Marko Gasparic

Reputation: 11

How to revoke consent for a registered app programmatically?

I have a very simple application where users can sync their calendars and also receive new events directly into the calendar. I acquire "Calendars.ReadWrite, offline_access, User.Read" delegated permissions interactively.

When the users decide to stop using my application, they can "unlink" and I will drop all the events, hooks, etc. What I am trying to achieve is that my third-party app would also disappear from the list of apps presented here: https://account.live.com/consent/Manage. In other words, a complete cleanup, revoking any access permissions, dropping all tokens, etc.

I've been struggling with this issue for days. Tried many different endpoints and mostly got back cryptic errors only. Overall, zero progress. I am running out of ideas about what I can do with revokeSignInSessions and oAuth2PermissionGrant; it seems like I tried everything and nothing worked. So, I really hope that someone here can help me out.

It seems like a very basic scenario. Google Calendar has a simple endpoint that can do exactly that: https://oauth2.googleapis.com/revoke?token=. What am I missing? How can I do that? It must be a common requirement, no?

Thanks for reading this post! Any help is appreciated. Regards,

Upvotes: 1

Views: 592

Answers (1)

Rob Windsor

Reputation: 6859

Assume you have an app registration named Revoke Demo that requests the permissions you list in your question.

[Screenshot: App registration]

The note at the bottom of the screen capture tells you that you can see consented permissions by going to Enterprise applications. If you search for Revoke Demo in the Entra ID Enterprise applications, you'd find the page associated with the app registration. Note where you can find the Object ID for the Enterprise application; you'll need it later.

[Screenshot: Enterprise application]

If you expand Security and select Permissions in the left navigation, and then select the User consent tab, you can see the permissions that have been granted for this application.

[Screenshot: Enterprise application permissions]

You can get the same information using Microsoft Graph by making a GET request to https://graph.microsoft.com/v1.0/servicePrincipals/{id}/oauth2PermissionGrants where the id is the Object ID of the Enterprise application.

[Screenshot: Microsoft Graph Explorer]

Note, in my demo only one user had consented permission for the application so there is only one oAuth2PermissionGrant object returned. If multiple users had consented permissions then there would be one object per user. You can determine which user the oAuth2PermissionGrant object applies to using the value of the principalId property.

To revoke permissions, issue a DELETE request to https://graph.microsoft.com/v1.0/oAuth2PermissionGrants/{id} where the id is the id of the appropriate oAuth2PermissionGrant object returned from the previous request.

[Screenshot: Microsoft Graph Explorer]

You can then use the Microsoft Graph or the Enterprise application page in the Azure portal to confirm that the permissions have been revoked.

[Screenshot: Enterprise application permissions]

Please note the permissions required to perform these requests. This screen capture is taken from the documentation linked below.

[Screenshot: Microsoft Graph permissions]

For more information, see Review permissions granted to enterprise applications and select the Microsoft Graph option at the top of the page.

Upvotes: 0
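A worked version of the GET-then-DELETE flow from the answer above, added here as an example (it is not the answerer's code). It assumes you already hold an access token carrying the Graph permissions the screenshot lists, uses placeholder object ids, and injects the HTTP layer so the constructed sample response runs offline.

```python
import json
import urllib.request
from typing import Callable, Dict, List

GRAPH = "https://graph.microsoft.com/v1.0"
Http = Callable[[str, str], str]  # (method, url) -> response body

def grants_url(sp_object_id: str) -> str:
    # Object ID of the Enterprise application (service principal), as in the answer
    return f"{GRAPH}/servicePrincipals/{sp_object_id}/oauth2PermissionGrants"

def select_user_grants(grants: List[Dict], principal_id: str) -> List[Dict]:
    # Only this user's own consent. consentType "AllPrincipals" is an admin-wide
    # grant (principalId null); an unlinking user must not remove it for everyone.
    return [g for g in grants
            if g.get("consentType") == "Principal" and g.get("principalId") == principal_id]

def revoke_user_consent(http: Http, sp_object_id: str, principal_id: str) -> List[str]:
    # GET the grants, DELETE the user's own, return the deleted grant ids. Removing
    # the grant stops new tokens; access tokens already issued stay valid until expiry.
    page = json.loads(http("GET", grants_url(sp_object_id)))
    deleted = []
    for g in select_user_grants(page.get("value", []), principal_id):
        http("DELETE", f"{GRAPH}/oAuth2PermissionGrants/{g['id']}")
        deleted.append(g["id"])
    return deleted

def graph_http(access_token: str) -> Http:
    # Real transport; the token needs the Graph permissions the answer's screenshot lists.
    def call(method: str, url: str) -> str:
        req = urllib.request.Request(url, method=method, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode() or "{}"  # DELETE answers 204 with no body
    return call

# Constructed sample of a GET response: two users consented plus one admin-wide grant.
SAMPLE_GRANTS = {"value": [
    {"id": "grant-alice", "consentType": "Principal", "principalId": "user-alice",
     "scope": "Calendars.ReadWrite offline_access User.Read"},
    {"id": "grant-bob", "consentType": "Principal", "principalId": "user-bob", "scope": "User.Read"},
    {"id": "grant-admin", "consentType": "AllPrincipals", "principalId": None, "scope": "User.Read"},
]}

def fake_graph(log: List[tuple]) -> Http:
    # Offline stand-in for graph_http that appends each (method, url) to log.
    def call(method: str, url: str) -> str:
        log.append((method, url))
        return json.dumps(SAMPLE_GRANTS) if method == "GET" else "{}"
    return call
```

Swap `fake_graph([])` for `graph_http(token)` to run it against a real tenant; the user's `principal_id` is the object id of the signed-in user who is unlinking.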
