File this one under stupid error messages.
When you want to remove admin-consented permissions, the Azure AD portal gives you the following script:

```powershell
Connect-AzureAD

# Get Service Principal using objectId
$sp = Get-AzureADServicePrincipal -ObjectId "<replace>"

# Get all delegated permissions for the service principal
$spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true | Where-Object { $_.clientId -eq $sp.ObjectId }

# Remove all delegated permissions
$spOAuth2PermissionsGrants | ForEach-Object {
    Remove-AzureADOAuth2PermissionGrant -ObjectId $_.ObjectId
}

# Get all application permissions for the service principal
$spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }

# Remove all application permissions
$spApplicationPermissions | ForEach-Object {
    Remove-AzureADServiceAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.objectId
}
```
I was using that to remove a single permission by doing:
```powershell
Remove-AzureADOAuth2PermissionGrant -ObjectId "TESVmAZayU2GhokhvsJouXLu4WpFpL1OpQhtSauaXmxb8eDoMoq5T6MXenxZ2o1"
```
This kept throwing the following misleading error:
```text
Remove-AzureADOAuth2PermissionGrant : Error occurred while executing RemoveOAuth2PermissionGrant
Code: Request_UnsupportedQuery
Message: Filter is invalid.
objectId
```
Turns out the issue is not that the filter is invalid. There was a typo in the ObjectId, so if anything it wasn’t finding anything. Fixed the typo and the cmdlet works again!
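Since a mistyped ObjectId surfaces only as that "Filter is invalid" error, it helps to resolve the grant before deleting it. The following is an added example, not the portal's script or the post's own code: it locates the delegated grant for a given client service principal and scope, prints what it found, and only then removes it. The service principal ObjectId and the `User.Read` scope are placeholders; it assumes the AzureAD module is loaded and `Connect-AzureAD` has already been run.

```powershell
# Added example (not from the original post): remove one delegated grant by scope,
# confirming it exists first instead of passing a hand-typed grant ObjectId.
# Assumes the AzureAD module is installed and Connect-AzureAD has already been run.
# "<service-principal-objectId>" and "User.Read" are placeholders to replace.

function Remove-SingleOAuth2Grant {
    param(
        [Parameter(Mandatory)] [string] $ServicePrincipalObjectId,
        [Parameter(Mandatory)] [string] $Scope
    )

    # Resolve the client service principal first; a typo here errors out clearly
    # before anything is touched.
    $sp = Get-AzureADServicePrincipal -ObjectId $ServicePrincipalObjectId
    if (-not $sp) { throw "No service principal with ObjectId '$ServicePrincipalObjectId'" }

    # Pull every delegated grant issued to this client and keep those containing the scope.
    # Scope is a space-separated string, so split it rather than matching a substring.
    $grants = Get-AzureADOAuth2PermissionGrant -All $true |
        Where-Object { $_.ClientId -eq $sp.ObjectId -and (($_.Scope -split ' ') -contains $Scope) }

    if (-not $grants) {
        Write-Warning "No grant for scope '$Scope' found on '$($sp.DisplayName)'; nothing removed."
        return
    }

    foreach ($g in $grants) {
        # Log what is about to be removed so the change is auditable.
        Write-Host ("Removing grant {0}: client={1} resource={2} consent={3} scope='{4}'" -f `
            $g.ObjectId, $g.ClientId, $g.ResourceId, $g.ConsentType, $g.Scope)
        Remove-AzureADOAuth2PermissionGrant -ObjectId $g.ObjectId
    }
}

Remove-SingleOAuth2Grant -ServicePrincipalObjectId "<service-principal-objectId>" -Scope "User.Read"
```

A grant object carries every scope consented for that client/resource pair, so removing it drops all scopes listed in `Scope`, not only the one matched; the logged line shows exactly what went away.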