How to get service principal OAuth2 permission grants using Microsoft Graph PowerShell

The Get-MgServicePrincipalOauth2PermissionGrant cmdlet retrieves all OAuth2 delegated permission grants that have been assigned to a service principal in Microsoft Entra ID (formerly Azure AD). By running this cmdlet, admins can identify which permissions have been consented to, who consented to them, and whether the consent was granted tenant-wide or at the user level. This is beneficial for security reviews, compliance audits, and troubleshooting, because excessive or misconfigured permissions can introduce risk.

This article shows you how to view OAuth2 permission grants using both the Microsoft Entra admin center and Microsoft Graph PowerShell:

View OAuth2 permission grants using Microsoft Entra admin center

OAuth2 grants can be reviewed under each enterprise application's Permissions section.

  1. Navigate to Microsoft Entra admin center.
  2. Select Azure Active Directory > Enterprise applications.
  3. Choose the application and look under Permissions.

Get OAuth2 permission grants using Microsoft Graph PowerShell

Prerequisites

Install the Microsoft Graph module and connect with the app role assignment read scope:

Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "AppRoleAssignment.Read.All"

Using the Get-MgServicePrincipalOauth2PermissionGrant cmdlet

Run the command below with the service principal ID:

Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId <sp-id>

Examples

Example 1: List all OAuth2 permission grants

Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId "abcdef12-3456-7890-abcd-ef1234567890"

Example 2: Filter grants by specific resource

Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId "abcdef12-3456-7890-abcd-ef1234567890" -Filter "resourceId eq 'resource-guid'"

Example 3: Limit results to top five grants

Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId "abcdef12-3456-7890-abcd-ef1234567890" -Top 5

Supported parameters

The following are some essential parameters that can be used along with the Get-MgServicePrincipalOauth2PermissionGrant cmdlet:

Parameter            Description
-ServicePrincipalId  The object ID of the service principal whose grants to retrieve.
-Filter              An OData filter expression to refine the returned grants.
-Top                 Limits the number of grants returned.
-All                 Retrieves all results by paging through them.
-Property            Selects the properties to include in the results.
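The script below is an added example, not code from the original article, showing how a reviewer can turn the cmdlet's output into an audit table: it pages through every grant with -All, splits the space-separated Scope string into individual permissions, distinguishes tenant-wide consent (ConsentType AllPrincipals) from single-user consent (Principal), and flags tenant-wide grants that contain high-impact scopes. It assumes Connect-MgGraph has already been run as in the prerequisites, that Get-MgServicePrincipal (which needs Application.Read.All or Directory.Read.All) is available to resolve resource names, and the $HighImpactScopes list is a constructed example to adapt to your tenant.

```powershell
# Added example: build a review table of delegated grants for one service principal.
# Assumes you are already connected with Connect-MgGraph (see Prerequisites).
param(
    [Parameter(Mandatory)] [string] $ServicePrincipalId
)

# Constructed list of scopes treated as high-impact for this review; adjust for your tenant.
$HighImpactScopes = @(
    'Directory.ReadWrite.All', 'User.ReadWrite.All',
    'Mail.ReadWrite', 'Mail.Send', 'Files.ReadWrite.All'
)

# -All pages through every grant instead of stopping at the first page of results.
$grants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $ServicePrincipalId -All

$report = foreach ($g in $grants) {
    # Resolve the resource API the grant targets (e.g. Microsoft Graph).
    # Get-MgServicePrincipal needs Application.Read.All or Directory.Read.All;
    # if that lookup fails we fall back to the raw resource GUID.
    $resourceName = $g.ResourceId
    try {
        $resourceName = (Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId -ErrorAction Stop).DisplayName
    } catch { }

    # Scope is one space-separated string; split it so each permission can be inspected.
    $scopes  = @($g.Scope -split ' ' | Where-Object { $_ })
    $flagged = @($scopes | Where-Object { $HighImpactScopes -contains $_ })

    # AllPrincipals = admin consent on behalf of the whole tenant; Principal = one user's consent.
    $tenantWide = ($g.ConsentType -eq 'AllPrincipals')

    [pscustomobject]@{
        GrantId     = $g.Id
        Resource    = $resourceName
        ConsentType = $g.ConsentType
        PrincipalId = if ($tenantWide) { '(tenant-wide)' } else { $g.PrincipalId }
        Scopes      = ($scopes -join ', ')
        HighImpact  = ($flagged -join ', ')
        # Tenant-wide consent combined with a high-impact scope is the first thing to review.
        NeedsReview = ($tenantWide -and $flagged.Count -gt 0)
    }
}

$report | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
```

Save it as a .ps1 file and run it with -ServicePrincipalId set to the object ID of the service principal you are reviewing.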

Limitations of using native tools to view OAuth2 permission grants

  • PowerShell commands can get complex with different use cases and scenarios.
  • IT admins can spend a lot of time troubleshooting errors, which in turn negatively impacts productivity.
  • Delegation can get tricky since technicians require elevated permissions.

How ADManager Plus helps you manage Microsoft Entra ID

ADManager Plus, an identity governance and administration solution with comprehensive Microsoft Entra ID management and reporting capabilities, simplifies complex admin tasks from a single, user-friendly console.
