Update-EntraOauth2PermissionGrant

Update the properties of a delegated permission grant (oAuth2PermissionGrant object).

Syntax

Default (Default)

Update-EntraOauth2PermissionGrant

    -OAuth2PermissionGrantId <String>
    [-Scope <String>]
    [<CommonParameters>]

Description

The Update-EntraOauth2PermissionGrant cmdlet updates a delegated permission grant (oAuth2PermissionGrant object). The only property this cmdlet changes is the grant's scope list; the client, resource, consent type and principal of an existing grant cannot be changed here.

The -Scope value replaces the grant's entire scope list rather than appending to it. To add scopes, pass the existing scopes together with the new ones; passing only the new scopes silently drops every scope the grant already had. Because a grant with ConsentType AllPrincipals applies to every user of the client application, widening its scope list widens what the application can do on behalf of all of those users, so review the current Scope value before writing a new one.

In delegated scenarios with work or school accounts, the signed-in user needs a supported Microsoft Entra role or a custom role with the required permissions. The least privileged roles that support this operation are:

  • Application Administrator
  • Application Developer
  • Cloud Application Administrator
  • Directory Writers
  • Privileged Role Administrator
  • User Administrator

Examples

Example 1: Update delegated permission grant scope

Connect-Entra -Scopes 'DelegatedPermissionGrant.ReadWrite.All'
$clientServicePrincipal = Get-EntraServicePrincipal -Filter "displayName eq 'My application'"
$permissionGrant = Get-EntraOauth2PermissionGrant | Where-Object {$_.ClientId -eq $clientServicePrincipal.Id -and $_.Scope -eq 'Directory.Read.All'}
Update-EntraOauth2PermissionGrant -OAuth2PermissionGrantId $permissionGrant.Id -Scope 'Directory.Read.All User.Read.All'

This command replaces the grant's scope list with Directory.Read.All User.Read.All. The existing Directory.Read.All is kept only because it is repeated in the new value; passing -Scope 'User.Read.All' alone would have removed it.

  • -OAuth2PermissionGrantId parameter specifies the Unique identifier for the oAuth2PermissionGrant.
  • -Scope parameter is a space-separated list of claim values for delegated permissions to include in access tokens for the resource application (API), such as openid User.Read GroupMember.Read.All.

Example 2: Clear all scopes in the delegated permission grant

Connect-Entra -Scopes 'DelegatedPermissionGrant.ReadWrite.All'
$clientServicePrincipal = Get-EntraServicePrincipal -Filter "displayName eq 'My application'"
$permissionGrant = Get-EntraOauth2PermissionGrant | Where-Object {$_.ClientId -eq $clientServicePrincipal.Id -and $_.Scope -eq 'Directory.Read.All'}
Update-EntraOauth2PermissionGrant -OAuth2PermissionGrantId $permissionGrant.Id -Scope ''

This command sets the grant's scope list to an empty string. The oAuth2PermissionGrant object still exists afterwards but no longer conveys any delegated permission; if the intent is to revoke the delegation completely, delete the grant instead with Remove-EntraOauth2PermissionGrant.

  • -OAuth2PermissionGrantId parameter specifies the Unique identifier for the oAuth2PermissionGrant.
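Because -Scope overwrites the whole list, a practitioner will usually want to read the current scopes, merge in the change, validate the result against what the resource API actually publishes, and only then write it back. The following PowerShell function is an added example and is not part of the Entra PowerShell module or this page; it wraps the cmdlets shown above. It assumes a session opened with Connect-Entra -Scopes 'DelegatedPermissionGrant.ReadWrite.All', that Get-EntraOauth2PermissionGrant -All returns objects exposing Id, ClientId, ResourceId and Scope, and that Get-EntraServicePrincipal -ServicePrincipalId returns the resource's delegated permissions in an Oauth2PermissionScopes collection whose entries carry a Value property (the v1.0 Graph property names). The function name Update-GrantScopeSafely and its -Add/-Remove/-Apply parameters are the example's own.

```powershell
# Added example (not from the Entra PowerShell docs): add or remove delegated scopes on a grant
# without clobbering what is already consented. Assumes Connect-Entra has already been run with
# DelegatedPermissionGrant.ReadWrite.All. Property names below are the v1.0 Graph names.
function Update-GrantScopeSafely {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $OAuth2PermissionGrantId,
        [string[]] $Add    = @(),
        [string[]] $Remove = @(),
        [switch]   $Apply      # without -Apply the function only reports the before/after values
    )

    # Get-EntraOauth2PermissionGrant has no -Id filter, so list and match on Id.
    $grant = Get-EntraOauth2PermissionGrant -All | Where-Object { $_.Id -eq $OAuth2PermissionGrantId }
    if (-not $grant) { throw "Grant $OAuth2PermissionGrantId not found." }

    # The delegated permissions an API publishes live on the *resource* service principal,
    # which the grant references through ResourceId.
    $resource  = Get-EntraServicePrincipal -ServicePrincipalId $grant.ResourceId
    $published = @($resource.Oauth2PermissionScopes | ForEach-Object { $_.Value })

    # Scope is one space-separated string; tokenize it, merge the change, and de-duplicate.
    $current = @($grant.Scope -split '\s+' | Where-Object { $_ })
    $desired = @(($current + $Add) | Where-Object { $_ -notin $Remove } | Select-Object -Unique)

    # Every claim must be one the API publishes, and the joined string must fit the 3850-char limit.
    $unknown = @($desired | Where-Object { $_ -notin $published })
    if ($unknown.Count -gt 0) {
        throw "Not published by '$($resource.DisplayName)': $($unknown -join ', ')"
    }
    $newScope = $desired -join ' '
    if ($newScope.Length -gt 3850) { throw "Scope string would exceed 3850 characters." }

    # Show exactly what would change before touching the directory.
    [pscustomobject]@{
        GrantId = $grant.Id
        Client  = $grant.ClientId
        Before  = $grant.Scope
        After   = $newScope
    }

    if ($Apply) {
        # Same overwrite semantics as the page's examples: the full list is written back.
        Update-EntraOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope $newScope
    }
}

# Usage: preview first, then apply. Keeps Directory.Read.All and adds User.Read.All.
# $grant = Get-EntraOauth2PermissionGrant -All | Where-Object { $_.Scope -eq 'Directory.Read.All' } | Select-Object -First 1
# Update-GrantScopeSafely -OAuth2PermissionGrantId $grant.Id -Add 'User.Read.All'
# Update-GrantScopeSafely -OAuth2PermissionGrantId $grant.Id -Add 'User.Read.All' -Apply
# Trimming back to least privilege works the same way:
# Update-GrantScopeSafely -OAuth2PermissionGrantId $grant.Id -Remove 'Directory.Read.All' -Apply
```

Running the function without -Apply is the review step: it fails fast on a claim the API does not publish (a typo such as User.Read.AII would otherwise be rejected by the service anyway, but checking locally keeps the error next to the change), and it prints the Before and After strings so an unintended drop of an existing scope is visible before anything is written. If -Remove leaves the list empty, the function writes an empty scope exactly as Example 2 does; when the goal is to revoke the delegation entirely, delete the grant with Remove-EntraOauth2PermissionGrant instead.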

Parameters

-OAuth2PermissionGrantId

The Unique identifier for the oAuth2PermissionGrant.

Parameter properties

Type:System.String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Id

Parameter sets

(All)
Position:Named
Mandatory:True
Value from pipeline:True
Value from pipeline by property name:True
Value from remaining arguments:False

-Scope

A space-separated list of claim values for delegated permissions to include in access tokens for the resource application (API), such as openid User.Read GroupMember.Read.All. Each claim must match the value of a delegated permission published by the resource API (the publishedPermissionScopes property in the beta Graph schema; in v1.0, and therefore on the objects returned by Get-EntraServicePrincipal, the same list is exposed as oauth2PermissionScopes). The total length must not exceed 3850 characters. The value replaces the grant's existing scope list; include every scope that should remain.

Parameter properties

Type:System.String
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.