Remove AzureADServiceAppRoleAssignment through Custom Action?

Discussions and examples of Custom Actions and how to use PowerShell to create custom actions.
Post Reply
Next365
Posts: 2
Joined: Fri Oct 30, 2020 1:17 pm

Remove AzureADServiceAppRoleAssignment through Custom Action?

Post by Next365 »

We have a series of Apps registered on our Azure AD with various consent.
Form Microsoft portal there is no way to easily remove single App (User can be done) consent.

Is it possible to achieve this through a Custom Action?
Carmine
Posts: 1
Joined: Wed Oct 07, 2020 1:49 pm

Re: Remove AzureADServiceAppRoleAssignment through Custom Action?

Post by Carmine »

Hi Next365,

sure. We have created a Custom Action for this purpose

First, you have to identify the AppId. You can do it in few steps
  • Click on Azure Active Directory
  • Enterprise Applications and select which one you want to remove the consent
  • Copy the Object ID value
Then, create a new custom actions, selecting none as target and adding 3 inputs:
  • ApplicationObjectId as String
  • PermissionsToBeRemoved as String
  • ConsentCategory as String
Then, just copy and paste this script

Code: Select all

$application = Get-AzureADServicePrincipal -All:$true | Where-Object { $_.AppId -eq $ApplicationObjectId }
$permissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $application.ObjectId -All $true
$consentIds = @()

foreach ( $permissionToRemoved in $PermissionsToBeRemoved.Split("|", [System.StringSplitOptions]::RemoveEmptyEntries)) {
    $valueGraph = (Get-AzureADServicePrincipal -filter "DisplayName eq $ConsentCategory").AppRoles | Where-object { $_.Value -eq $permissionToRemoved } | Select Id
    $consentIds += $valueGraph
}

foreach ( $i in $consentIds) {
    $objectId = $permissions | where-object { $_.Id -eq $i.Id } | Select-Object ObjectId
    if ( $null -ne $objectId) {
        Remove-AzureADServiceAppRoleAssignment -ObjectId $application.ObjectId -AppRoleAssignmentId $objectId.ObjectId
    }
}
That's all.

As example value you can use:

ApplicationObjectId = "APPLICATION_GUID"
PermissionsToBeRemoved = "SecurityActions.Read.All|IdentityRiskyUser.Read.All|"
ConsentCategory = "Microsoft Graph"

Thanks,
Carmine
Post Reply