How can specific Graph API permissions be removed from the Teamflect app in Entra ID?

Manage calendar permissions with ease using Microsoft Entra ID and PowerShell for a seamless user experience.

Written by Livia
Updated over 2 months ago

Introduction

This guide provides step-by-step instructions for Microsoft Administrators on how to manage and remove specific calendar permissions from an application through the Microsoft Entra Identity and Access Management platform. Following these steps will ensure that the permission dialog does not prompt end-users for missing permissions.

Prerequisites

  • You must have administrative access to Microsoft Entra ID.

  • Ensure you have PowerShell installed and are able to run it as an administrator.

Steps

1. Locate the Application

Navigate to the Entra ID portal and select Applications > Enterprise Applications. Search for Teamflect to proceed.

2. Manage Permissions

Click on Permissions for the selected application, then click the Grant Admin Consent button. This action grants the application the necessary permissions and prevents end-users from being prompted to grant permissions.

3. Prepare to Use PowerShell

Open PowerShell with administrative rights. Before running the script, you will need to modify the specific part of the script where the Service Principal ID is defined. Replace the placeholder GUID with the actual Service Principal ID, which can be found on the Overview page of your application in Entra ID.

4. Run the PowerShell Script

Execute the following PowerShell (Run as admin) commands to adjust the application's permissions. You need to change the part marked in bold ("07e33804-5840-4473-860e-fedd2a4aa1be") below:

    # Connect to Microsoft Graph with the necessary scopes
    Connect-MgGraph -Scopes "DelegatedPermissionGrant.ReadWrite.All", "Directory.Read.All"

    # Define the Service Principal ID of your application
    # (the grant's clientId is the service principal's Object ID, not the Application ID)
    $servicePrincipalId = "07e33804-5840-4473-860e-fedd2a4aa1be"

    # Retrieve all OAuth2 Permission Grants associated with your application's Service Principal
    $permissionGrants = Get-MgOauth2PermissionGrant -Filter "clientId eq '$servicePrincipalId'" -All

    # Loop through each permission grant
    foreach ($grant in $permissionGrants) {
        # Split the scopes into an array, dropping empty entries left by extra spaces
        $scopes = @($grant.Scope -split ' ' | Where-Object { $_ })

        # Check if the grant includes Calendars.Read or Calendars.Read.Shared
        if ($scopes -contains "Calendars.Read" -or $scopes -contains "Calendars.Read.Shared") {
            # Work out which scopes remain once the calendar scopes are taken out
            $newScopes = @($scopes | Where-Object { $_ -ne "Calendars.Read" -and $_ -ne "Calendars.Read.Shared" })

            if ($newScopes.Count -eq 0) {
                # If only these scopes are present, remove the entire grant
                Remove-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id
                Write-Output "Removed OAuth2PermissionGrant with Id: $($grant.Id)"
            } else {
                # Otherwise, remove only the specific scopes and update the grant
                $newScopeString = $newScopes -join ' '
                Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $grant.Id -Scope $newScopeString
                Write-Output "Updated OAuth2PermissionGrant with Id: $($grant.Id) to scopes: $newScopeString"
            }
        }
    }

    # End

The GUID marked in bold (07e33804-5840-4473-860e-fedd2a4aa1be) above can be found by going to the Overview page of the Teamflect app in Entra ID.

5. Verify Changes

After completing the steps, navigate back to the Permissions page of the application. The permissions for Calendars.Read and Calendars.Read.Shared should no longer be listed.
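
The same check can be run from PowerShell so that every grant, including consent given by individual users, is covered. This is an added example, not part of the original script: the helper name Find-CalendarScope and the sample grants are constructed for illustration, and the commented lines at the end assume the $servicePrincipalId variable from step 4.

```powershell
# Added example. Find-CalendarScope is a hypothetical helper, not a Graph cmdlet.
# It reports, for each delegated grant, whether any unwanted scope is still present.
function Find-CalendarScope {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Grants,
        [string[]] $Unwanted = @('Calendars.Read', 'Calendars.Read.Shared')
    )
    foreach ($g in $Grants) {
        # Scope strings can carry leading or doubled spaces; drop empty entries
        $scopes = @($g.Scope -split '\s+' | Where-Object { $_ })
        $hits   = @($scopes | Where-Object { $Unwanted -contains $_ })
        [pscustomobject]@{
            GrantId     = $g.Id
            ConsentType = $g.ConsentType   # AllPrincipals = admin consent, Principal = one user
            PrincipalId = $g.PrincipalId   # set only for per-user grants
            StillHas    = $hits -join ' '
            Clean       = ($hits.Count -eq 0)
        }
    }
}

# Constructed sample grants with the same property names as the Graph objects
$sample = @(
    [pscustomobject]@{ Id = 'grant-A'; ConsentType = 'AllPrincipals'; PrincipalId = $null
                       Scope = ' User.Read offline_access' }
    [pscustomobject]@{ Id = 'grant-B'; ConsentType = 'Principal'; PrincipalId = 'user-1'
                       Scope = 'User.Read Calendars.Read' }
)

$report = Find-CalendarScope -Grants $sample
$report | Format-Table -AutoSize

# Any row with Clean = False means a calendar scope survived the cleanup
$leftover = @($report | Where-Object { -not $_.Clean })
Write-Output "Grants still holding calendar scopes: $($leftover.Count)"

# Against the live tenant (read-only, reuses the cmdlets from step 4):
# Connect-MgGraph -Scopes "Directory.Read.All"
# $live = @(Get-MgOauth2PermissionGrant -Filter "clientId eq '$servicePrincipalId'" -All)
# Find-CalendarScope -Grants $live | Where-Object { -not $_.Clean }
```

With the constructed sample, grant-B is reported as not clean because a per-user grant still carries Calendars.Read.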

6. Disable the Meetings Functionality

Finally, it's essential to disable the meetings functionality in Teamflect’s Admin Center. This will prevent users from seeing a warning message about the meetings tab on their homepage, as it will no longer be functional.

By following these detailed instructions, Microsoft Administrators can effectively manage and remove specific calendar permissions, ensuring a streamlined and compliant user experience within their applications.

Need help?

If you have any difficulties along the way, please contact us at [email protected], or reach out to your Customer Success Manager (only in Essential and Professional plans) whose contact info can be found at https://admin.teamflect.com/#/home.
