Should previous scopes show in new session started with Connect-MgGraph?

[MatthewJDavis]

Hello,

I had previously connected to the graph with extra scopes.
I disconnected from the graph the reconnected with just "User.Read" permissions but (Get-MgContext).Scopes returns my previous scopes and I could still get data with Get-MgGroup, is this expected behaviour?

Disconnect-MgGraph
Connect-MgGraph -Scopes "User.Read" -ForceRefresh
(Get-MgContext).Scopes

Example:

Please let me know if you need any more information.

Thanks!

PS / Graph info:

Microsoft.Graph version: 1.4.2

PSVersion 7.1.3
PSEdition Core
GitCommitId 7.1.3
OS Microsoft Windows 10.0.19042
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
AB#8636

[peombwa]

@MatthewJDavis This is by design. When we make a call to /token to get an access token, AAD will still add all the previously consented permissions into the token.

[MatthewJDavis]

Hi @peombwa,

Thanks for the information!

[o-l-a-v]

@peombwa: This is a footgun. I've always thought -Scope sets what scopes/permissions I want for current session. If I don't plan on doing writes I chose read only scopes.

I see now that documentation says "An array of delegated permissions to consent to.".

Still. It's dangerous when users of the Microsoft.Graph module easily can think they can be totally safe from goofups when connected with -Scopes 'Directory.Read.All', but behind the scenes, without knowing it, they have all previously consented scopes too.