Revoke-AadConsent.ps1
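<#
.SYNOPSIS
Revokes OAuth2 permission grants and app role assignments of a client service principal.

.DESCRIPTION
Looks up the consents recorded for the given client (via Get-AadConsent) and removes
them. Delegated consents are oauth2PermissionGrant objects and are deleted (or, when
only one scope is to be removed and others remain, patched) through the Microsoft
Graph beta endpoint. Application consents are app role assignments and are removed
with Remove-AzureADServiceAppRoleAssignment.

The signed-in account must hold the 'Company Administrator' (Global Administrator)
or 'Application Administrator' directory role. That check is a local pre-check so
the cmdlet fails early; the directory still enforces authorization on every call.

.PARAMETER ClientId
Identifier of the Enterprise App (ServicePrincipal) whose consents are revoked.
Accepts pipeline input; the value is passed through to Get-AadConsent, which
resolves it.

.PARAMETER ResourceId
Identifier of the Resource (ServicePrincipal) the permissions were granted to.
Required when ClaimValue is used.

.PARAMETER ClaimValue
A single permission value to revoke. For delegated grants only that scope is removed
from the grant's scope list; the whole grant is deleted when no scope would remain.
Requires ResourceId.

.PARAMETER UserId
Restrict the revocation to the consent of this user (passed to Get-AadConsent).

.PARAMETER UserConsentOnly
Revoke user consents only (same as -ConsentType User).

.PARAMETER AdminConsentOnly
Revoke admin consents only (same as -ConsentType Admin).

.PARAMETER ApplicationOnly
Revoke admin consent for application permissions only
(same as -ConsentType Admin -PermissionType Application).

.PARAMETER DelegatedOnly
Revoke admin consent for delegated permissions only
(same as -ConsentType Admin -PermissionType Delegated).

.PARAMETER ConsentType
Which consents to revoke: Admin, User or All (default).

.PARAMETER PermissionType
Which permission types to revoke: Delegated, Application or All (default).

.EXAMPLE
Revoke-AadConsent -ClientId 'Your App Name'
Revokes every consent (admin and user, delegated and application) returned for the app.

.EXAMPLE
Revoke-AadConsent -ClientId 'Your App Name' -ResourceId 'Microsoft Graph' -ClaimValue 'User.Read'
Removes only the User.Read scope from the grants on Microsoft Graph; a grant whose
only scope is User.Read is deleted.

.EXAMPLE
Revoke-AadConsent -ClientId 'Your App Name' -UserId john@contoso.com
Revokes the consent recorded for user john@contoso.com.

.NOTES
Revocation takes effect immediately and this cmdlet has no undo. Without ClaimValue,
UserId or a ConsentType/PermissionType filter every consent Get-AadConsent returns
for the client is removed, so check the filters before running.
#>
function Revoke-AadConsent {
    [CmdletBinding(DefaultParameterSetName = "All")]
    param (
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [string]$ClientId,

        [string]$ResourceId,

        [string]$ClaimValue,

        [Parameter(ParameterSetName = 'UserId')]
        [string]$UserId,

        [Parameter(ParameterSetName = 'UserConsentOnly')]
        [switch]$UserConsentOnly,

        [Parameter(ParameterSetName = 'AdminConsentOnly')]
        [switch]$AdminConsentOnly,

        [Parameter(ParameterSetName = 'ApplicationOnly')]
        [switch]$ApplicationOnly,

        [Parameter(ParameterSetName = 'DelegatedOnly')]
        [switch]$DelegatedOnly,

        [ValidateSet('Admin', 'User', 'All')]
        [string]$ConsentType = 'All',

        [ValidateSet('Delegated', 'Application', 'All')]
        [string]$PermissionType = 'All'
    )

    begin {
        # Parameter validations. The two switches live in different parameter
        # sets, so the binder normally rejects the combination already; this
        # check is kept as a belt-and-braces guard.
        if ($ApplicationOnly -and $DelegatedOnly) {
            throw "You can only use one 'ApplicationOnly' or 'DelegatedOnly'"
        }
        if ($ClaimValue -and -not $ResourceId) {
            throw "You must provide a 'ResourceId' when using 'ClaimValue'"
        }

        # Map the convenience switches onto ConsentType / PermissionType so they
        # take effect. Previously they were parsed but never consulted, so e.g.
        # -UserConsentOnly silently revoked admin consent as well.
        if ($UserConsentOnly) { $ConsentType = 'User' }
        if ($AdminConsentOnly) { $ConsentType = 'Admin' }
        if ($ApplicationOnly) { $ConsentType = 'Admin'; $PermissionType = 'Application' }
        if ($DelegatedOnly) { $ConsentType = 'Admin'; $PermissionType = 'Delegated' }

        $TenantDomain = $Global:AadSupport.Session.TenantDomain
        $AccountId = $Global:AadSupport.Session.AccountId

        # --------------------------------------------------
        # Pre-check: only 'Company Administrator' (Global Administrator) or
        # 'Application Administrator' may revoke admin consent. This exists to
        # fail early with a clear message; it is not the authorization boundary,
        # the directory enforces that on each call below.
        $isConsentAdmin = Invoke-AadCommand -Command {
            Param($Params)
            $SignedInUserObjectId = (Get-AzureAdUser -ObjectId $Params).ObjectId
            # Both roles qualify and each has its own ObjectId, so check them one
            # at a time instead of handing an array to -ObjectId.
            $RoleIds = (Get-AzureAdDirectoryRole | Where-Object {
                    $_.DisplayName -eq 'Company Administrator' -or
                    $_.DisplayName -eq 'Application Administrator'
                }).ObjectId
            foreach ($RoleId in @($RoleIds | Where-Object { $_ })) {
                $Members = (Get-AzureAdDirectoryRoleMember -ObjectId $RoleId).ObjectId
                if ($Members -contains $SignedInUserObjectId) {
                    return $true
                }
            }
            return $false
        } -Parameters $AccountId

        if (-not $isConsentAdmin) {
            throw "Your account '$AccountId' is not a 'Company Administrator' or 'Application Administrator' in $TenantDomain. One of these roles is REQUIRED."
        }
    }

    process {
        # Runs once per pipeline item (the parameter is ValueFromPipeline).
        $ConsentedPermissions = Get-AadConsent `
            -ClientId $ClientId `
            -ResourceId $ResourceId `
            -UserId $UserId `
            -ConsentType $ConsentType `
            -PermissionType $PermissionType `
            -ClaimValue $ClaimValue

        foreach ($Permission in @($ConsentedPermissions)) {
            Show-AadSupportStatusBar

            if ($Permission.PermissionType -eq 'Delegated') {
                $GrantUrl = "https://graph.microsoft.com/beta/oauth2PermissionGrants/$($Permission.Id)"

                # Normalise the grant's space-separated scope list; a null or
                # blank ClaimValue on the grant yields an empty list instead of
                # a method call on $null.
                $CurrentScopes = @([string]$Permission.ClaimValue -split '\s+' | Where-Object { $_ })
                if ($ClaimValue) {
                    $RemainingScopes = @($CurrentScopes | Where-Object { $_ -ne $ClaimValue })
                } else {
                    $RemainingScopes = @()
                }

                if ($RemainingScopes.Count -eq 0) {
                    # Nothing left to keep: delete the whole oauth2PermissionGrant
                    # rather than patching it to an empty scope.
                    Invoke-AadProtectedApi `
                        -Client $Global:AadSupport.Clients.AzureAdPowershell.ClientId `
                        -Resource $Global:AadSupport.Resources.MsGraph `
                        -Endpoint $GrantUrl -Method DELETE
                } else {
                    # Keep the grant and drop only the requested scope.
                    $JsonBody = @{ scope = ($RemainingScopes -join ' ') } | ConvertTo-Json -Compress
                    Invoke-AadProtectedApi `
                        -Client $Global:AadSupport.Clients.AzureAdPowershell.ClientId `
                        -Resource $Global:AadSupport.Resources.MsGraph `
                        -Endpoint $GrantUrl -Method PATCH `
                        -Body $JsonBody
                }
            } elseif ($Permission.PermissionType -eq 'Application') {
                # Application permissions are app role assignments on the client
                # service principal and are removed whole.
                # NOTE(review): ClaimValue is not re-checked here; the filter is
                # assumed to be applied by Get-AadConsent — confirm.
                Invoke-AadCommand -Command {
                    Param($Params)
                    Remove-AzureADServiceAppRoleAssignment `
                        -ObjectId $Params.ObjectId `
                        -AppRoleAssignmentId $Params.AppRoleAssignmentId
                } -Parameters @{
                    ObjectId            = $Permission.ClientId
                    AppRoleAssignmentId = $Permission.Id
                }
            }
        }
    }
}

<#
.SYNOPSIS
Manual exercise of Revoke-AadConsent against a live tenant.

.DESCRIPTION
Not an automated test: it signs in, creates two user consents for the
'AadSupport UnitTest' app and then runs each Revoke-AadConsent parameter
combination against them. It mutates the tenant it connects to.
#>
function Test-RevokeAadConsent {
    # Reload the module so the current code is exercised; the removal is
    # allowed to fail when the module is not loaded yet.
    Remove-Module AadSupportPreview -ErrorAction SilentlyContinue
    Import-Module AadSupportPreview
    Connect-AadSupport

    $App      = 'AadSupport UnitTest'
    $Resource = 'Microsoft Graph'
    $User1    = 'testuser@williamfiddes.onmicrosoft.com'
    $User2    = 'testuser2@williamfiddes.onmicrosoft.com'

    # Arrange: two user consents to revoke.
    Set-AadConsent -ClientId $App -ResourceId $Resource -Scopes 'User.read' -UserId $User1
    Set-AadConsent -ClientId $App -ResourceId $Resource -Scopes 'User.read' -UserId $User2

    # Act: every filter combination, without and with ResourceId.
    Revoke-AadConsent -ClientId $App
    Revoke-AadConsent -ClientId $App -ConsentType User
    Revoke-AadConsent -ClientId $App -UserId $User1
    Revoke-AadConsent -ClientId $App -ConsentType Admin
    Revoke-AadConsent -ClientId $App -PermissionType Delegated
    Revoke-AadConsent -ClientId $App -PermissionType Application
    Revoke-AadConsent -ClientId $App -ResourceId $Resource
    Revoke-AadConsent -ClientId $App -ResourceId $Resource -UserConsentOnly
    Revoke-AadConsent -ClientId $App -ResourceId $Resource -UserId $User1
    Revoke-AadConsent -ClientId $App -ResourceId $Resource -AdminConsentOnly
    Revoke-AadConsent -ClientId $App -ResourceId $Resource -DelegatedOnly
    Revoke-AadConsent -ClientId $App -ResourceId $Resource -ApplicationOnly
}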