How to remove OAuth2 permission grants using Microsoft Graph PowerShell

The Remove-MgOauth2PermissionGrant cmdlet allows admins to revoke OAuth2 permission grants from applications and service principals in Microsoft Entra ID (Azure AD). These grants define the delegated permissions that a client application has to access resources on behalf of a signed-in user. By removing unnecessary or outdated permission grants, admins can reduce the attack surface, enforce least-privilege access, and maintain tighter security over application-to-resource interactions. This cmdlet is especially useful when decommissioning applications, revoking risky permissions, or cleaning up unused authorizations.

This article shows you how to remove OAuth2 permission grants using both the Microsoft Entra admin center and Microsoft Graph PowerShell:

Remove OAuth2 permission grants using Microsoft Graph PowerShell

Prerequisites

• You need the AppRoleAssignment.ReadWrite.All permission or an equivalent privileged role in Microsoft Entra ID.
• Install and connect to Microsoft Graph PowerShell by running the script below:
  Copy Install-Module Microsoft.Graph -Scope CurrentUser Connect-MgGraph -Scopes "AppRoleAssignment.ReadWrite.All"

Using the Remove-MgOauth2PermissionGrant cmdlet

Run the script below the grant’s unique object ID to revoke it from the tenant:

Examples

Example 1: Remove a specific OAuth2 permission grant

Example 2: Remove a grant with confirmation

Example 3: Test removal with WhatIf

Supported parameters

The following are some essential parameters that can be used along with the Remove-MgOauth2PermissionGrant cmdlet:

Limitations of using native tools to Remove OAuth2 permission grants

• PowerShell commands can get complex with different use cases and scenarios.
• IT admins can spend a lot of time troubleshooting errors, which negatively impacts productivity.
• Delegation can get tricky since technicians require elevated permissions.