Remove-EntraOAuth2PermissionGrant
Removes an OAuth2PermissionGrant.
Syntax
Remove-EntraOAuth2PermissionGrant
-OAuth2PermissionGrantId <String>
[<CommonParameters>]
Description
The Remove-EntraOAuth2PermissionGrant cmdlet removes an OAuth2PermissionGrant object in Microsoft Entra ID.
When a delegated permission grant is deleted, the access it granted is revoked. Existing access tokens will continue to be valid for their lifetime, but new access tokens will not be granted for the delegated permissions identified in the deleted OAuth2PermissionGrant.
In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation:
- Application Developer
- Cloud Application Administrator
- Directory Writers
- User Administrator
- Privileged Role Administrator
Examples
Example 1: Remove an OAuth2 permission grant
# Sign in with the delegated permission needed to delete grants
Connect-Entra -Scopes 'DelegatedPermissionGrant.ReadWrite.All'
# Resolve the resource service principal (the API the grant targets)
$sharePointSP = Get-EntraServicePrincipal | Where-Object { $_.DisplayName -eq 'Microsoft.SharePoint' }
# Find the grant on that resource whose Scope is exactly 'AllSites.Read'
# (Scope is a space-separated string, so a grant listing several scopes will not match this -eq test)
$sharePointOAuth2AllSitesRead = Get-EntraOAuth2PermissionGrant | Where-Object { $_.ResourceId -eq $sharePointSP.Id } | Where-Object { $_.Scope -eq 'AllSites.Read' }
# Delete the grant by its ID
Remove-EntraOAuth2PermissionGrant -OAuth2PermissionGrantId $sharePointOAuth2AllSitesRead.Id
This example finds the Microsoft.SharePoint service principal, locates the delegated permission grant on that resource whose scope is AllSites.Read, and removes that OAuth2PermissionGrant object from Microsoft Entra ID.
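The following is an added example, not code from the Microsoft Entra PowerShell documentation, that builds on the revocation semantics and the example above: it audits every delegated grant on a resource that includes a given scope (splitting the space-separated Scope string rather than comparing it with -eq), attributes each grant to its client application, and removes the grants only when -Revoke is passed, recording a timestamp because tokens already issued remain valid until they expire. The function name Remove-EntraScopeGrantAudited is this example's own; it assumes the -All switch exists on Get-EntraServicePrincipal and Get-EntraOAuth2PermissionGrant.

```powershell
# Added example (not from the Entra PowerShell docs): report, then revoke,
# delegated grants for one scope on one resource service principal.
# Assumes: Connect-Entra has run; -All is a valid switch on the Get-* cmdlets.
function Remove-EntraScopeGrantAudited {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ResourceDisplayName,   # e.g. 'Microsoft.SharePoint'
        [Parameter(Mandatory)] [string] $Scope,                 # e.g. 'AllSites.Read'
        [switch] $Revoke                                        # omit for a report-only run
    )

    # Resolve the resource service principal (the API that exposes the scope).
    $resource = Get-EntraServicePrincipal -All |
        Where-Object { $_.DisplayName -eq $ResourceDisplayName }
    if (-not $resource) {
        throw "Resource service principal '$ResourceDisplayName' not found."
    }

    # Cache client service principal names so each grant can be attributed to an app.
    $clientNames = @{}
    Get-EntraServicePrincipal -All | ForEach-Object { $clientNames[$_.Id] = $_.DisplayName }

    # Scope is a space-separated list such as 'User.Read AllSites.Read', so split it
    # and test membership instead of comparing the whole string with -eq.
    $grants = Get-EntraOAuth2PermissionGrant -All |
        Where-Object { $_.ResourceId -eq $resource.Id } |
        Where-Object { ($_.Scope -split ' ') -contains $Scope }

    foreach ($grant in $grants) {
        $action = if ($Revoke) { 'Removed' } else { 'ReportOnly' }
        $record = [pscustomobject]@{
            GrantId     = $grant.Id
            ClientApp   = $clientNames[$grant.ClientId]
            ConsentType = $grant.ConsentType   # 'AllPrincipals' = admin consent for every user
            PrincipalId = $grant.PrincipalId   # populated only for per-user ('Principal') grants
            Scope       = $grant.Scope         # every scope in the grant, not only $Scope
            Action      = $action
            Timestamp   = (Get-Date).ToUniversalTime().ToString('o')
        }
        if ($Revoke) {
            # Deleting the grant stops new tokens for all scopes it lists;
            # access tokens already issued stay valid until their lifetime ends.
            Remove-EntraOAuth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
        }
        $record
    }
}

# Usage: review the report first, then run again with -Revoke.
# Connect-Entra -Scopes 'DelegatedPermissionGrant.ReadWrite.All'
# Remove-EntraScopeGrantAudited -ResourceDisplayName 'Microsoft.SharePoint' -Scope 'AllSites.Read'
# Remove-EntraScopeGrantAudited -ResourceDisplayName 'Microsoft.SharePoint' -Scope 'AllSites.Read' -Revoke
```

The report-only default matters because a grant that lists several scopes is removed as a whole: the Scope column in the output shows everything the client loses, and the ConsentType column distinguishes a tenant-wide admin consent from a single user's consent, so the records can be kept as evidence of what was revoked and when.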
Parameters
-OAuth2PermissionGrantId
Specifies the ID of an OAuth2PermissionGrant object in Microsoft Entra ID.
Type: System.String
Aliases: ObjectId
Position: Named
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False