Removing Connect-MgGraph Permissions

December 19, 2022
3 min read
Syndicated

If, like me, you connect to Azure Active Directory or Microsoft 365 with the Microsoft Graph PowerShell SDK, you may have noticed that a session ends up with more permissions than you asked for, and wondered why.

The good news is this is a pretty easy thing to figure out. I started writing this post a while ago and then forgot I was writing it. I got reminded I needed to complete this by some questions I got about this very subject, so here it is 🙂

The Background

When you run "Connect-MgGraph" with a list of scopes, the consent framework prompts you to approve them.

$scopes = @("Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All")
Connect-MgGraph -Scopes $scopes

Once you consent, a new Enterprise application (a service principal) called "Microsoft Graph PowerShell" is created in Azure Active Directory.

The scopes you passed are recorded against that application as a delegated permission grant for your account, and the token issued for the session carries them.

Unfortunately, what happens next is quite normal. That consent grant lives in the tenant, not in your PowerShell session, so it survives long after the window is closed; Disconnect-MgGraph only clears the local context and cached token. The next time you connect with a different set of scopes, the new scopes are added to the existing grant rather than replacing it, and the token you receive carries the union. Checking the current context after the connection completes then shows permissions you never asked for in that session.

$scopes = @("User.ReadWrite.All", "Group.ReadWrite.All", "GroupMember.ReadWrite.All")
Connect-MgGraph -Scopes $scopes

Running "Get-MgContext | Select-Object -ExpandProperty Scopes" shows the combined set of permissions.

As you can imagine, this causes problems in both directions: a session that carries far more permissions than the task needs, or, occasionally, one that behaves as though it has too few. If you look directly within Azure Active Directory at the "Microsoft Graph PowerShell" Enterprise application, the "Permissions" section shows the same combined list under the consent granted by users.

The Fix

Resolving this problem is as simple as deleting the Enterprise application (service principal) called "Microsoft Graph PowerShell" from Azure Active Directory. You can do this from PowerShell with the "AzureAD" or "AzureADPreview" module: load the module, sign in, look up the service principal, and remove it by its object ID.

Import-Module AzureADPreview
Connect-AzureAD
# -SearchString is a starts-with match on the display name; confirm a single object comes back before removing it
$sp = Get-AzureADServicePrincipal -SearchString "Microsoft Graph PowerShell"
Remove-AzureADServicePrincipal -ObjectId $sp.ObjectId

You may have to wait a minute or so for it to disappear from the portal completely, but it is deleted: searching Azure Active Directory through the UI or PowerShell confirms the Enterprise application no longer exists. The next time you connect and approve the consent prompt, the application is recreated with only the permissions listed in the Scopes parameter. Bear in mind that the consent grants belong to the service principal, so deleting it clears the consent every user in the tenant has given to Microsoft Graph PowerShell, not just yours; each of them will be prompted again on their next connection, and anything an administrator consented to on behalf of the organization is gone as well.
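If deleting the whole service principal is too blunt, the same tenant-side grant can be inspected and trimmed for just the signed-in user. The script below is an added example written for this page, not code from the original post or from Microsoft. It assumes the Microsoft.Graph SDK is installed, that the account you sign in with holds a role allowed to manage consent grants (Cloud Application Administrator or higher), and that you can consent to Directory.Read.All and DelegatedPermissionGrant.ReadWrite.All, which are needed to read and update oauth2PermissionGrant objects. The AppId constant is the well-known first-party "Microsoft Graph PowerShell" application; the scopes in $keep are placeholders for whatever your task actually needs.

```powershell
# Added example for this page, not the original post's code. Only the signed-in
# user's own grant is touched; other users' consent in the tenant is left alone.

# Well-known AppId of the first-party "Microsoft Graph PowerShell" application
# (check it against the Enterprise application blade in your tenant).
$graphPsAppId = '14d82eec-204b-4c2f-b7e8-296a70dab67e'

# These two scopes land in your grant as well; the trim step below removes them again.
Connect-MgGraph -Scopes 'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'

function Get-MyGraphPowerShellGrant {
    # Returns the oauth2PermissionGrant objects recorded for the signed-in user
    # against the Microsoft Graph PowerShell service principal (one per resource).
    $sp = Get-MgServicePrincipal -Filter "appId eq '$graphPsAppId'"
    $me = Get-MgUser -UserId (Get-MgContext).Account -Property Id
    Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)' and principalId eq '$($me.Id)' and consentType eq 'Principal'"
}

# 1. What the session token carries versus what the tenant has recorded as consent.
"Session token scopes:"
(Get-MgContext).Scopes | Sort-Object | ForEach-Object { "  $_" }
foreach ($grant in Get-MyGraphPowerShellGrant) {
    "Tenant-side consent (grant $($grant.Id)):"
    ($grant.Scope.Trim() -split '\s+') | Sort-Object | ForEach-Object { "  $_" }
}

# 2a. Trim the recorded consent to exactly what you want to keep. Scope is a single
#     space-separated string, so this replaces the whole list (placeholder values).
$keep = @('Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All')
foreach ($grant in Get-MyGraphPowerShellGrant) {
    Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope ($keep -join ' ')
}

# 2b. Or revoke your grant outright; the next Connect-MgGraph then asks for consent from scratch.
# foreach ($grant in Get-MyGraphPowerShellGrant) {
#     Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
# }

# 3. A token already issued keeps its scopes until it expires, so drop the cached
#    token and start a new session to see the effect.
Disconnect-MgGraph
Connect-MgGraph -Scopes $keep
(Get-MgContext).Scopes | Sort-Object
```

Step 1 is worth running on its own before changing anything: if the two lists differ, the difference is exactly the set of permissions the tenant still holds for you that this session did not request, which is the symptom the post describes.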

You only need to do this if you change permissions often. If you find yourself doing it regularly, a better approach is to create an app registration by hand, assign exactly the permissions the task requires, and connect with a certificate rather than accumulating user consent. Also remember that some commands work ONLY with delegated permissions and not app-only permissions, so you may still need an ad-hoc delegated session occasionally.
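The app-registration route above, as an added example that is not part of the original post: it creates a dedicated registration whose only credential is a certificate, grants it a fixed list of application permissions, and connects app-only, so nothing accumulates across sessions. It assumes Windows (for New-SelfSignedCertificate and the user certificate store), the Microsoft.Graph SDK, and an interactive session that can consent to Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All, since creating the app and granting its roles is itself an administrative action. The display name and the permission list are placeholders; the Microsoft Graph resource AppId is the well-known 00000003-0000-0000-c000-000000000000.

```powershell
# Added example for this page, not the original post's code.
$appName        = 'CA-Policy-Reporting'                       # placeholder display name
$graphAppId     = '00000003-0000-0000-c000-000000000000'      # Microsoft Graph resource
$appPermissions = @('Policy.Read.All', 'Application.Read.All') # application roles, placeholders

Connect-MgGraph -Scopes 'Application.ReadWrite.All', 'AppRoleAssignment.ReadWrite.All'
$tenantId = (Get-MgContext).TenantId

# 1. A self-signed cert whose private key stays in the user store and cannot be exported.
$cert = New-SelfSignedCertificate -Subject "CN=$appName" -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable -KeySpec Signature -NotAfter (Get-Date).AddYears(1)

# 2. Resolve permission names to Microsoft Graph app role IDs. A name with no
#    application role is delegated-only and cannot be used app-only at all.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"
$roles = foreach ($name in $appPermissions) {
    $r = $graphSp.AppRoles | Where-Object { $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application' }
    if (-not $r) { throw "$name is not an application permission on Microsoft Graph (delegated-only?)" }
    $r
}

# 3. The app registration: the certificate is its only credential, no client secret.
$app = New-MgApplication -DisplayName $appName -SignInAudience 'AzureADMyOrg' `
    -KeyCredentials @(@{ Type = 'AsymmetricX509Cert'; Usage = 'Verify'; Key = $cert.RawData; DisplayName = "$appName cert" }) `
    -RequiredResourceAccess @(@{ ResourceAppId = $graphAppId; ResourceAccess = @($roles | ForEach-Object { @{ Id = $_.Id; Type = 'Role' } }) })

# 4. Its service principal, with each app role granted (the programmatic equivalent of admin consent).
$sp = New-MgServicePrincipal -AppId $app.AppId
foreach ($r in $roles) {
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -PrincipalId $sp.Id `
        -ResourceId $graphSp.Id -AppRoleId $r.Id | Out-Null
}

# 5. Connect as the app. A freshly created registration can take a minute before
#    the token endpoint accepts the certificate; retry if the first attempt fails.
Disconnect-MgGraph
Connect-MgGraph -ClientId $app.AppId -TenantId $tenantId -CertificateThumbprint $cert.Thumbprint
$ctx = Get-MgContext
if ($ctx.AuthType -ne 'AppOnly') { throw 'Expected an app-only context' }
$ctx.Scopes   # exactly the roles granted in step 4, and nothing accumulated from earlier sessions
```

The check in step 2 is the practical form of the caveat about delegated-only commands: if a permission you need has no application role on the Microsoft Graph service principal, the command behind it needs a delegated session, and this app will never be able to run it.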

Liam Cleary

Liam began his career as a computer trainer. He quickly realized that programming, breaking and hacking were much more fun. Liam spent the next few years working within core infrastructure and security services. He is now the founder and owner of SharePlicity, a consulting company focusing on Microsoft 365 and Azure technology. His role within SharePlicity is to help organizations implement Microsoft 365 and Azure technology to enhance internal and external collaboration, document and records management, automate business processes, and implement security controls and protection. He is a long-time Microsoft MVP and Microsoft Certified Trainer, focusing on architecture, security and crossing the boundary into software development. Over the past few years, his specialty has been security in Microsoft 365, Azure and its surrounding platforms. Liam also creates online training courses for Pluralsight, LinkedIn Learning and Cloud Academy, and he teaches multiple Microsoft certification courses for Opsgility and Microsoft. You can find him at user groups and conferences, teaching classes, offering advice, spending time in the community, teaching his kids how to code, Raspberry Pi programming, hacking the planet, building Lego robots, or coaching soccer. You may also find him running races in the dark, hiking, or mountain biking at breakneck speeds.