Public/Remove-GkConsentGrant.ps1

function Remove-GkConsentGrant {
    <#
    .SYNOPSIS
        Revoke a delegated OAuth2 permission grant (consent).

    .DESCRIPTION
        Issues DELETE /oauth2PermissionGrants/{id} for each supplied grant id, which revokes the delegated
        permission consent behind it — typically an over-privileged tenant-wide (AllPrincipals) grant that
        Get-GkServicePrincipalReport -IncludeConsentGrants reported.

        This is a state-changing operation: -WhatIf and -Confirm are honoured and a confirmation prompt is
        shown by default (ConfirmImpact = High). Grant ids may arrive on the pipeline, either as strings or
        as objects carrying an Id property. Every grant that is actually attempted produces one
        PSGraphKit.ConsentGrantRemovalResult object; a failed DELETE is reported as a warning and the
        remaining grants are still processed. The signed-in identity needs
        DelegatedPermissionGrant.ReadWrite.All.

        The cmdlet does not look grants up itself. Obtain ids from GET /oauth2PermissionGrants (for instance
        through Invoke-MgGraphRequest) and pass them in.

    .PARAMETER GrantId
        One or more oauth2PermissionGrant ids to revoke. Accepted from the pipeline, including by the Id
        property of an input object.

    .EXAMPLE
        Remove-GkConsentGrant -GrantId $grantId -WhatIf

        Shows what would be revoked without sending the request.

    .EXAMPLE
        $grants = (Invoke-MgGraphRequest GET 'https://graph.microsoft.com/v1.0/oauth2PermissionGrants' -OutputType PSObject).value |
            Where-Object consentType -eq 'AllPrincipals'
        $grants.id | Remove-GkConsentGrant -Confirm:$false

        Revokes every tenant-wide delegated consent without prompting.

    .EXAMPLE
        Remove-GkConsentGrant -GrantId $id -Confirm:$false | Format-List GrantId, Outcome, Error

        Revokes a single grant and displays the per-grant result.

    .OUTPUTS
        PSGraphKit.ConsentGrantRemovalResult
    #>

    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    [OutputType('PSGraphKit.ConsentGrantRemovalResult')]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('Id')]
        [string[]] $GrantId
    )

    begin {
        # Verify the Graph session once, before any grant is touched.
        $null = Test-GkConnection -FunctionName 'Remove-GkConsentGrant'
    }

    process {
        foreach ($grantIdentifier in $GrantId) {
            # Blank ids (e.g. pipeline objects without an Id) are dropped silently rather than sent to Graph.
            if ([string]::IsNullOrWhiteSpace($grantIdentifier)) { continue }

            # -WhatIf / a declined confirmation skips the request and yields no result object for this grant.
            if ($PSCmdlet.ShouldProcess($grantIdentifier, 'Revoke OAuth2 permission grant')) {
                # Percent-encode the id so it is confined to a single path segment of the request URI.
                $escapedId  = [uri]::EscapeDataString($grantIdentifier)
                $requestUri = '/oauth2PermissionGrants/{0}' -f $escapedId

                # Start from the success shape; the catch block overwrites Outcome/Error on failure.
                $result = [ordered]@{
                    PSTypeName = 'PSGraphKit.ConsentGrantRemovalResult'
                    GrantId    = $grantIdentifier
                    Action     = 'RevokeConsentGrant'
                    Outcome    = 'Revoked'
                    Error      = $null
                }

                try {
                    $null = Invoke-GkGraphRequest -Method DELETE -Uri $requestUri -CallerFunction 'Remove-GkConsentGrant'
                }
                catch {
                    # Best-effort batch semantics: record the failure, warn, and keep going with the next grant.
                    $result.Outcome = 'Failed'
                    $result.Error   = $_.Exception.Message
                    Write-Warning ("Failed to revoke consent grant '{0}': {1}" -f $grantIdentifier, $result.Error)
                }

                [pscustomobject]$result
            }
        }
    }
}