
New command 'entra enterpriseapp permission remove' - Remove an app-only or delegated permissions from an enterprise application

Open martinlingstuyl opened this issue 2 years ago • 2 comments

We currently have the following commands that cover removing permissions from an enterprise application / service principal:

This issue is for adding the same functionality in a more consistent way, that can in some time replace the oauthgrant and approleassignment commands.

We're also implementing a rename of entra serviceprincipal verb, which is why we're adding this in the correct command group right from the start.

Usage

m365 entra enterpriseapp permission remove [options]

Description

Removes the specified application and/or delegated permissions from a specified Entra enterprise application.

Options

| Option | Description |
| --- | --- |
| -i, --appId [appId] | Client ID of the Entra enterprise app to remove the API permissions from. Specify either appId, appName or appObjectId. |
| --appObjectId [appObjectId] | Object ID of the Entra enterprise app to remove the API permissions from. Specify either appId, appName or appObjectId. |
| -n, --appName [appName] | Display name of the Entra enterprise app to remove the API permissions for. Specify either appId, appName or appObjectId. |
| -a, --applicationPermissions [applicationPermissions] | Space-separated list of application permissions to remove. Specify at least applicationPermissions or delegatedPermissions. |
| -d, --delegatedPermissions [delegatedPermissions] | Space-separated list of delegated permissions to remove. Specify at least applicationPermissions or delegatedPermissions. |

Remarks

Scopes/Roles to grant must be fully-qualified so that we can disambiguate them between the different resources.

Examples

Remove multiple delegated API permissions from an AAD app registration

m365 entra enterpriseapp permission remove --appId 'f1417aa3-bf0b-4cc5-a845-a0b2cf11f690' --delegatedPermissions 'https://management.azure.com/user_impersonation https://service.flow.microsoft.com/Flows.Read.All https://graph.microsoft.com/Agreement.Read.All'

Remove multiple app-only permissions from an AAD app registration and revoke admin consent

m365 entra enterpriseapp permission remove --appId 'f1417aa3-bf0b-4cc5-a845-a0b2cf11f690' --applicationPermissions 'https://graph.microsoft.com/Sites.FullControl.All https://microsoft.sharepoint-df.com/Sites.FullControl.All' --revokeAdminConsent

Additional information

If multiple apps with the same name exist, the CLI should show a disambiguation prompt to let the user choose.

martinlingstuyl avatar Jan 16 '24 11:01 martinlingstuyl
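The command is only proposed here, so the TypeScript below is an added example (not cli-microsoft365 code) that models what it has to do: split the fully-qualified, space-separated permission list the Remarks require into resource URI and scope, resolve the target enterprise app (refusing when several share a display name, where the CLI would show the disambiguation prompt), and plan the Microsoft Graph changes: trimming or deleting the client's oauth2PermissionGrant for delegated scopes and deleting the matching appRoleAssignment for application permissions. The tenant, its ids and display names are constructed; the client ID is the one used in the issue's examples; the function names are assumptions.

```typescript
// Added example, not cli-microsoft365 code. Plans the Graph calls behind the proposed
// 'entra enterpriseapp permission remove' command against a constructed in-memory tenant.

interface ServicePrincipal {
  id: string;                                // service principal object id
  appId: string;                             // client (application) id
  displayName: string;
  servicePrincipalNames: string[];           // identifier URIs, e.g. https://graph.microsoft.com
  appRoles: { id: string; value: string }[]; // application permissions the resource exposes
}
interface OAuth2PermissionGrant { id: string; clientId: string; resourceId: string; scope: string; }
interface AppRoleAssignment { id: string; principalId: string; resourceId: string; appRoleId: string; }
interface Tenant {
  servicePrincipals: ServicePrincipal[];
  grants: OAuth2PermissionGrant[];           // delegated permissions; scope is a space-separated string
  roleAssignments: AppRoleAssignment[];      // app-only permissions
}
interface PlannedChange { method: "PATCH" | "DELETE"; path: string; body?: { scope: string }; }

// Turn the option value into { resourceUri: [scope, ...] }. Every entry must be
// <resource URI>/<scope>; a bare scope such as Sites.FullControl.All could belong to
// Graph or to SharePoint, which is why the Remarks demand fully-qualified names.
function parsePermissions(list: string): { [resourceUri: string]: string[] } {
  const byResource: { [resourceUri: string]: string[] } = {};
  for (const entry of list.split(/\s+/).filter(e => e.length > 0)) {
    const slash = entry.lastIndexOf("/");
    const resource = slash > 0 ? entry.substring(0, slash) : "";
    const scope = entry.substring(slash + 1);
    if (!/^[a-z][a-z0-9+.-]*:\/\/[^/]+/i.test(resource) || scope.length === 0) {
      throw new Error("Permission '" + entry + "' is not fully qualified; expected <resource URI>/<scope>");
    }
    (byResource[resource] = byResource[resource] || []).push(scope);
  }
  return byResource;
}

// Resolve the enterprise app by object id, client id or display name.
function resolveApp(tenant: Tenant, opts: { appId?: string; appObjectId?: string; appName?: string }): ServicePrincipal {
  let matches: ServicePrincipal[];
  if (opts.appObjectId) matches = tenant.servicePrincipals.filter(s => s.id === opts.appObjectId);
  else if (opts.appId) matches = tenant.servicePrincipals.filter(s => s.appId === opts.appId);
  else if (opts.appName) matches = tenant.servicePrincipals.filter(s => s.displayName === opts.appName);
  else throw new Error("Specify appId, appObjectId or appName");
  if (matches.length === 0) throw new Error("Enterprise app not found");
  // The proposal says the CLI should prompt here; a non-interactive planner has to refuse instead.
  if (matches.length > 1) throw new Error("Multiple enterprise apps match; object ids: " + matches.map(s => s.id).join(", "));
  return matches[0];
}

// Compute the Graph requests that remove the given permissions from the app.
function planRemoval(tenant: Tenant, app: ServicePrincipal,
  delegated: { [uri: string]: string[] }, application: { [uri: string]: string[] }): PlannedChange[] {
  const changes: PlannedChange[] = [];
  const findResource = (uri: string): ServicePrincipal => {
    const r = tenant.servicePrincipals.filter(s => s.servicePrincipalNames.indexOf(uri) !== -1)[0];
    if (!r) throw new Error("No service principal in the tenant exposes resource '" + uri + "'");
    return r;
  };
  for (const uri of Object.keys(delegated)) {
    const resource = findResource(uri);
    // clientId on a grant is the client's service principal object id, not its appId
    const grant = tenant.grants.filter(g => g.clientId === app.id && g.resourceId === resource.id)[0];
    if (!grant) throw new Error(app.displayName + " has no delegated grant for " + uri);
    const current = grant.scope.split(" ").filter(s => s.length > 0);
    const missing = delegated[uri].filter(s => current.indexOf(s) === -1);
    if (missing.length > 0) throw new Error("Not granted on " + uri + ": " + missing.join(", "));
    const remaining = current.filter(s => delegated[uri].indexOf(s) === -1);
    if (remaining.length === 0) {
      // Nothing left: delete the grant rather than leaving one with an empty scope string
      changes.push({ method: "DELETE", path: "/oauth2PermissionGrants/" + grant.id });
    } else {
      changes.push({ method: "PATCH", path: "/oauth2PermissionGrants/" + grant.id, body: { scope: remaining.join(" ") } });
    }
  }
  for (const uri of Object.keys(application)) {
    const resource = findResource(uri);
    for (const value of application[uri]) {
      const role = resource.appRoles.filter(r => r.value === value)[0];
      if (!role) throw new Error(uri + " does not define app role " + value);
      const assignment = tenant.roleAssignments.filter(a =>
        a.principalId === app.id && a.resourceId === resource.id && a.appRoleId === role.id)[0];
      if (!assignment) throw new Error(app.displayName + " is not assigned " + uri + "/" + value);
      changes.push({ method: "DELETE", path: "/servicePrincipals/" + app.id + "/appRoleAssignments/" + assignment.id });
    }
  }
  return changes;
}

// Constructed tenant: two resources that both expose Sites.FullControl.All and two clients with the same name.
const sampleTenant: Tenant = {
  servicePrincipals: [
    { id: "sp-graph", appId: "app-graph", displayName: "Microsoft Graph",
      servicePrincipalNames: ["https://graph.microsoft.com"], appRoles: [{ id: "role-1", value: "Sites.FullControl.All" }] },
    { id: "sp-spo", appId: "app-spo", displayName: "Office 365 SharePoint Online",
      servicePrincipalNames: ["https://microsoft.sharepoint-df.com"], appRoles: [{ id: "role-2", value: "Sites.FullControl.All" }] },
    { id: "sp-client-1", appId: "f1417aa3-bf0b-4cc5-a845-a0b2cf11f690", displayName: "Contoso App", servicePrincipalNames: [], appRoles: [] },
    { id: "sp-client-2", appId: "client-2", displayName: "Contoso App", servicePrincipalNames: [], appRoles: [] },
  ],
  grants: [{ id: "grant-1", clientId: "sp-client-1", resourceId: "sp-graph", scope: "User.Read Agreement.Read.All" }],
  roleAssignments: [
    { id: "ra-1", principalId: "sp-client-1", resourceId: "sp-graph", appRoleId: "role-1" },
    { id: "ra-2", principalId: "sp-client-1", resourceId: "sp-spo", appRoleId: "role-2" },
  ],
};

const targetApp = resolveApp(sampleTenant, { appId: "f1417aa3-bf0b-4cc5-a845-a0b2cf11f690" });
const plan = planRemoval(sampleTenant, targetApp,
  parsePermissions("https://graph.microsoft.com/Agreement.Read.All"),
  parsePermissions("https://graph.microsoft.com/Sites.FullControl.All https://microsoft.sharepoint-df.com/Sites.FullControl.All"));
console.log(JSON.stringify(plan, null, 2));
```

The planner never calls Graph; it returns the request list so a caller can review it, which is also where a `--force` confirmation would sit. Removing the last delegated scope deletes the grant object instead of patching `scope` to an empty string, and an unqualified entry or a permission the app was never granted fails before any request is built.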

Let's open this up if no one has additional comments...

martinlingstuyl avatar Mar 31 '24 12:03 martinlingstuyl

LGTM. The new command brings a lot more clarity than the ones we already have 👍. Some small comments from my side:

  • We are missing the force option, since this is a remove-type command.
  • Usually we do comma-separated, not space-separated, lists, right? Why change?

Adam-it avatar Apr 05 '24 22:04 Adam-it