New command 'entra enterpriseapp permission remove' - Remove app-only or delegated permissions from an enterprise application #5779

@martinlingstuyl

We currently have the following commands that cover removing permissions from an enterprise application / service principal:

This issue is for adding the same functionality in a more consistent way, that can in some time replace the oauthgrant and approleassignment commands.

We're also implementing a rename of entra serviceprincipal verb, which is why we're adding this in the correct command group right from the start.

Usage

m365 entra enterpriseapp permission remove [options]

Description

Removes the specified application and/or delegated permissions from a specified Entra enterprise application

Options

| Option | Description |
|---|---|
| `-i, --appId [appId]` | Client ID of the Entra enterprise app to remove the API permissions from. Specify either appId, appName or appObjectId. |
| `--appObjectId [appObjectId]` | Object ID of the Entra enterprise app to remove the API permissions from. Specify either appId, appName or appObjectId. |
| `-n, --appName [appName]` | Display name of the Entra enterprise app to remove the API permissions for. Specify either appId, appName or appObjectId. |
| `-a, --applicationPermissions [applicationPermissions]` | Space-separated list of application permissions to remove. Specify at least applicationPermissions or delegatedPermissions. |
| `-d, --delegatedPermissions [delegatedPermissions]` | Space-separated list of delegated permissions to remove. Specify at least applicationPermissions or delegatedPermissions. |

Remarks

Scopes/Roles to grant must be fully-qualified so that we can disambiguate them between the different resources.

Examples

Remove multiple delegated API permissions from an AAD app registration

m365 entra enterpriseapp permission remove --appId 'f1417aa3-bf0b-4cc5-a845-a0b2cf11f690' --delegatedPermissions 'https://management.azure.com/user_impersonation https://service.flow.microsoft.com/Flows.Read.All https://graph.microsoft.com/Agreement.Read.All'

Remove multiple app-only permissions from an AAD app registration and revoke admin consent

m365 entra enterpriseapp permission remove --appId 'f1417aa3-bf0b-4cc5-a845-a0b2cf11f690' --applicationPermissions 'https://graph.microsoft.com/Sites.FullControl.All https://microsoft.sharepoint-df.com/Sites.FullControl.All' --revokeAdminConsent

Additional information

If multiple apps with the same name exist, the CLI should show a disambiguation prompt to let the user choose.
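
The fully-qualified format required in the Remarks, shown as an added example (not part of the original issue and not CLI for Microsoft 365 source code). The helper name `groupPermissionsByResource` is hypothetical, and the code assumes that the text after the last `/` is the permission name and everything before it identifies the resource, as in the examples above.

```typescript
// Added example: hypothetical helper, not taken from the CLI for Microsoft 365 code base.
interface PermissionsByResource {
  [resource: string]: string[];
}

// Splits a space-separated option value (the format used by
// --applicationPermissions and --delegatedPermissions) into permission
// names grouped by the resource that defines them.
function groupPermissionsByResource(optionValue: string): PermissionsByResource {
  const grouped: PermissionsByResource = {};
  const entries = optionValue.split(/\s+/).filter(e => e.length > 0);

  for (let i = 0; i < entries.length; i++) {
    const entry = entries[i];
    // Assumption: the last '/' separates the resource from the permission name.
    const separator = entry.lastIndexOf('/');
    const resource = entry.substring(0, separator);
    const permission = entry.substring(separator + 1);

    // A bare name such as 'Sites.FullControl.All' can exist on more than one
    // resource, so it is rejected instead of guessing which one was meant.
    if (!/^[a-z][a-z0-9+.-]*:\/\/\S+$/i.test(resource) || permission.length === 0) {
      throw new Error(`'${entry}' is not fully qualified. Use <resource>/<permission>.`);
    }

    if (!grouped[resource]) {
      grouped[resource] = [];
    }
    // Ignore duplicates so each permission is removed only once per resource.
    if (grouped[resource].indexOf(permission) === -1) {
      grouped[resource].push(permission);
    }
  }

  return grouped;
}
```

Grouping by resource first means each resource has to be looked up only once before its permissions are matched and removed.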
