If, like me, you connect to either Azure Active Directory or Microsoft 365 using the Microsoft Graph PowerShell SDK, you may have hit the problem where your session seems to have more permissions than you asked for, and you need help figuring out why.
The good news is this is a pretty easy thing to figure out. I started writing this post a while ago and then forgot I was writing it. I got reminded I needed to complete this by some questions I got about this very subject, so here it is 🙂
When you use “Connect-MgGraph” and pass scopes, you get prompted by the consent framework.
$scopes = @(
    "Policy.Read.All",
    "Policy.ReadWrite.ConditionalAccess",
    "Application.Read.All"
)
Connect-MgGraph -Scopes $scopes
Once you consent for the connection, within Azure Active Directory, a new Enterprise application gets created called “Microsoft Graph PowerShell.”
The scopes passed get assigned to the application and used during the session.
Unfortunately, what happens next is quite normal: we don’t disconnect our sessions the way we should and leave everything as it was when we first connected. The next time you connect with a different set of scopes, the new scopes are appended to those already consented, so once the connection completes, checking the current context scopes shows more permissions than you asked for.
$scopes = @(
    "User.ReadWrite.All",
    "Group.ReadWrite.All",
    "GroupMember.ReadWrite.All"
)
Connect-MgGraph -Scopes $scopes
Running “Get-MgContext | Select-Object -ExpandProperty Scopes” shows the combined permissions.
As you can imagine, this causes issues with either too many or even too few permissions. If you look directly within Azure Active Directory at the “Microsoft Graph PowerShell” application, within the “Permissions” section, you will also see the combined permissions.
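A quick way to catch this before a script runs with more (or fewer) permissions than intended is to compare the scopes in the current context against the list the script actually requested. The following is an added example and not code from the original post; the function name Test-MgScopeDrift, the $Required list and the $Baseline list of OIDC scopes are assumptions for illustration.

```powershell
# Added example (not from the original post): report scopes in the current
# Microsoft Graph PowerShell session that go beyond what this script requested.
function Test-MgScopeDrift {
    param(
        [Parameter(Mandatory)] [string[]] $Required,
        # Sign-in scopes the SDK may add on its own; adjust if your context shows others (assumption)
        [string[]] $Baseline = @('openid', 'profile', 'email', 'offline_access')
    )

    $context = Get-MgContext
    if (-not $context) {
        throw 'No active Microsoft Graph session. Run Connect-MgGraph first.'
    }

    $granted = @($context.Scopes | Where-Object { $_ -notin $Baseline })

    [pscustomobject]@{
        Account  = $context.Account
        AuthType = $context.AuthType
        Extra    = @($granted  | Where-Object { $_ -notin $Required })
        Missing  = @($Required | Where-Object { $_ -notin $granted })
    }
}

# The scopes this particular script needs (constructed sample list)
$required = @('Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All')

try {
    Connect-MgGraph -Scopes $required

    $drift = Test-MgScopeDrift -Required $required

    if ($drift.Extra.Count -gt 0) {
        # Leftover consent from an earlier session: the enterprise app carries more than we asked for
        Write-Warning ("Session has {0} scope(s) beyond this script's request: {1}" -f `
            $drift.Extra.Count, ($drift.Extra -join ', '))
    }
    if ($drift.Missing.Count -gt 0) {
        throw ("Missing required scope(s): {0}" -f ($drift.Missing -join ', '))
    }

    # ... script work goes here ...
}
finally {
    # Always tear the session down so scopes are not silently carried into the next run
    Disconnect-MgGraph | Out-Null
}
```

The Missing check matters as much as the Extra one: a session that was consented for a different script can just as easily lack a permission this one needs, and failing early with a clear message beats a confusing 403 halfway through.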
Resolving this problem is as simple as deleting the current Azure Active Directory application called “Microsoft Graph PowerShell.” To do this, you can also use PowerShell, using the “AzureAD” or “AzureADPreview” module. First, load the module, retrieve the ID and remove the application.
Import-Module AzureADPreview
Connect-AzureAD
# -SearchString is a prefix match, so pin to the exact display name to avoid removing the wrong principal
$sp = Get-AzureADServicePrincipal -SearchString "Microsoft Graph PowerShell" |
    Where-Object { $_.DisplayName -eq "Microsoft Graph PowerShell" }
Remove-AzureADServicePrincipal -ObjectId $sp.ObjectId
You will have to wait a minute or so for it to disappear from the user interface completely; however, it is deleted. Searching Azure Active Directory using the UI or PowerShell results in the Enterprise application no longer existing. The next time you connect and confirm the consent request, the application is recreated with only the permissions specified within the scopes property.
Remember, you will only need to do this if you often change permissions. If that is the case, I recommend manually creating an app registration, assigning the required permissions, and then using a certificate to connect. Also, remember that specific commands ONLY work with delegated permissions and not app-only permissions, so you may need to use ad-hoc assignments occasionally.
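The certificate-based connection described above, as an added example that is not code from the original post. It assumes an app registration you created yourself, with the application permissions it needs already admin-consented, and a certificate in the current user's store whose public key is uploaded to that registration; the tenant ID, client ID and thumbprint values are placeholders.

```powershell
# Added example (not from the original post): connect app-only with your own app
# registration and a certificate, so the permissions come from that registration
# rather than from whatever was consented to "Microsoft Graph PowerShell" earlier.
$tenantId   = '<your-tenant-id>'            # placeholder
$clientId   = '<your-app-registration-id>'  # placeholder
$thumbprint = '<certificate-thumbprint>'    # placeholder; cert lives in Cert:\CurrentUser\My

# Fail early if the certificate is not present, rather than at sign-in time
if (-not (Get-ChildItem -Path "Cert:\CurrentUser\My\$thumbprint" -ErrorAction SilentlyContinue)) {
    throw "Certificate with thumbprint $thumbprint not found in Cert:\CurrentUser\My"
}

try {
    Connect-MgGraph -TenantId $tenantId -ClientId $clientId -CertificateThumbprint $thumbprint

    $context = Get-MgContext

    # With a certificate there is no user; the SDK reports the session as app-only
    if ($context.AuthType -ne 'AppOnly') {
        throw "Expected an app-only session but got '$($context.AuthType)'."
    }

    # The scopes shown here are the registration's application permissions,
    # which do not accumulate across sessions the way delegated consent does
    $context | Select-Object AuthType, AppName, TenantId,
        @{ Name = 'Scopes'; Expression = { $_.Scopes -join ', ' } }

    # ... script work goes here ...
}
finally {
    Disconnect-MgGraph | Out-Null
}
```

Because application permissions are granted once to the registration, a run with this pattern gets exactly the permissions you assigned, every time. For the cmdlets that only work with delegated permissions, keep a separate interactive Connect-MgGraph with just the scope that call needs, and disconnect as soon as it is done so that consent does not linger on the shared enterprise application.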