Merge pull request #205346 from omondiatieno/add-msgraph-cmdlets

v-regandowner · web-flow · commit a859f24806c5 · 2022-07-22T12:05:40.000-04:00
add microsoft graph cmdlets
diff --git a/articles/active-directory/manage-apps/manage-application-permissions.md b/articles/active-directory/manage-apps/manage-application-permissions.md
@@ -11,7 +11,7 @@ ms.topic: how-to
 ms.date: 10/23/2021
 ms.author: jawoods
 ms.reviewer: phsignor
-
+zone_pivot_groups: enterprise-apps-minus-graph
 ms.collection: M365-identity-device-management
 
 #customer intent: As an admin, I want to review permissions granted to applications so that I can restrict suspicious or over privileged applications.
@@ -32,10 +32,11 @@ To review permissions granted to applications, you need:
 - One of the following roles: Global Administrator, Cloud Application Administrator, Application Administrator.
 - A Service principal owner who isn't an administrator is able to invalidate refresh tokens.
 
+## Review application permissions
 
-You can access the Azure AD portal to get contextual PowerShell scripts to perform the actions.
+:::zone pivot="portal"
 
-## Review application permissions
+You can access the Azure AD portal to get contextual PowerShell scripts to perform the actions.
 
 To review application permissions:
 
@@ -48,9 +49,11 @@ To review application permissions:
 
 Each option generates PowerShell scripts that enable you to control user access to the application and to review permissions granted to the application. For information about how to control user access to an application, see [How to remove a user's access to an application](methods-for-removing-user-access.md)
 
-## Revoke permissions using PowerShell commands
+:::zone-end
 
-Using the following PowerShell script revokes all permissions granted to this application.
+:::zone pivot="aad-powershell"
+
+Using the following Azure AD PowerShell script revokes all permissions granted to an application.
 
 ```powershell
 Connect-AzureAD
@@ -75,9 +78,6 @@ $spApplicationPermissions | ForEach-Object {
 }
 ```
 
-> [!NOTE]
-> Revoking the current granted permission won't stop users from re-consenting to the application. If you want to block users from consenting, read [Configure how users consent to applications](configure-user-consent.md).
-
 ## Invalidate the refresh tokens
 
 ```powershell
@@ -94,6 +94,51 @@ $assignments | ForEach-Object {
     Revoke-AzureADUserAllRefreshToken -ObjectId $_.PrincipalId
 }
 ```
+:::zone-end
+:::zone pivot="ms-powershell"
+
+Using the following Microsoft Graph PowerShell script revokes all permissions granted to an application.
+
+```powershell
+Connect-MgGraph
+
+# Get Service Principal using objectId
+$sp = Get-MgServicePrincipal -ServicePrincipalID "$ServicePrincipalID"
+
+Example: Get-MgServicePrincipal -ServicePrincipalId '22c1770d-30df-49e7-a763-f39d2ef9b369'
+
+# Get all application permissions for the service principal
+$spOAuth2PermissionsGrants= Get-MgOauth2PermissionGrant -All| Where-Object { $_.clientId -eq $sp.Id }
+
+# Remove all delegated permissions
+$spOauth2PermissionsGrants |ForEach-Object {
+  Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $_.Id
+  }
+``` 
+
+## Invalidate the refresh tokens
+
+```powershell
+Connect-MgGraph
+
+# Get Service Principal using objectId
+$sp = Get-MgServicePrincipal -ServicePrincipalID "$ServicePrincipalID"
+
+Example: Get-MgServicePrincipal -ServicePrincipalId '22c1770d-30df-49e7-a763-f39d2ef9b369'
+
+# Get Azure AD App role assignments using objectID of the Service Principal
+$spApplicationPermissions = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalID $sp.Id -All | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }
+  
+# Revoke refresh token for all users assigned to the application
+  $spApplicationPermissions | ForEach-Object {
+  Remove-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $_.PrincipalId -AppRoleAssignmentId $_.Id
+  }
+```
+
+:::zone-end
+
+> [!NOTE]
+> Revoking the current granted permission won't stop users from re-consenting to the application. If you want to block users from consenting, read [Configure how users consent to applications](configure-user-consent.md).
 
 ## Next steps
 
diff --git a/articles/zone-pivot-groups.yml b/articles/zone-pivot-groups.yml
@@ -1611,7 +1611,12 @@ groups:
     title: Basic/Standard tier
   - id: sc-enterprise-tier
     title: Enterprise tier
-# Owner: jomondi
+########### BEGIN APPLICATION MANAGEMENT
+# Service:       Active Directory (active-directory)
+# Sub-service:   APPLICATION MANAGEMENT(manage-apps)
+# Referenced by: /articles/active-directory/manage-apps/*
+# Owner(s):      jomondi, celested
+## Home realm discovery ##
 - id: home-realm-discovery
   title: hrd-policy
   prompt: Choose an option
@@ -1620,6 +1625,41 @@ groups:
     title: PowerShell
   - id: graph-hrd
     title: Graph
+## Generic how-to doc template
+- id: enterprise-apps
+  title: Manage Enterpise apps
+  prompt: Choose an option
+  pivots:
+  - id: portal
+    title: Azure Portal
+  - id: aad-PowerShell
+    title: Azure AD PowerShell
+  - id: ms-PowerShell
+    title: Microsoft Graph PowerShell
+  - id: ms-graph
+    title: Microsoft Graph
+## Generic how-to doc template without graph
+- id: enterprise-apps-minus-graph
+  title: Manage Enterpise apps
+  prompt: Choose an option
+  pivots:
+  - id: portal
+    title: Azure Portal
+  - id: aad-powershell
+    title: Azure AD PowerShell
+  - id: ms-powershell
+    title: Microsoft Graph PowerShell
+## Create service principal with appId
+- id: enterprise-apps-cli
+  title: Enterpise apps
+  prompt: Choose an option
+  pivots:
+  - id: msgraph-powershell
+    title: Microsoft graph PowerShell
+  - id: ms-graph
+    title: Microsoft Graph
+  - id: azure-cli
+    title: Azure CLI
 # Owner: juliakm
 - id: pipelines-version
   title: Pipelines version
