question

tarouchabi-7271 asked:

Scope of Get-AzureADOAuth2PermissionGrant

I want to remove the default scope.
I want to delete *.ReadWrite.All and add Group.Read.All, etc. Is that possible?

PS C:\Windows\system32> $sp = Get-AzureADServicePrincipal | Where-Object { $_.DisplayName -eq "Microsoft Intune PowerShell" }
PS C:\Windows\system32> $spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true | Where-Object { $_.ClientId -eq $sp.ObjectId } | Where-Object { $_.Scope -like "*Device*" }
PS C:\Windows\system32> $spOAuth2PermissionsGrants | fl Scope
Scope : DeviceManagementManagedDevices.PrivilegedOperations.All DeviceManagementManagedDevices.ReadWrite.All DeviceManagementRBAC.ReadWrite.All DeviceManagementApps.ReadWrite.All DeviceManagementConfiguration.ReadWrite.All DeviceManagementServiceConfig.ReadWrite.All Group.ReadWrite.All Directory.Read.All openid

Tags: azure-ad-app-registration, azure-ad-app-management

1 Answer

JamesTran-MSFT answered:

@tarouchabi-7271
Thank you for your post!

When it comes to deleting the default scopes, for example *.ReadWrite.All, and adding Group.Read.All and other permissions to your Service Principal, I don't believe this is possible using PowerShell, since all you can do is Get/Remove the AzureADOAuth2 permission grants; but you should be able to accomplish this via the Microsoft Graph API.


1) List oauth2PermissionGrants to retrieve a list of oAuth2PermissionGrant objects

 GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants

2) Get oAuth2PermissionGrant to retrieve an oAuth2PermissionGrant object.

 ## The grant's clientId is the Service Principal's object ID (not its application ID)
 ## Service Principal's application ID == Azure AD App Registration's application ID (client ID)
 GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants/AVs6JuUDjkCFV7q2gd8QTPimBBgj5iBFj0C6GwwRxC0



3) Update a delegated permission grant (oAuth2PermissionGrant) to update the properties of oAuth2PermissionGrant object

 PATCH https://graph.microsoft.com/v1.0/oauth2PermissionGrants/l5eW7x0ga0-WDOntXzHateQDNpSH5-lPk9HjD3Sarjk
 Content-Type: application/json
    
 {
     "scope": "User.ReadBasic.All Group.ReadWrite.All"
 }



I hope this helps!


If you have any other questions, please let me know.
Thank you for your time and patience throughout this issue.


Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


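The three Graph calls above, carried through end to end in PowerShell as an added example (this is not code from the answer or from Microsoft): it resolves the "Microsoft Intune PowerShell" service principal, lists every oauth2PermissionGrant whose clientId is that service principal, rewrites the space-separated scope string so that all *.ReadWrite.All and *.PrivilegedOperations.All entries are dropped and Group.Read.All is added, PATCHes the grant, and reads it back to confirm. Assumptions: $AccessToken is a Graph token for an administrator who already holds DelegatedPermissionGrant.ReadWrite.All or Directory.ReadWrite.All (how it is obtained is out of scope); the helper Get-ReducedScope and the parameter names are mine, and the regular expression that decides which scopes to drop is a choice for this example, not a Graph convention.

```powershell
# Added example, not from the original post. Requires a Microsoft Graph token
# ($AccessToken) for an admin with DelegatedPermissionGrant.ReadWrite.All or
# Directory.ReadWrite.All. Names below (Get-ReducedScope, $ScopesToAdd, ...)
# are this example's own.
param(
    [Parameter(Mandatory)] [string] $AccessToken,
    [string]   $DisplayName = 'Microsoft Intune PowerShell',
    [string[]] $ScopesToAdd = @('Group.Read.All'),
    [switch]   $WhatIf
)

$graph   = 'https://graph.microsoft.com/v1.0'
$headers = @{ Authorization = "Bearer $AccessToken" }

# Build the new scope string: drop every *.ReadWrite.All and
# *.PrivilegedOperations.All entry, keep the rest (openid, *.Read.All, ...),
# then append the scopes we want. The pattern is this example's choice.
function Get-ReducedScope {
    param([string] $Scope, [string[]] $Add)
    $keep = ($Scope -split '\s+') |
        Where-Object { $_ -and $_ -notmatch '\.(ReadWrite|PrivilegedOperations)\.All$' }
    return ((@($keep) + $Add) | Select-Object -Unique) -join ' '
}

# 1) Service principal object id. A grant's clientId is the SP *object* id,
#    not the application (client) id of the app registration.
$spFilter = [uri]::EscapeDataString("displayName eq '$DisplayName'")
$sp = @((Invoke-RestMethod -Uri "$graph/servicePrincipals?`$filter=$spFilter" -Headers $headers).value)
if ($sp.Count -ne 1) { throw "Expected one service principal named '$DisplayName', found $($sp.Count)" }

# 2) All grants issued to that client. consentType 'AllPrincipals' is the
#    tenant-wide admin consent; 'Principal' grants were consented by one user.
$grantFilter = [uri]::EscapeDataString("clientId eq '$($sp[0].id)'")
$grants = @((Invoke-RestMethod -Uri "$graph/oauth2PermissionGrants?`$filter=$grantFilter" -Headers $headers).value)

foreach ($g in $grants) {
    $newScope = Get-ReducedScope -Scope $g.scope -Add $ScopesToAdd
    Write-Host "$($g.id) [$($g.consentType)]`n  old: $($g.scope)`n  new: $newScope"
    if ($WhatIf -or $newScope -eq $g.scope.Trim()) { continue }

    # 3) PATCH replaces the whole scope string, so $newScope must contain every
    #    permission that should remain, not only the delta.
    $body = @{ scope = $newScope } | ConvertTo-Json -Compress
    Invoke-RestMethod -Uri "$graph/oauth2PermissionGrants/$($g.id)" -Method Patch `
        -Headers $headers -ContentType 'application/json' -Body $body | Out-Null

    # Read the grant back and fail loudly if a write scope survived.
    $check = Invoke-RestMethod -Uri "$graph/oauth2PermissionGrants/$($g.id)" -Headers $headers
    if ($check.scope -match '\.ReadWrite\.All') {
        throw "Grant $($g.id) still carries a ReadWrite scope: $($check.scope)"
    }
    Write-Host "  ok:  $($check.scope)"
}
```

Run it once with -WhatIf to see the old/new scope strings for every grant before anything is written; grants of consentType 'Principal' (per-user consents) are listed and rewritten as well, so review them rather than assuming only the tenant-wide grant exists. Because PATCH overwrites the scope string, anything not in $newScope is gone after the call, which is why the read-back check is there.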

Thank you very much. I will try it in a test environment immediately.
And I'm sorry, please let me know if possible:

My production environment prohibits pop-ups from being displayed via GPO.
So the OAuth consent screen is not displayed and Connect-MSGraph cannot be used.

Is it possible to register Microsoft Intune PowerShell with PowerShell or the Azure AD portal in this state?
