Use PowerShell to Revoke Permission from a Certain User to Azure API

English | 简体中文

We can't revoke permissions from a certain user to an Azure API in Azure portal, but we can do this in PowerShell。You need administrator rights on this API。

This is to revoke the user's permission given to the azure API, not to prohibit the user from using the API. The user can still authorize the API again.

Operation

First, Install AzureAD Module in PowerShell:

Install-PackageProvider -Name NuGet -RequiredVersion 2.8.5.201
Install-Module AzureAD

Then connect to Azure. You will need to login to your account:

Connect-AzureAD

Then get the Object ID of the application, the third one on the right.

Get all delegated permissions for the API (replace <Object ID> with you application's Object ID , the < > are not needed for you).

$sp = Get-AzureADServicePrincipal -ObjectId "<Object ID>"
$spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true| Where-Object { $_.clientId -eq $sp.ObjectId }

Display all PrincipalId in the array：

$spOAuth2PermissionsGrants.PrincipalId

The command will display several lines of user ID, one ID per line. Find the user whose permission you want to revoke. You can get an user's ID in "Users" of Azure portal, that is, the Object ID in the figure below.

If the user's ID is displayed at nth line, use this command to revoke his/her/its permission to the API：

Remove-AzureADOAuth2PermissionGrant -ObjectId $spOAuth2PermissionsGrants[n-1].ObjectId

You should replace n-1 with the corresponding value. For example, if the user's ID is displayed at second line, the command should be:

Remove-AzureADOAuth2PermissionGrant -ObjectId $spOAuth2PermissionsGrants[1].ObjectId

You need to subtract 1 because the array starts with 0 .

Now you finish the operation. You may want to check it in Azure portal.

References

Microsoft docs: OAuth2PermissionGrant interface

Microsoft docs: Remove-AzureADOAuth2PermissionGrant