![]() Imagine how much WORSE it gets if permissions were consented tenant wide, rather than to an individual user? This means that if the user account with these permissions to the Graph is compromised then that attacker has access to the Microsoft Graph and potentially lots of sensitive areas in a tenant, especially if the permissions have been added to over time. The issue is that even after you disconnect from the Microsoft Graph, having completed any scripting, those consented permissions remain in place i.e. If you select the option This application has more permissions that I want and basically told to use PowerShell to revoke all permissions for this application as well as being provided with the code to do so. ![]() If you select Review permissions menu option you’ll see a item displayed from the right as shown above. If you select any of these hyperlinks, you’ll see a list of users, on the right, that have been assigned this permission appear on the right as shown above.Ĭan you see the problem yet? No? Well…….how do you REMOVE or revoke a permission here?įrom what I can determine, you can’t remove the permissions via the portal. The right hand most column in this display, Grant by, has a hyperlink to show the number of users with this assigned permission. This list of permissions matches those consented to when connecting to the Microsoft Graph. On the right you’ll then be able to select either Admin consent or User consent.īecause the permissions assigned were only for a single user, the User consent item will show these to us as shown above. Then on the right, locate and select Microsoft Graph PowerShell as shown.įrom the screen that now appears, select Permissions from the menu on the left as shown. From here, select Enterprise applications from the menu on the left.įrom the screen that appears ensure All applications is select from the menu on the left. You’ll find them by opening the Azure Portal and navigating to Azure Active Directory as shown above. With security in mind, I went to have a look at where these permissions just consented to actually appear. You can now happily go off and perform whatever actions you need to using PowerShell for the Microsoft Graph. However, be very, very careful consenting for the whole organization as I will illustrate. However, if you check the Consent in behalf of your organization option you’ll be providing these permissions to ALL users in your tenant! For now, only consent will be granted for the current user. If you simply select Accept here, you are just consenting for the current user. This allows you to only provide permissions for exactly what you need.ĭuring the connection process you’ll be asked to consent to the permissions just requested, as shown above. The scope is in effect the permissions the current user will be given when they connect to the Microsoft Graph. Thus, in this case, the scope will be and. The second thing to note is that you can specific the scope with which you to connect. ![]() First thing to remember is that this process can’t be completed in the Power ISE, you’ll need to do it elsewhere (here, using Windows terminal). After installing the appropriate PowerShell modules you can connect to the Microsoft Graph with PowerShell using the command:Īs shown above.
0 Comments
Leave a Reply. |