Revoke-AadConsent.ps1

<#
.SYNOPSIS
Revoke consent (OAuth2PermissionGrants and application role assignments) previously granted to an Enterprise App (ServicePrincipal).
 
.DESCRIPTION
Removes admin or user consent for an Enterprise App. Delegated permissions are revoked by deleting (or, with -ClaimValue, trimming) the OAuth2PermissionGrant through Microsoft Graph; application permissions are revoked by removing the app role assignment. The grants to act on are discovered with Get-AadConsent using the same filters. This is a destructive operation and requires the signed-in account to hold the Company Administrator or Application Administrator role.
 
.PARAMETER ClientId
Identifier for the Enterprise App (ServicePrincipal) whose consent is revoked. Accepts pipeline input.
 
.PARAMETER ResourceId
Identifier for the Resource (ServicePrincipal) the permissions were granted against. Required when -ClaimValue is used.
 
.PARAMETER ClaimValue
A single permission (delegated scope or application role value) to revoke. For a delegated grant that holds several scopes only this scope is removed and the grant itself is kept; a grant whose only scope matches is deleted.
 
.PARAMETER UserId
Limit the revocation to the consent granted by (or on behalf of) this user.
 
.PARAMETER UserConsentOnly
Shorthand for -ConsentType User: only user consent is revoked.
 
.PARAMETER AdminConsentOnly
Shorthand for -ConsentType Admin: only admin consent is revoked.
 
.PARAMETER ApplicationOnly
Shorthand for -ConsentType Admin -PermissionType Application: only application permissions (app role assignments) are revoked.
 
.PARAMETER DelegatedOnly
Shorthand for -ConsentType Admin -PermissionType Delegated: only admin-consented delegated permissions are revoked.
 
.PARAMETER ConsentType
Which kind of consent to revoke: 'Admin', 'User' or 'All' (default).
 
.PARAMETER PermissionType
Which kind of permission to revoke: 'Delegated', 'Application' or 'All' (default).
 
.EXAMPLE
Revoke-AadConsent -ClientId 'Your App Name'
 
Revokes every consent (admin and user, delegated and application) granted to the app.
 
.EXAMPLE
Revoke-AadConsent -ClientId 'Your App Name' -UserId john@contoso.com
 
Revokes the consent user john@contoso.com granted to the app.
 
.EXAMPLE
Revoke-AadConsent -ClientId 'Your App Name' -ResourceId 'Microsoft Graph' -ClaimValue 'Directory.Read.All'
 
Removes only the Directory.Read.All scope from the app's Microsoft Graph grants; other scopes in the same grant are kept.
 
.NOTES
The signed-in account must hold the Company Administrator or Application Administrator role; the check here is client-side only and AAD enforces authorization on every call. A call with no -ResourceId, -ClaimValue or -UserId removes every grant Get-AadConsent returns for the app, so run Get-AadConsent with the same filters first to preview what will be revoked. Revoked consent can only be restored by consenting again (e.g. Set-AadConsent).
#>


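function Revoke-AadConsent {
    # Revokes consent granted to an Enterprise App (ServicePrincipal).
    #   - Delegated grants are deleted, or trimmed to drop a single scope when
    #     -ClaimValue is given, via the Microsoft Graph oauth2PermissionGrants endpoint.
    #   - Application permissions are removed with Remove-AzureADServiceAppRoleAssignment.
    # The grants to act on come from Get-AadConsent (defined elsewhere in this module).
    #
    # Every action here is destructive, so -WhatIf / -Confirm are supported. The
    # default ConfirmImpact (Medium) means existing non-interactive callers are not
    # prompted unless they lower $ConfirmPreference.
    #
    # Throws when the switches conflict, when -ClaimValue is used without -ResourceId,
    # or when the signed-in account is not a Company/Application Administrator.
    [CmdletBinding(DefaultParameterSetName = "All", SupportsShouldProcess = $true)]
    param (
        # Enterprise App (ServicePrincipal) whose consent is revoked. Pipeline input is
        # handled in the process block, so several ClientIds can be piped in.
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [string]$ClientId,

        # Resource (ServicePrincipal) the permissions were granted against. Required with -ClaimValue.
        [string]$ResourceId,

        # A single permission (scope / app role value) to revoke instead of the whole grant.
        [string]$ClaimValue,

        # Limit the revocation to the consent of one user.
        [Parameter(ParameterSetName = 'UserId')]
        [string]$UserId,

        # Convenience switches; each is mapped onto -ConsentType / -PermissionType in begin{}.
        [Parameter(ParameterSetName = 'UserConsentOnly')]
        [switch]$UserConsentOnly,

        [Parameter(ParameterSetName = 'AdminConsentOnly')]
        [switch]$AdminConsentOnly,

        [Parameter(ParameterSetName = 'ApplicationOnly')]
        [switch]$ApplicationOnly,

        [Parameter(ParameterSetName = 'DelegatedOnly')]
        [switch]$DelegatedOnly,

        [ValidateSet('Admin', 'User', 'All')]
        $ConsentType = 'All',

        [ValidateSet('Delegated', 'Application', 'All')]
        $PermissionType = 'All'
    )

    begin {
        # Parameter validations. The parameter sets already make the first case
        # impossible; it is kept as a defensive check.
        if ($ApplicationOnly -and $DelegatedOnly) {
            throw "You can only use one of 'ApplicationOnly' or 'DelegatedOnly'"
        }

        if ($ClaimValue -and -not $ResourceId) {
            throw "You must provide a 'ResourceId' when using 'ClaimValue'"
        }

        # Map the convenience switches onto the real filters. Previously these switches
        # were accepted but never acted on (their handling was commented out), so e.g.
        # '-UserConsentOnly' silently revoked ALL consent for the app.
        if ($UserConsentOnly) {
            $ConsentType = 'User'
        }
        elseif ($AdminConsentOnly) {
            $ConsentType = 'Admin'
        }
        elseif ($ApplicationOnly) {
            $ConsentType = 'Admin'
            $PermissionType = 'Application'
        }
        elseif ($DelegatedOnly) {
            $ConsentType = 'Admin'
            $PermissionType = 'Delegated'
        }

        $AccountId    = $Global:AadSupport.Session.AccountId
        $TenantDomain = $Global:AadSupport.Session.TenantDomain

        # --------------------------------------------------
        # Client-side gate only: AAD enforces authorization on every call below anyway.
        # Get-AzureAdDirectoryRole returns only *activated* roles, and the display-name
        # filter can match more than one role, so check membership role by role instead
        # of passing an array of ObjectIds to Get-AzureAdDirectoryRoleMember (which fails).
        # 'Company Administrator' is the legacy display name of Global Administrator.
        $isAdmin = Invoke-AadCommand -Command {
            Param($Params)
            $SignedInUserObjectId = (Get-AzureAdUser -ObjectId $Params.AccountId).ObjectId
            $AdminRoles = Get-AzureAdDirectoryRole | Where-Object {
                $_.DisplayName -eq 'Company Administrator' -or
                $_.DisplayName -eq 'Global Administrator' -or
                $_.DisplayName -eq 'Application Administrator'
            }
            foreach ($Role in $AdminRoles) {
                $MemberIds = (Get-AzureAdDirectoryRoleMember -ObjectId $Role.ObjectId).ObjectId
                if ($MemberIds -contains $SignedInUserObjectId) {
                    return $true
                }
            }
            return $false
        } -Parameters @{ AccountId = $AccountId }

        if (-not $isAdmin) {
            # $AccountId replaces the never-assigned $authUserId the message used to print.
            Write-Warning "Your account '$AccountId' is not a Global Admin or Application Admin in $TenantDomain."
            throw "Exception: 'Company Administrator' or 'Application Administrator' role REQUIRED"
        }
    }

    process {
        # One Get-AadConsent call per ClientId (pipeline items are handled here one at a time).
        $ConsentedPermissions = Get-AadConsent `
            -ClientId $ClientId `
            -ResourceId $ResourceId `
            -UserId $UserId `
            -ConsentType $ConsentType `
            -PermissionType $PermissionType `
            -ClaimValue $ClaimValue

        foreach ($Permission in $ConsentedPermissions) {
            Show-AadSupportStatusBar
            # NOTE(review): oauth2PermissionGrants is also available on v1.0; moving off
            # /beta is left to the maintainer since Invoke-AadProtectedApi's token/resource
            # handling is not visible here.
            $MsGraphUrl = "https://graph.microsoft.com/beta/oauth2PermissionGrants/$($Permission.Id)"
            $Target = "OAuth2PermissionGrant $($Permission.Id) (client '$ClientId')"

            if ($Permission.PermissionType -eq "Delegated") {
                # Partial revoke: a single claim was requested and the grant holds other scopes too.
                $RemainingScopes = @()
                if ($ClaimValue -and $Permission.ClaimValue -ne $ClaimValue) {
                    # Split on any whitespace and drop empties so the PATCHed scope never
                    # contains doubled spaces or a stray empty entry.
                    $RemainingScopes = @($Permission.ClaimValue -split '\s+' |
                        Where-Object { $_ -and $_ -ne $ClaimValue })
                }

                if ($RemainingScopes.Count -eq 0) {
                    # Whole-grant revoke, or the claim was the grant's only scope: delete the
                    # OAuth2PermissionGrant rather than leaving an empty-scope grant behind.
                    if ($PSCmdlet.ShouldProcess($Target, "Delete")) {
                        Invoke-AadProtectedApi `
                            -Client $Global:AadSupport.Clients.AzureAdPowershell.ClientId `
                            -Resource $Global:AadSupport.Resources.MsGraph `
                            -Endpoint $MsGraphUrl -Method DELETE
                    }
                }
                else {
                    # Keep the grant, minus the requested claim.
                    $JsonBody = @{
                        scope = ($RemainingScopes -join " ")
                    } | ConvertTo-Json -Compress

                    if ($PSCmdlet.ShouldProcess($Target, "Remove scope '$ClaimValue'")) {
                        Invoke-AadProtectedApi `
                            -Client $Global:AadSupport.Clients.AzureAdPowershell.ClientId `
                            -Resource $Global:AadSupport.Resources.MsGraph `
                            -Endpoint $MsGraphUrl -Method PATCH `
                            -Body $JsonBody
                    }
                }
            }

            if ($Permission.PermissionType -eq "Application") {
                # NOTE(review): no per-claim check here; this relies on Get-AadConsent's
                # -ClaimValue filter also applying to app role assignments — confirm.
                $AppRoleTarget = "AppRoleAssignment $($Permission.Id) (client '$ClientId')"
                if ($PSCmdlet.ShouldProcess($AppRoleTarget, "Remove")) {
                    Invoke-AadCommand -Command {
                        Param($Params)
                        Remove-AzureADServiceAppRoleAssignment -ObjectId $Params.ObjectId -AppRoleAssignmentId $Params.AppRoleAssignmentId
                    } -Parameters @{
                        ObjectId            = $Permission.ClientId
                        AppRoleAssignmentId = $Permission.Id
                    }
                }
            }
        }
    }
}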


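function Test-RevokeAadConsent {
    # Manual (non-Pester) exercise of Revoke-AadConsent against a LIVE tenant.
    # Grants test-user consent to the app under test, then revokes it through each
    # supported parameter combination. Destructive: run only in a throw-away tenant
    # with an account holding the Company/Application Administrator role.
    #
    # The tenant and app name used to be hard-coded; they are parameters now so the
    # harness can be pointed at another test tenant without editing the file.
    param (
        # Tenant whose test users receive (and lose) the consent.
        [string]$TenantDomain = 'williamfiddes.onmicrosoft.com',

        # Display name of the Enterprise App under test.
        [string]$ClientId = 'AadSupport UnitTest'
    )

    # Remove-Module errors when the module is not loaded yet (first run in a session).
    Remove-Module AadSupportPreview -ErrorAction SilentlyContinue
    Import-Module AadSupportPreview
    Connect-AadSupport

    $TestUsers = @("testuser@$TenantDomain", "testuser2@$TenantDomain")

    # Re-grant before every revoke so each scenario starts from the same state.
    # Previously the first unfiltered revoke emptied the app and every later call
    # had nothing left to act on, so those scenarios were never really exercised.
    function Grant-TestConsent {
        foreach ($User in $TestUsers) {
            Set-AadConsent -ClientId $ClientId -ResourceId 'Microsoft Graph' -Scopes 'User.read' -UserId $User
        }
    }

    # Only user consent is granted above, so the admin/application scenarios verify
    # that nothing breaks when there is nothing to revoke rather than an actual removal.
    $Scenarios = @(
        @{},
        @{ ConsentType = 'User' },
        @{ UserId = $TestUsers[0] },
        @{ ConsentType = 'Admin' },
        @{ PermissionType = 'Delegated' },
        @{ PermissionType = 'Application' },
        @{ ResourceId = 'Microsoft Graph' },
        @{ ResourceId = 'Microsoft Graph'; UserConsentOnly = $true },
        @{ ResourceId = 'Microsoft Graph'; UserId = $TestUsers[0] },
        @{ ResourceId = 'Microsoft Graph'; AdminConsentOnly = $true },
        @{ ResourceId = 'Microsoft Graph'; DelegatedOnly = $true },
        @{ ResourceId = 'Microsoft Graph'; ApplicationOnly = $true }
    )

    foreach ($Splat in $Scenarios) {
        Grant-TestConsent
        Revoke-AadConsent -ClientId $ClientId @Splat
    }
}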