Remove-EntraBetaOAuth2PermissionGrant

Remove-EntraBetaOAuth2PermissionGrant

    -OAuth2PermissionGrantId <String>
    [<CommonParameters>]

The Remove-EntraBetaOAuth2PermissionGrant cmdlet removes an OAuth2PermissionGrant object in Microsoft Entra ID.

When a delegated permission grant is deleted, the access it granted is revoked. Existing access tokens will continue to be valid for their lifetime, but new access tokens will not be granted for the delegated permissions identified in the deleted OAuth2PermissionGrant.

In delegated scenarios using work or school accounts, the signed-in user must have a Microsoft Entra role or custom role with the necessary permissions. The following least privileged roles support this operation:

• Application Developer
• Cloud Application Administrator
• Directory Writers
• User Administrator
• Privileged Role Administrator

Connect-Entra -Scopes 'DelegatedPermissionGrant.ReadWrite.All'
$sharePointSP = Get-EntraBetaServicePrincipal | Where-Object { $_.DisplayName -eq 'Microsoft.SharePoint' }
$sharePointOAuth2AllSitesRead = Get-EntraBetaOAuth2PermissionGrant | Where-Object { $_.ResourceId -eq $sharePointSP.Id } | Where-Object { $_.Scope -eq 'AllSites.Read' }
Remove-EntraBetaOAuth2PermissionGrant -OAuth2PermissionGrantId $sharePointOAuth2AllSitesRead.Id

This example shows how to remove an OAuth2PermissionGrant object in Microsoft Entra ID.

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.