Update-EntraOauth2PermissionGrant
Update the properties of a delegated permission grant (oAuth2PermissionGrant object).
Syntax

```powershell
Update-EntraOauth2PermissionGrant
 -OAuth2PermissionGrantId <String>
 [-Scope <String>]
 [<CommonParameters>]
```
Description
The Update-EntraOauth2PermissionGrant cmdlet updates the properties of a delegated permission grant (oAuth2PermissionGrant object) by adding or removing items in its scopes list.
The -Scope value replaces the grant's existing scope list. To add new scopes, include both the existing and the new scopes in the -Scope parameter; otherwise, the existing scopes are overwritten.
In delegated scenarios with work or school accounts, the signed-in user needs a supported Microsoft Entra role or a custom role with the required permissions. The least privileged roles that support this operation are:
- Application Administrator
- Application Developer
- Cloud Application Administrator
- Directory Writers
- Privileged Role Administrator
- User Administrator
Examples
Example 1: Update delegated permission grant scope
```powershell
Connect-Entra -Scopes 'DelegatedPermissionGrant.ReadWrite.All'
$clientServicePrincipal = Get-EntraServicePrincipal -Filter "displayName eq 'My application'"
$permissionGrant = Get-EntraOauth2PermissionGrant | Where-Object {$_.ClientId -eq $clientServicePrincipal.Id -and $_.Scope -eq 'Directory.Read.All'}
Update-EntraOauth2PermissionGrant -OAuth2PermissionGrantId $permissionGrant.Id -Scope 'Directory.Read.All User.Read.All'
```

This command updates a delegated permission grant.

- The -OAuth2PermissionGrantId parameter specifies the unique identifier for the oAuth2PermissionGrant.
- The -Scope parameter is a space-separated list of claim values for delegated permissions to include in access tokens for the resource application (API), such as `openid User.Read GroupMember.Read.All`.
Example 2: Clear all scopes in the delegated permission grant
```powershell
Connect-Entra -Scopes 'DelegatedPermissionGrant.ReadWrite.All'
$clientServicePrincipal = Get-EntraServicePrincipal -Filter "displayName eq 'My application'"
$permissionGrant = Get-EntraOauth2PermissionGrant | Where-Object {$_.ClientId -eq $clientServicePrincipal.Id -and $_.Scope -eq 'Directory.Read.All'}
Update-EntraOauth2PermissionGrant -OAuth2PermissionGrantId $permissionGrant.Id -Scope ''
```

This command updates a delegated permission grant.

- The -OAuth2PermissionGrantId parameter specifies the unique identifier for the oAuth2PermissionGrant.
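Because -Scope replaces the whole scope list (see Description), a safe way to grant or revoke one scope is to read the current list, apply the change, validate it, and write the merged list back. The following helper is an added example, not part of the Entra PowerShell module or its docs; it assumes the grant object exposes a ResourceId property and that the resource service principal exposes its published scopes as Oauth2PermissionScopes (Microsoft Graph property names, not confirmed by this page).

```powershell
# Added example (not from the Entra PowerShell docs): add and/or remove individual scopes on an
# existing delegated permission grant while preserving every other scope already granted.
# Assumptions: $grant.ResourceId and $resource.Oauth2PermissionScopes exist (Graph property names).
function Set-EntraGrantScopeDelta {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ClientDisplayName,
        [Parameter(Mandatory)][string]$ResourceDisplayName,
        [string[]]$Add = @(),
        [string[]]$Remove = @()
    )

    $client   = Get-EntraServicePrincipal -Filter "displayName eq '$ClientDisplayName'"
    $resource = Get-EntraServicePrincipal -Filter "displayName eq '$ResourceDisplayName'"
    if (-not $client -or -not $resource) { throw 'Client or resource service principal not found.' }

    # Locate the grant from this client to this resource API (assumes ResourceId is exposed).
    $grant = Get-EntraOauth2PermissionGrant |
        Where-Object { $_.ClientId -eq $client.Id -and $_.ResourceId -eq $resource.Id } |
        Select-Object -First 1
    if (-not $grant) { throw "No delegated permission grant from '$ClientDisplayName' to '$ResourceDisplayName'." }

    # Each scope written must be one the resource API actually publishes (assumes Oauth2PermissionScopes).
    $published = @($resource.Oauth2PermissionScopes | ForEach-Object { $_.Value })
    $unknown   = @($Add | Where-Object { $published -notcontains $_ })
    if ($unknown.Count -gt 0) { throw "Not published by '$ResourceDisplayName': $($unknown -join ', ')" }

    # Scope is one space-separated string: split it, apply the delta, de-duplicate, re-join.
    $current  = @($grant.Scope -split '\s+' | Where-Object { $_ })
    $merged   = @(($current + $Add) | Where-Object { $Remove -notcontains $_ } | Select-Object -Unique)
    $newScope = $merged -join ' '

    # The cmdlet's documented limit for the Scope string.
    if ($newScope.Length -gt 3850) { throw 'Merged scope string exceeds the 3850-character limit.' }
    if ($newScope -eq ($current -join ' ')) {
        Write-Verbose 'Scope list unchanged; no update sent.'
    }
    elseif ($PSCmdlet.ShouldProcess($grant.Id, "Set Scope to '$newScope'")) {
        Update-EntraOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope $newScope
    }

    # Before/after view for change logging or review.
    [pscustomobject]@{ GrantId = $grant.Id; Before = ($current -join ' '); After = $newScope }
}

# Example call: grant User.Read.All without disturbing the scopes already consented.
# Set-EntraGrantScopeDelta -ClientDisplayName 'My application' -ResourceDisplayName 'Microsoft Graph' -Add 'User.Read.All' -WhatIf
```

Run it with -WhatIf first to see the exact Scope string that would be written, and keep the returned before/after object with the change record.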
Parameters
-OAuth2PermissionGrantId
The unique identifier for the oAuth2PermissionGrant.

| Property | Value |
| --- | --- |
| Type: | System.String |
| Aliases: | Id |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | True |
| Accept wildcard characters: | False |
-Scope
A space-separated list of claim values for delegated permissions to include in access tokens for the resource application (API), such as `openid User.Read GroupMember.Read.All`. Each claim must match a value in the API's publishedPermissionScopes property. The total length must not exceed 3850 characters.

| Property | Value |
| --- | --- |
| Type: | System.String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |