission admin-consent --id <application-id>
I can see admin consent is granted for these permissions in Portal:
But I want to remove this consent now from PowerShell.
Is there any command like Revoke-AzADPermissionGrant to achieve that?
I can do this from Portal, but I want it from PowerShell or CLI or Graph query.
Can anyone please shed light on this?
To revoke admin_consent granted for Azure AD application permissions, you can make use of below Graph API query:
DELETE https://graph.microsoft.com/v1.0/oauth2PermissionGrants/<id>
To get the <id>, you can run this query by filtering it with Service Principal ObjectID.
GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants/?$filter=clientId eq 'SP ObjectID'
I tried to reproduce the same in my environment and got the below results:
I created one Azure AD application and granted same API permissions like this:
You can get SP ObjectID of the above application like below:
Go to Azure Portal -> Azure AD -> Enterprise Applications -> Your App -> Overview
I ran the below query to get <id> by including filter like this:
GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants/?$filter=clientId eq 'SP ObjectID'
Response:
I ran the DELETE query like below, I got the response successfully:
DELETE https://graph.microsoft.com/v1.0/oauth2PermissionGrants/<id>
Response:
When I checked Azure Portal, admin consent got revoked successfully for that application like below:
To do the same from PowerShell, try running below commands:
Connect-MgGraph
Import-Module Microsoft.Graph.Identity.SignIns
Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $Id
Make sure to install Microsoft.Graph module before running those commands.
If not, try using below command to install that module:
Install-Module Microsoft.Graph -Scope CurrentUser
Related
I am new to the Microsoft Graph PowerShell SDK.
The commands below all launch a browser tab where I am prompted to login.
I login with my Microsoft account which has these roles:
SharePoint Administrator
Global Reader
Power Platform Administrator
The account is also specified as an Admin of the global term store taxonomy.
In order to list all sites in a tenant (List sites), I try to connect with:
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All", "Sites.Read.All", "Sites.ReadWrite.All"
In order to export term store taxonomy (Get store), I try to connect with:
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All", "TermStore.Read.All", "TermStore.ReadWrite.All"
In both these instance, after logging in with my admin account, I am getting the error shown below in the browser:
Need admin approval
unverified
needs permission to access resources in your organization that only an admin can grant.
Please ask an admin to grant permission to this app before you can use it
I do not get this error when connecting with the following:
Connect-MgGraph -Scopes "User.Read.All", "Group.ReadWrite.All"
Troubleshooting
Perhaps the research below can shed some light on an answer as to why this is happening and how to resolve it?
If I look at the docs for the Graph API endpoints I am wanting to query, I can see the Permissions are as follows:
List sites
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
Not supported.
Delegated (personal Microsoft account)
Not supported.
Application
Sites.Read.All, Sites.ReadWrite.All
Get store
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
TermStore.Read.All, TermStore.ReadWrite.All
Delegated (personal Microsoft account)
Not supported.
Application
Not supported.
How do these permissions relate to using the Graph PowerShell SDK?
Per the quote below from the official docs, I believe using the SDK as I have above is considered delegated access?
The PowerShell SDK supports two types of authentication: delegated
access, and app-only access. In this guide, you'll use delegated
access to sign in as a user, grant consent to the SDK to act on your
behalf, and call the Microsoft Graph.
So I guess my scenario is Delegated (work or school account)?
Questions
01) If so, does that mean I cannot make any request where the API docs define the Permissions as:
Permission type
Permissions (from least to most privileged)
Delegated (work or school account)
Not supported.
02) If that is the case, does that mean that the Microsoft Graph PowerShell SDK is not a good tool for administering SharePoint Online (because, according to the API reference docs, many of the endpoints are 'not supported' by a Delegated (work or school account))?
Thanks for reaching out to us , this looks like you are not using your admin account, please cross check the account you are logging in PowerShell. please follow below steps .
Try to disconnect your previous account from PowerShell (use command Disconnect-MgGraph)
Then try connect with your account ,use Connect-MgGraph
You will get a pop up , select the account in which you are the admin.
Then run the command and try again
Edited :
Agree with scottwtang comments ,If you are using the correct account make sure admin consent requests are Enabled in your tenant , you can check by following the below steps and ask your Global Administrator to grant admin consent
To check the admin consent workflow and choose reviewers:
Sign in to the Azure portal with one of the roles listed in the
prerequisites.
Search for and select Azure Active Directory.
Select Enterprise applications.
Under Manage, select User settings. Under Admin consent requests,
select Yes for Users can request admin consent to apps they are
unable to consent to . Configure admin consent workflow settings
ref doc - https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow
Hope this help ,
Thanks
I am connecting to Az using Powershell:
Connect-AzureAd
Then, i am trying execute command:
Get-AzRoleAssignment -ResourceGroupName 'devtest' -ResourceName 'SA-name' -ResourceType 'Microsoft.Storage/storageAccounts'
And eveything work fine, i am getting results. with -Debug flag i see, that Az executing API method:
POST https://graph.microsoft.com/v1.0/directoryObjects/microsoft.graph.getByIds
Then, i go to Graph Explorer and i try to execute the same method from there with the same account that i logged into Az and i getting an authorization error from call:
When i check, what kind of privilage i need to for perform this action i can see that there is no way that my account have Directory.Read.All permission granted.
So the question is, why i am allowed to do more actions from Powershell tha graph using same account?
Pls allow me post it as the answer first for a better desription.
Based on the Error tip on the top of your screenshoot, if you've consent all the permissions in that tab?
By the way, is the azure ad application you used to generate access token in powershell the same as the application for graph explorer? When I decode the access token generated by graph explorer, I found it's generated by app named Graph explorer (official site). I think it may lead to your issue.
I am the owner of an Azure AD registered application, and I need to run the command Add-AzureADServicePrincipalPolicy from AzureAdPreview Module (Powershell).
Running the command throws back the following error:
For the moment, the registered app has only the following rights in "API permissions":
Tell, me please, which rights that command demands in order to be successful, as I might need to ask an admin if they require Admin consent?
Or can it be my user's fault that it doesn't have enough rights?
You Need to have Azure AD's RBAC administrator roles to the user when authenticating with Connect-AzureAD,
For Example :- Any of the Application administrator,Global Administrator, ..etc is required.
Since, your account doesn't have permission you will return an error message containing "Insufficient privileges to complete the operation." Contact your Azure AD admin to grant you the required roles.
Reference here.
I'm trying to create a new Azure AD user via PowerShell.
I created a global admin in the portal:
I run Connect-MsolService without any issues.
However, running New-MsolUser -UserPrincipalName ... fails with insufficient permissions:
Any idea what is the issue?
If the login account for Connect-MsolService doesn't have sufficient permissions, for example, the account only has common user permissions, you might encounter the insufficient permissions problem.
However, if you create an account with Global administrator privileges in either new portal or classic portal, and use this account for login with Connect-MsolService, then you can create a new user by using the command 'New-MsolUser' successfully. Also, please note for the parameter '-UserPrincipalName', you must use the initial domain name for suffix, i.e. 'xxxxxx.onmicrosoft.com', or the customized domain verified in AzureAD.
Currently, there are two PowerShell modules for Azure AD: AzureAD and MSOnline.
MSOnline is the old module, which can still provide functionality that is not yet available in the AzureAD module. In future, the older MSOnline module will be deprecated when all of the functionality has been migrated to the newer module - AzureAD.
Therefore, it's encouraged to use the newer AzureAD module.
More details about Azure AD PowerShell, please refer to the following documentation.
https://learn.microsoft.com/en-us/powershell/azure/overview?view=azureadps-2.0
In the new Azure portal you have the option to use Role Based Access (RBAC). I want to give a user rights to startup and shutdown a virtual machine in Azure. I also don't want that is it possible for this user to create new VM's in Azure so I don't want to make this user Administrator. I gave the user the required rights in the new Azure portal (owner for: the VM, Cloud Service and storage).
When I open PowerShell with the user that has rights on Azure. I first execute the command Add-AzureAccount. After this I execute the following command: Start-AzureVM -ServiceName "MyVM" -Name "MyVM". Then I receive the following error: ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.
When I perform this scenario for a Subscription Administrator everything works fine.
Is the described scenario supported by the Azure PowerShell cmdlets? What are possible alternatives?
Thanks in advance
Unfortunately, RBAC through Powershell is currently only available for ARM-resources, i.e. non-"classic" resources in the preview portal, and users needs to have accounts in the Azure AD tenant associated with the subscription. Federated Microsoft accounts will won't work.