adds new script for administrator's reference regarding OAuth2 permission grants in Entra ID #6536
Conversation
…ion grants in Entra ID
…estrini/cli-microsoft365 into sample-new-entra-oauth2grant
Thank you @tmaestrini, could you also link the related issue to this PR?
Hey @milanholemans, thanks for getting back to me! It looks like you're always on the go! 😃 That's so cool! 👍
Since we handle the principle of 1 issue = 1 PR, could you create an issue for the completeness?
Hey @milanholemans, sorry I missed that. See reference to issue in description field above.
Hi @tmaestrini, my swiss, italian friend 🥂 I really love this sample, well done! I do have some comments to dot the t's and cross the i's. (or was that the other way around 😅) But anyway, let's look at some comments before we merge this!
Resolved (outdated) review comments on:
- docs/docs/sample-scripts/entra/entra-remove-oauth2-permission-grants/index.mdx (7 comments)
- docs/docs/sample-scripts/entra/entra-remove-oauth2-permission-grants/assets/sample.json (3 comments)
@martinlingstuyl Muchas gracias, amigo! 🙌 Happy New Years 🥂 – and thank you very much for the review. Great balls of fire!
OK @tmaestrini, some last really small comments from my side. Let's fix those before we merge it. Very nice work!
"updateDateTime": "2024-12-25", | ||
"shortDescription": "Find and remove all OAuth2 permission grants that have been assigned to a specific enterprise application (or service principal).", | ||
"longDescription": [ | ||
"Find and remove all OAuth2 permissions assigned to a specific enterprise application by selecting one of the following removal options: **All permissions** / Permissions granted **by an administrator** / Permissions granted **to users**." |
I'd suggest rephrasing this slightly:
"Find and remove all OAuth2 permissions assigned to a specific enterprise application by selecting one of the following removal options: **All permissions** / Permissions granted **by an administrator** / Permissions granted **to users**." | |
"Find and remove all OAuth2 permissions assigned to a specific enterprise application by selecting one of the following removal options: **All permissions** / Permissions granted **by an administrator** / Permissions consented to **by users**." |
|
||
Author: [Tobias Maestrini](https://github.com/tmaestrini) | ||
|
||
From an administrator's perspective, managing OAuth2 permission grants that have been assigned to an enterprise application (used in a multi-tenant app or your own app registration) can be a challenging task. |
Let's swap them around (that's just a feeling, feel free to ignore) and slightly rephrase.
From an administrator's perspective, managing OAuth2 permission grants that have been assigned to an enterprise application (used in a multi-tenant app or your own app registration) can be a challenging task. | |
From an administrator's perspective, managing OAuth2 permission grants that have been assigned to an enterprise application (based on an app registration or a multi-tenant app) can be a challenging task. |
Removes OAuth2 permission grants in a specific enterprise application (or service principal) in Entra ID. | ||
|
||
.DESCRIPTION | ||
Find and remove all OAuth2 permissions assigned to a specific enterprise application by selecting one of the following removal options: **All permissions** / Permissions granted **by an administrator** / Permissions granted **to users**. |
Find and remove all OAuth2 permissions assigned to a specific enterprise application by selecting one of the following removal options: **All permissions** / Permissions granted **by an administrator** / Permissions granted **to users**. | |
Find and remove all OAuth2 permissions assigned to a specific enterprise application by selecting one of the following removal options: **All permissions** / Permissions granted **by an administrator** / Permissions consented to **by users**. |
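The three removal options discussed in this comment (all grants, grants consented by an administrator, grants consented by individual users) map onto the `consentType` property of a Microsoft Graph `oAuth2PermissionGrant`: `AllPrincipals` for tenant-wide admin consent and `Principal` for a single user's consent. The following PowerShell is an added example, not code from this PR or from the CLI for Microsoft 365 project. It assumes the Graph property names (`consentType`, `principalId`, `clientId`, `resourceId`, `scope`), uses constructed sample grants with placeholder GUIDs, and only reports what each option would delete; the `m365 entra oauth2grant` commands mentioned in the comments are cited from memory and should be checked against the CLI documentation before use.

```powershell
# Added example: classify the OAuth2 permission grants of one service principal
# by who consented, and dry-run the three removal options before anything is deleted.
# Property names follow the Microsoft Graph oAuth2PermissionGrant resource; the
# sample objects further down are constructed and do not come from a real tenant.

function Select-OAuth2GrantsByType {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [object[]]$Grants,

        # Same three options as the sample script's description
        [Parameter(Mandatory = $true)]
        [ValidateSet('All', 'Admin', 'User')]
        [string]$GrantType
    )

    switch ($GrantType) {
        # Tenant-wide admin consent: consentType is AllPrincipals and principalId is empty
        'Admin' { $Grants | Where-Object { $_.consentType -eq 'AllPrincipals' } }
        # Per-user consent: consentType is Principal and principalId names the consenting user
        'User'  { $Grants | Where-Object { $_.consentType -eq 'Principal' } }
        'All'   { $Grants }
    }
}

# Constructed sample grants for a single client service principal (placeholder ids),
# shaped like the JSON objects the CLI returns for `m365 entra oauth2grant list --spId <id>`
# (command name assumed; verify against the CLI docs).
$sampleGrants = @(
    [pscustomobject]@{ id = 'grant-1'; clientId = '11111111-0000-0000-0000-000000000001'; consentType = 'AllPrincipals'; principalId = $null;     resourceId = 'res-graph'; scope = 'User.Read Mail.Read' }
    [pscustomobject]@{ id = 'grant-2'; clientId = '11111111-0000-0000-0000-000000000001'; consentType = 'Principal';     principalId = 'user-a';  resourceId = 'res-graph'; scope = 'User.Read' }
    [pscustomobject]@{ id = 'grant-3'; clientId = '11111111-0000-0000-0000-000000000001'; consentType = 'Principal';     principalId = 'user-b';  resourceId = 'res-graph'; scope = 'Files.ReadWrite' }
)

# Dry run: show which grants each option would remove. Only after reviewing this report
# would the Write-Host in the inner loop be replaced by the actual removal command
# (e.g. `m365 entra oauth2grant remove --grantId $_.id --force`, name assumed).
foreach ($type in 'Admin', 'User', 'All') {
    $selected = @(Select-OAuth2GrantsByType -Grants $sampleGrants -GrantType $type)
    Write-Host "Option '$type' would remove $($selected.Count) grant(s):"
    $selected | ForEach-Object {
        Write-Host ("  {0}  {1,-14} principal={2,-6} scope={3}" -f $_.id, $_.consentType, ($_.principalId ?? '-'), $_.scope)
    }
}
```

Running the block prints one section per option: `Admin` selects only `grant-1`, `User` selects `grant-2` and `grant-3`, and `All` selects all three. Keeping the selection in a function separate from the removal step is what makes the report mode cheap to add, which matters because a wrong `-GrantType` on a production service principal would revoke consent for every user of that application at once. The `??` null-coalescing operator requires PowerShell 7 or later.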
- User must have appropriate permissions in Entra ID to manage OAuth2 permission grants (e.g. Global Admin) | ||
|
||
.LINK | ||
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-application-permissions |
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-application-permissions | |
https://learn.microsoft.com/azure/active-directory/manage-apps/manage-application-permissions |
|
||
.NOTES | ||
Prerequisites: | ||
- Microsoft 365 CLI (m365) must be installed and configured |
- Microsoft 365 CLI (m365) must be installed and configured | |
- CLI for Microsoft 365 (m365) must be installed and configured |
.NOTES | ||
Prerequisites: | ||
- Microsoft 365 CLI (m365) must be installed and configured | ||
- User must have appropriate permissions in Entra ID to manage OAuth2 permission grants (e.g. Global Admin) |
I think the role "Cloud Application Administrator" can also be used. Let's mention that one as well to show you don't always need god mode.
And let's add one extra prerequisite:
- The Entra app registration used to sign into the CLI for Microsoft 365 must have an appropriate permission scope to manage permissions of other apps (e.g. Directory.ReadWrite.All).
You could also try to find out the least permissive scope to use here. I don't know it by heart, but Directory.ReadWrite.All is a bit massive for this.
function Remove-PermissionsGrants { | ||
param( | ||
[Parameter(Mandatory = $true)] | ||
[string]$enterpriseAppName, |
Let's capitalize this one, just like GrantType.
[string]$enterpriseAppName, | |
[string]$EnterpriseAppName, |
You could also rename it to AppDisplayName. It's not really important here that it is called an 'enterprise' application.
Closes #6537