When you grant API permissions to a client app in Microsoft Entra ID, the permission grants are recorded as objects that can be accessed, updated, or deleted like any other data. Using Microsoft Graph to directly create permission grants is a programmatic alternative to interactive consent and can be useful for automation scenarios, bulk management, or other custom operations in your organization.
In this article, you learn how to grant and revoke app roles for an app using Microsoft Graph. App roles, also called application permissions, or direct access permissions, allow an app to call an API with its own identity. Learn more about application permissions.
Caution
Be careful! Permissions granted programmatically are not subject to review or confirmation. They take effect immediately.
Prerequisites
To complete these instructions, you need the following resources and privileges:
A valid Microsoft Entra tenant.
You run the requests in this article in a delegated context. You must complete the following steps:
Sign in to an API client such as Graph Explorer as a user with privileges to create applications in the tenant. The privileges to create permission grants might be limited or controlled in your tenant through admin-configured app consent policies.
In the app you're signed in to, consent to the Application.Read.All and AppRoleAssignment.ReadWrite.All delegated permissions on behalf of the signed-in user. You don't need to consent on behalf of your organization.
Get the object ID of the client service principal to which you grant app roles. In this article, the client service principal is identified by ID b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94. In the Microsoft Entra admin center, expand the Identity menu > expand Applications > select Enterprise applications > App applications to find the client service principal. Select it and on the Overview page, copy the Object ID value.
Caution
Apps that have been granted the AppRoleAssignment.ReadWrite.All permission should only be accessed by appropriate users.
Step 1: Get the appRoles of the resource service principal
Before you can grant app roles, you must first identify the resource service principal that exposes the app roles you want to grant. App roles are defined in the appRoles object of a service principal. In this article, you use the Microsoft Graph service principal in your tenant as the resource service principal.
Request
The following request retrieves the app roles defined by the Microsoft Graph service principal in the tenant.
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=displayName eq 'Microsoft Graph'&$select=id,displayName,appId,appRoles
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals.GetAsync((requestConfiguration) =>
{
requestConfiguration.QueryParameters.Filter = "displayName eq 'Microsoft Graph'";
requestConfiguration.QueryParameters.Select = new string []{ "id","displayName","appId","appRoles" };
});
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphserviceprincipals "github.com/microsoftgraph/msgraph-sdk-go/serviceprincipals"
//other-imports
)
requestFilter := "displayName eq 'Microsoft Graph'"
requestParameters := &graphserviceprincipals.ServicePrincipalsRequestBuilderGetQueryParameters{
Filter: &requestFilter,
Select: [] string {"id","displayName","appId","appRoles"},
}
configuration := &graphserviceprincipals.ServicePrincipalsRequestBuilderGetRequestConfiguration{
QueryParameters: requestParameters,
}
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().Get(context.Background(), configuration)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ServicePrincipalCollectionResponse result = graphClient.servicePrincipals().get(requestConfiguration -> {
requestConfiguration.queryParameters.filter = "displayName eq 'Microsoft Graph'";
requestConfiguration.queryParameters.select = new String []{"id", "displayName", "appId", "appRoles"};
});
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.service_principals.service_principals_request_builder import ServicePrincipalsRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = ServicePrincipalsRequestBuilder.ServicePrincipalsRequestBuilderGetQueryParameters(
filter = "displayName eq 'Microsoft Graph'",
select = ["id","displayName","appId","appRoles"],
)
request_configuration = RequestConfiguration(
query_parameters = query_params,
)
result = await graph_client.service_principals.get(request_configuration = request_configuration)
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals(id,displayName,appId,appRoles)",
"value": [
{
"id": "7ea9e944-71ce-443d-811c-71e8047b557a",
"displayName": "Microsoft Graph",
"appId": "00000003-0000-0000-c000-000000000000",
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"description": "Allows the app to read user profiles without a signed in user.",
"displayName": "Read all users' full profiles",
"id": "df021288-bdef-4463-88db-98f22de89214",
"isEnabled": true,
"origin": "Application",
"value": "User.Read.All"
}
]
}
]
}
Step 2: Grant an app role to a client service principal
In this step, you grant your app an app role that's exposed by Microsoft Graph, resulting in an app role assignment. From Step 1, the object ID of Microsoft Graph is 7ea9e944-71ce-443d-811c-71e8047b557a and the app role User.Read.All is identified by ID df021288-bdef-4463-88db-98f22de89214.
Request
The following request grants your client app (the principal of ID b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94) an app role of ID df021288-bdef-4463-88db-98f22de89214 that's exposed by a resource service principal of ID 7ea9e944-71ce-443d-811c-71e8047b557a.
Note
If you're using the Python SDK, import the following libraries:
from msgraph.generated.models.app_role_assignment import AppRoleAssignment
from msgraph.generated.models.service_principal import ServicePrincipal
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new AppRoleAssignment
{
PrincipalId = Guid.Parse("b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94"),
ResourceId = Guid.Parse("7ea9e944-71ce-443d-811c-71e8047b557a"),
AppRoleId = Guid.Parse("df021288-bdef-4463-88db-98f22de89214"),
};
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].AppRoleAssignedTo.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
"github.com/google/uuid"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewAppRoleAssignment()
principalId := uuid.MustParse("b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94")
requestBody.SetPrincipalId(&principalId)
resourceId := uuid.MustParse("7ea9e944-71ce-443d-811c-71e8047b557a")
requestBody.SetResourceId(&resourceId)
appRoleId := uuid.MustParse("df021288-bdef-4463-88db-98f22de89214")
requestBody.SetAppRoleId(&appRoleId)
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=go
appRoleAssignedTo, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").AppRoleAssignedTo().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AppRoleAssignment appRoleAssignment = new AppRoleAssignment();
appRoleAssignment.setPrincipalId(UUID.fromString("b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94"));
appRoleAssignment.setResourceId(UUID.fromString("7ea9e944-71ce-443d-811c-71e8047b557a"));
appRoleAssignment.setAppRoleId(UUID.fromString("df021288-bdef-4463-88db-98f22de89214"));
AppRoleAssignment result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").appRoleAssignedTo().post(appRoleAssignment);
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\AppRoleAssignment;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new AppRoleAssignment();
$requestBody->setPrincipalId('b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94');
$requestBody->setResourceId('7ea9e944-71ce-443d-811c-71e8047b557a');
$requestBody->setAppRoleId('df021288-bdef-4463-88db-98f22de89214');
$result = $graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->appRoleAssignedTo()->post($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.app_role_assignment import AppRoleAssignment
# To initialize your graph_client, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = AppRoleAssignment(
principal_id = UUID("b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94"),
resource_id = UUID("7ea9e944-71ce-443d-811c-71e8047b557a"),
app_role_id = UUID("df021288-bdef-4463-88db-98f22de89214"),
)
result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').app_role_assigned_to.post(request_body)
GET https://graph.microsoft.com/v1.0/servicePrincipals/7ea9e944-71ce-443d-811c-71e8047b557a/appRoleAssignedTo
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals["{servicePrincipal-id}"].AppRoleAssignedTo.GetAsync();
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
//other-imports
)
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=go
appRoleAssignedTo, err := graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").AppRoleAssignedTo().Get(context.Background(), nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
AppRoleAssignmentCollectionResponse result = graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").appRoleAssignedTo().get();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=python
result = await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').app_role_assigned_to.get()
The response object includes a collection of app role assignments to your resource service principal and includes the app role assignment you created in the preceding request.
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.ServicePrincipals["{servicePrincipal-id}"].AppRoleAssignedTo["{appRoleAssignment-id}"].DeleteAsync();
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
//other-imports
)
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.ServicePrincipals().ByServicePrincipalId("servicePrincipal-id").AppRoleAssignedTo().ByAppRoleAssignmentId("appRoleAssignment-id").Delete(context.Background(), nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
graphClient.servicePrincipals().byServicePrincipalId("{servicePrincipal-id}").appRoleAssignedTo().byAppRoleAssignmentId("{appRoleAssignment-id}").delete();
<?php
use Microsoft\Graph\GraphServiceClient;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$graphServiceClient->servicePrincipals()->byServicePrincipalId('servicePrincipal-id')->appRoleAssignedTo()->byAppRoleAssignmentId('appRoleAssignment-id')->delete()->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=python
await graph_client.service_principals.by_service_principal_id('servicePrincipal-id').app_role_assigned_to.by_app_role_assignment_id('appRoleAssignment-id').delete()
You learned how to manage app role grants for a service principal. This method of granting permissions using Microsoft Graph is an alternative interactive consent and should be used with caution.
In this article, you learn how to grant and revoke delegated permissions for an app using Microsoft Graph. Delegated permissions, also called scopes, or OAuth2 permissions, allow an app to call an API on behalf of a signed-in user. Learn more about delegated permissions.
Caution
Be careful! Permissions granted programmatically are not subject to review or confirmation. They take effect immediately.
Prerequisites
To complete these instructions, you need the following resources and privileges:
A valid Microsoft Entra tenant.
You run the requests in this article as a user. You must complete the following steps:
Sign in to an API client such as Graph Explorer as a user with the Cloud Application Administrator Microsoft Entra role, which is the least privilege role for creating applications and granting consent to delegated permissions in the tenant. The privileges to create permission grants might be limited or controlled in your tenant through admin-configured app consent policies.
In the app you're signed in to, consent to the Application.Read.All, DelegatedPermissionGrant.ReadWrite.All delegated permissions on behalf of the signed-in user. You don't need to consent on behalf of your organization.
Get the object ID of the client service principal to which you grant delegated permissions on behalf of a user. In this article, the client service principal is identified by ID b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94. In the Microsoft Entra admin center, expand the Identity menu > expand Applications > select Enterprise applications > App applications to find the client service principal. Select it and on the Overview page, copy the Object ID value.
Caution
Apps that have been granted the DelegatedPermissionGrant.ReadWrite.All permission should only be accessed by appropriate users.
Step 1: Get the delegated permissions of the resource service principal
Before you can grant delegated permissions, you must first identify the resource service principal that exposes the delegated permissions you want to grant. Delegated permissions are defined in the oauth2PermissionScopes object of a service principal. In this article, you use the Microsoft Graph service principal in your tenant as the resource service principal.
Request
The following request retrieves the delegated permissions defined by the Microsoft Graph service principal in the tenant.
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=displayName eq 'Microsoft Graph'&$select=id,displayName,appId,oauth2PermissionScopes
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.ServicePrincipals.GetAsync((requestConfiguration) =>
{
requestConfiguration.QueryParameters.Filter = "displayName eq 'Microsoft Graph'";
requestConfiguration.QueryParameters.Select = new string []{ "id","displayName","appId","oauth2PermissionScopes" };
});
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphserviceprincipals "github.com/microsoftgraph/msgraph-sdk-go/serviceprincipals"
//other-imports
)
requestFilter := "displayName eq 'Microsoft Graph'"
requestParameters := &graphserviceprincipals.ServicePrincipalsRequestBuilderGetQueryParameters{
Filter: &requestFilter,
Select: [] string {"id","displayName","appId","oauth2PermissionScopes"},
}
configuration := &graphserviceprincipals.ServicePrincipalsRequestBuilderGetRequestConfiguration{
QueryParameters: requestParameters,
}
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=go
servicePrincipals, err := graphClient.ServicePrincipals().Get(context.Background(), configuration)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
ServicePrincipalCollectionResponse result = graphClient.servicePrincipals().get(requestConfiguration -> {
requestConfiguration.queryParameters.filter = "displayName eq 'Microsoft Graph'";
requestConfiguration.queryParameters.select = new String []{"id", "displayName", "appId", "oauth2PermissionScopes"};
});
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.service_principals.service_principals_request_builder import ServicePrincipalsRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = ServicePrincipalsRequestBuilder.ServicePrincipalsRequestBuilderGetQueryParameters(
filter = "displayName eq 'Microsoft Graph'",
select = ["id","displayName","appId","oauth2PermissionScopes"],
)
request_configuration = RequestConfiguration(
query_parameters = query_params,
)
result = await graph_client.service_principals.get(request_configuration = request_configuration)
Note: The response object shown here might be shortened for readability.
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals(id,displayName,appId,oauth2PermissionScopes)",
"value": [
{
"id": "7ea9e944-71ce-443d-811c-71e8047b557a",
"displayName": "Microsoft Graph",
"appId": "00000003-0000-0000-c000-000000000000",
"oauth2PermissionScopes": [
{
"adminConsentDescription": "Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.",
"adminConsentDisplayName": "Read all users' full profiles",
"id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
"isEnabled": true,
"type": "Admin",
"userConsentDescription": "Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on your behalf.",
"userConsentDisplayName": "Read all users' full profiles",
"value": "User.Read.All"
},
{
"adminConsentDescription": "Allows the app to list groups, and to read their properties and all group memberships on behalf of the signed-in user. Also allows the app to read calendar, conversations, files, and other group content for all groups the signed-in user can access. ",
"adminConsentDisplayName": "Read all groups",
"id": "5f8c59db-677d-491f-a6b8-5f174b11ec1d",
"isEnabled": true,
"type": "Admin",
"userConsentDescription": "Allows the app to list groups, and to read their properties and all group memberships on your behalf. Also allows the app to read calendar, conversations, files, and other group content for all groups you can access. ",
"userConsentDisplayName": "Read all groups",
"value": "Group.Read.All"
}
]
}
]
}
Step 2: Grant a delegated permission to the client service principal on behalf of a user
Request
In this step, you grant your app, on behalf of a user, a delegated permission that's exposed by Microsoft Graph, resulting in a delegated permission grant.
From Step 1, the object ID of Microsoft Graph in the tenant is 7ea9e944-71ce-443d-811c-71e8047b557a
The delegated permissions User.Read.All and Group.Read.All are identified by the globally unique IDs a154be20-db9c-4678-8ab7-66f6cc099a59 and 5f8c59db-677d-491f-a6b8-5f174b11ec1d respectively.
The principal is a user identified by ID 3fbd929d-8c56-4462-851e-0eb9a7b3a2a5.
The client service principal is identified by ID b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94. This is the object id of the service principal and not its appId.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new OAuth2PermissionGrant
{
ClientId = "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94",
ConsentType = "Principal",
ResourceId = "7ea9e944-71ce-443d-811c-71e8047b557a",
PrincipalId = "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5",
Scope = "User.Read.All Group.Read.All",
};
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Oauth2PermissionGrants.PostAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewOAuth2PermissionGrant()
clientId := "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94"
requestBody.SetClientId(&clientId)
consentType := "Principal"
requestBody.SetConsentType(&consentType)
resourceId := "7ea9e944-71ce-443d-811c-71e8047b557a"
requestBody.SetResourceId(&resourceId)
principalId := "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5"
requestBody.SetPrincipalId(&principalId)
scope := "User.Read.All Group.Read.All"
requestBody.SetScope(&scope)
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=go
oauth2PermissionGrants, err := graphClient.Oauth2PermissionGrants().Post(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
OAuth2PermissionGrant oAuth2PermissionGrant = new OAuth2PermissionGrant();
oAuth2PermissionGrant.setClientId("b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94");
oAuth2PermissionGrant.setConsentType("Principal");
oAuth2PermissionGrant.setResourceId("7ea9e944-71ce-443d-811c-71e8047b557a");
oAuth2PermissionGrant.setPrincipalId("3fbd929d-8c56-4462-851e-0eb9a7b3a2a5");
oAuth2PermissionGrant.setScope("User.Read.All Group.Read.All");
OAuth2PermissionGrant result = graphClient.oauth2PermissionGrants().post(oAuth2PermissionGrant);
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.o_auth2_permission_grant import OAuth2PermissionGrant
# To initialize your graph_client, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = OAuth2PermissionGrant(
client_id = "b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94",
consent_type = "Principal",
resource_id = "7ea9e944-71ce-443d-811c-71e8047b557a",
principal_id = "3fbd929d-8c56-4462-851e-0eb9a7b3a2a5",
scope = "User.Read.All Group.Read.All",
)
result = await graph_client.oauth2_permission_grants.post(request_body)
While the preceding request grants consent on behalf of a single user, you can choose to grant consent on behalf of all users in the tenant. The request body is similar to the previous request body except with the following changes:
The consentType is AllPrincipals, indicating that you're consenting on behalf of all users in the tenant.
The principalId property isn't supplied or can be null.
An example request body for granting consent on behalf all users is as follows:
GET https://graph.microsoft.com/v1.0/oauth2PermissionGrants?$filter=clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' and principalId eq '3fbd929d-8c56-4462-851e-0eb9a7b3a2a5' and consentType eq 'Principal'
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Oauth2PermissionGrants.GetAsync((requestConfiguration) =>
{
requestConfiguration.QueryParameters.Filter = "clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' and principalId eq '3fbd929d-8c56-4462-851e-0eb9a7b3a2a5' and consentType eq 'Principal'";
});
mgc oauth2-permission-grants list --filter "clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' and principalId eq '3fbd929d-8c56-4462-851e-0eb9a7b3a2a5' and consentType eq 'Principal'"
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphoauth2permissiongrants "github.com/microsoftgraph/msgraph-sdk-go/oauth2permissiongrants"
//other-imports
)
requestFilter := "clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' and principalId eq '3fbd929d-8c56-4462-851e-0eb9a7b3a2a5' and consentType eq 'Principal'"
requestParameters := &graphoauth2permissiongrants.Oauth2PermissionGrantsRequestBuilderGetQueryParameters{
Filter: &requestFilter,
}
configuration := &graphoauth2permissiongrants.Oauth2PermissionGrantsRequestBuilderGetRequestConfiguration{
QueryParameters: requestParameters,
}
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=go
oauth2PermissionGrants, err := graphClient.Oauth2PermissionGrants().Get(context.Background(), configuration)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
OAuth2PermissionGrantCollectionResponse result = graphClient.oauth2PermissionGrants().get(requestConfiguration -> {
requestConfiguration.queryParameters.filter = "clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' and principalId eq '3fbd929d-8c56-4462-851e-0eb9a7b3a2a5' and consentType eq 'Principal'";
});
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.oauth2_permission_grants.oauth2_permission_grants_request_builder import Oauth2PermissionGrantsRequestBuilder
from kiota_abstractions.base_request_configuration import RequestConfiguration
# To initialize your graph_client, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=python
query_params = Oauth2PermissionGrantsRequestBuilder.Oauth2PermissionGrantsRequestBuilderGetQueryParameters(
filter = "clientId eq 'b0d9b9e3-0ecf-4bfd-8dab-9273dd055a94' and principalId eq '3fbd929d-8c56-4462-851e-0eb9a7b3a2a5' and consentType eq 'Principal'",
)
request_configuration = RequestConfiguration(
query_parameters = query_params,
)
result = await graph_client.oauth2_permission_grants.get(request_configuration = request_configuration)
Step 3: Revoke delegated permissions granted to a service principal on behalf of a user [Optional]
If a service principal has been granted multiple delegated permission grants on behalf of a user, you can choose to revoke either specific grants or all grants. Use this method to remove and revoke consent for the delegated permissions that you assigned to the client service principal.
To revoke one or some grants, run a PATCH request on the oauth2PermissionGrant object and specify only the delegated permissions to retain in the scope parameter.
To revoke all grants, run a DELETE request on the oauth2PermissionGrant object.
Request
The following request revokes all permission grants and retains only the User.Read.All permission grant. The permissions are removed and the consent that was previously granted is revoked.
// Code snippets are only available for the latest version. Current version is 5.x
// Dependencies
using Microsoft.Graph.Models;
var requestBody = new OAuth2PermissionGrant
{
Scope = "User.Read.All",
};
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
var result = await graphClient.Oauth2PermissionGrants["{oAuth2PermissionGrant-id}"].PatchAsync(requestBody);
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
graphmodels "github.com/microsoftgraph/msgraph-sdk-go/models"
//other-imports
)
requestBody := graphmodels.NewOAuth2PermissionGrant()
scope := "User.Read.All"
requestBody.SetScope(&scope)
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=go
oauth2PermissionGrants, err := graphClient.Oauth2PermissionGrants().ByOAuth2PermissionGrantId("oAuth2PermissionGrant-id").Patch(context.Background(), requestBody, nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
OAuth2PermissionGrant oAuth2PermissionGrant = new OAuth2PermissionGrant();
oAuth2PermissionGrant.setScope("User.Read.All");
OAuth2PermissionGrant result = graphClient.oauth2PermissionGrants().byOAuth2PermissionGrantId("{oAuth2PermissionGrant-id}").patch(oAuth2PermissionGrant);
<?php
use Microsoft\Graph\GraphServiceClient;
use Microsoft\Graph\Generated\Models\OAuth2PermissionGrant;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$requestBody = new OAuth2PermissionGrant();
$requestBody->setScope('User.Read.All');
$result = $graphServiceClient->oauth2PermissionGrants()->byOAuth2PermissionGrantId('oAuth2PermissionGrant-id')->patch($requestBody)->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
from msgraph.generated.models.o_auth2_permission_grant import OAuth2PermissionGrant
# To initialize your graph_client, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=python
request_body = OAuth2PermissionGrant(
scope = "User.Read.All",
)
result = await graph_client.oauth2_permission_grants.by_o_auth2_permission_grant_id('oAuth2PermissionGrant-id').patch(request_body)
// Code snippets are only available for the latest version. Current version is 5.x
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=csharp
await graphClient.Oauth2PermissionGrants["{oAuth2PermissionGrant-id}"].DeleteAsync();
// Code snippets are only available for the latest major version. Current major version is $v1.*
// Dependencies
import (
"context"
msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
//other-imports
)
// To initialize your graphClient, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=go
graphClient.Oauth2PermissionGrants().ByOAuth2PermissionGrantId("oAuth2PermissionGrant-id").Delete(context.Background(), nil)
// Code snippets are only available for the latest version. Current version is 6.x
GraphServiceClient graphClient = new GraphServiceClient(requestAdapter);
graphClient.oauth2PermissionGrants().byOAuth2PermissionGrantId("{oAuth2PermissionGrant-id}").delete();
<?php
use Microsoft\Graph\GraphServiceClient;
$graphServiceClient = new GraphServiceClient($tokenRequestContext, $scopes);
$graphServiceClient->oauth2PermissionGrants()->byOAuth2PermissionGrantId('oAuth2PermissionGrant-id')->delete()->wait();
# Code snippets are only available for the latest version. Current version is 1.x
from msgraph import GraphServiceClient
# To initialize your graph_client, see https://zcusa.951200.xyz/en-us/graph/sdks/create-client?from=snippets&tabs=python
await graph_client.oauth2_permission_grants.by_o_auth2_permission_grant_id('oAuth2PermissionGrant-id').delete()
You granted delegated permissions (or scopes) to a service principal. This method of granting permissions using Microsoft Graph is an alternative to interactive consent and should be used with caution.