I had previously connected to the graph with extra scopes.
I disconnected from the graph then reconnected with just "User.Read" permissions, but (Get-MgContext).Scopes returns my previous scopes and I could still get data with Get-MgGroup. Is this expected behaviour?
@MatthewJDavis This is by design. When we make a call to /token to get an access token, AAD will still add all the previously consented permissions into the token.
@peombwa: This is a footgun. I've always thought -Scope sets what scopes/permissions I want for the current session. If I don't plan on doing writes, I choose read-only scopes.
I see now that documentation says "An array of delegated permissions to consent to.".
Still. It's dangerous when users of the Microsoft.Graph module easily can think they can be totally safe from goofups when connected with -Scopes 'Directory.Read.All', but behind the scenes, without knowing it, they have all previously consented scopes too.
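A defensive check for the behaviour discussed above, added here as an example (it is not part of the issue thread or of the Microsoft.Graph module): connect with the scopes you intend to use, then fail closed if the session reports any scope beyond them. The function names Connect-MgGraphStrict and Test-MgScopeSubset are hypothetical; the cmdlets called are the ones shown in the issue.

```powershell
# Returns the scopes in $Effective that were not in $Requested.
# Pure helper so the comparison can be tested without a live connection.
function Test-MgScopeSubset {
    param(
        [Parameter(Mandatory)] [string[]] $Requested,
        [string[]] $Effective = @()
    )
    # Scope names are compared case-insensitively, matching how they are displayed.
    return @($Effective | Where-Object { $_ -notin $Requested })
}

# Connects with exactly the scopes the caller asked for and verifies the session.
# AAD adds every previously consented permission to the token, so the effective
# scopes can be wider than the requested ones; when that happens the session is
# torn down and an error is raised instead of silently keeping write access.
function Connect-MgGraphStrict {
    param(
        [Parameter(Mandatory)] [string[]] $RequestedScopes
    )
    # Start from a clean state, as the issue's reproduction does.
    Disconnect-MgGraph -ErrorAction SilentlyContinue | Out-Null
    Connect-MgGraph -Scopes $RequestedScopes -ForceRefresh | Out-Null

    $effective = (Get-MgContext).Scopes
    $extra = Test-MgScopeSubset -Requested $RequestedScopes -Effective $effective
    if ($extra.Count -gt 0) {
        Disconnect-MgGraph | Out-Null
        throw "Session carried previously consented scopes beyond the requested set: $($extra -join ', ')"
    }
    return $effective
}

# Usage: only User.Read is intended for this session.
# Connect-MgGraphStrict -RequestedScopes 'User.Read'
```

Failing the connection does not narrow what has been consented; the extra scopes will be added to the token again on the next connect, so the check only prevents running with more access than intended.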
Hello,
I had previously connected to the graph with extra scopes.
I disconnected from the graph then reconnected with just "User.Read" permissions, but (Get-MgContext).Scopes returns my previous scopes and I could still get data with Get-MgGroup. Is this expected behaviour?
Example:
Disconnect-MgGraph
Connect-MgGraph -Scopes "User.Read" -ForceRefresh
(Get-MgContext).Scopes
Please let me know if you need any more information.
Thanks!
PS / Graph info:
Microsoft.Graph version: 1.4.2
PSVersion 7.1.3
PSEdition Core
GitCommitId 7.1.3
OS Microsoft Windows 10.0.19042
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
AB#8636