Sample script: quickly remove SharePoint API permissions


When building SharePoint Framework solutions connected to APIs secured with Azure Active Directory, you might need to clear the list of granted API permissions. Here’s a sample script to quickly clean them up.

#!/usr/bin/env zx
// Suppress zx's echo of each command and its output
$.verbose = false;

console.log('Retrieving granted API permissions...');
// Each entry carries the grant's ObjectId, Resource and Scope
const apiPermissions = JSON.parse(await $`m365 spo sp grant list -o json`);

for (let i = 0; i < apiPermissions.length; i++) {
  const permission = apiPermissions[i];
  console.log(`Removing permission ${permission.Resource}/${permission.Scope} (${permission.ObjectId})...`);
  try {
    // Revoke the grant by its ID; a failure is reported and the loop continues
    await $`m365 spo serviceprincipal grant revoke --grantId ${permission.ObjectId}`;
    console.log(chalk.green('DONE'));
  }
  catch (err) {
    console.error(err.stderr);
  }
}

This script uses CLI for Microsoft 365 and Google zx. To run the script, save it to a file with the .mjs extension. Next, run the script either by calling zx remove-apipermissions.mjs, or by calling ./remove-apipermissions.mjs after making the script executable using chmod +x ./remove-apipermissions.mjs.

Using CLI for Microsoft 365, the script first retrieves the list of granted API permissions. Then, it iterates through them and removes (revokes) each one of them using CLI for Microsoft 365. After running this script, your list of SharePoint API permissions will be empty. Another script to keep around in your toolbox!

Screenshot of an empty list of SharePoint API permissions
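The script above revokes every grant it finds, so when some permissions must stay it helps to compute the revocation plan first and review it before running the CLI. The following is an added example, not part of the original post: it works on a constructed sample shaped like the fields the script reads (ObjectId, Resource, Scope), and the names sampleGrants, key and planRevocation are hypothetical.

```javascript
// Constructed sample with the fields the script above reads from
// `m365 spo sp grant list -o json`. All values are made up.
const sampleGrants = [
  { ObjectId: 'grant-id-0001', Resource: 'Microsoft Graph', Scope: 'User.Read.All' },
  { ObjectId: 'grant-id-0002', Resource: 'Microsoft Graph', Scope: 'Mail.Read' },
  { ObjectId: 'grant-id-0003', Resource: 'Contoso Orders API', Scope: 'user_impersonation' },
  { ObjectId: '', Resource: 'Broken Entry', Scope: 'n/a' },
];

// Hypothetical helper: normalise "Resource/Scope" for case-insensitive comparison.
const key = (resource, scope) => `${resource}/${scope}`.trim().toLowerCase();

// Hypothetical helper: decide what to revoke without calling the CLI.
//   keep - "Resource/Scope" strings that must survive the cleanup
// Returns grant IDs to revoke, grants kept, malformed entries that were
// skipped, and a restore record of the resource/scope pairs being removed.
function planRevocation(grants, keep = []) {
  const keepSet = new Set(keep.map((k) => k.trim().toLowerCase()));
  const plan = { revoke: [], kept: [], skipped: [], restore: [] };
  for (const g of grants) {
    // Never hand an empty or non-string ID to the revoke command.
    if (!g || typeof g.ObjectId !== 'string' || g.ObjectId.trim() === '') {
      plan.skipped.push(g);
      continue;
    }
    if (keepSet.has(key(g.Resource, g.Scope))) {
      plan.kept.push(g);
      continue;
    }
    plan.revoke.push(g.ObjectId);
    plan.restore.push({ resource: g.Resource, scope: g.Scope });
  }
  return plan;
}

// Dry run: print the plan for review instead of revoking anything.
const samplePlan = planRevocation(sampleGrants, ['microsoft graph/user.read.all']);
console.log(JSON.stringify(samplePlan, null, 2));
```

In the zx script, the loop would then iterate over the reviewed revoke list instead of the full result of the grant list command, and the restore record can be saved alongside it.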
