Revoke-EntraBetaMCPServerPermission

Revokes Microsoft MCP Server for Enterprise permissions from specified clients.

Syntax

PredefinedClient (Default)

Revoke-EntraBetaMCPServerPermission
    -ApplicationName <String>
    [-Scopes <String[]>]
    [<CommonParameters>]

CustomClient

Revoke-EntraBetaMCPServerPermission
    -ApplicationId <Guid>
    [-Scopes <String[]>]
    [<CommonParameters>]

Description

The Revoke-EntraBetaMCPServerPermission cmdlet revokes Microsoft MCP Server for Enterprise permissions from a specified client in Microsoft Entra ID. This cmdlet revokes permissions from a predefined MCP client (Visual Studio Code, Visual Studio, ChatGPT, Claude) or from a custom client using its service principal ID.

The cmdlet supports both full permission revocation (removing all granted scopes) and partial revocation (removing specific scopes while keeping others intact). When permissions are partially revoked, the cmdlet returns an OAuth2PermissionGrant object representing the updated permission grant. When all permissions are revoked, the grant is deleted and the cmdlet returns null.

For delegated scenarios, the calling user needs at least one of the following Microsoft Entra roles:

  • Application Administrator
  • Cloud Application Administrator
  • Privileged Role Administrator

Examples

Example 1: Revoke all permissions from Visual Studio Code

Connect-Entra -Scopes 'Application.ReadWrite.All', 'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'
Revoke-EntraBetaMCPServerPermission -ApplicationName 'VisualStudioCode'

This example revokes all Microsoft MCP Server for Enterprise permissions from the Visual Studio Code client.

Example 2: Revoke specific scopes from a predefined client

Connect-Entra -Scopes 'Application.ReadWrite.All', 'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'
$result = Revoke-EntraBetaMCPServerPermission -ApplicationName 'VisualStudioCode' -Scopes 'MCP.User.Read.All', 'MCP.Application.Read.All'

This example revokes specific scopes from the Visual Studio Code client and returns the updated OAuth2PermissionGrant object with the remaining permissions.

Example 3: Revoke permissions from custom MCP client

Connect-Entra -Scopes 'Application.ReadWrite.All', 'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'
Revoke-EntraBetaMCPServerPermission -ApplicationId 'aaaaaaaa-bbbb-cccc-1111-222222222222'

This example revokes all permissions from a custom MCP client using its application ID (GUID format).

Example 4: Revoke specific scopes from custom client

Connect-Entra -Scopes 'Application.ReadWrite.All', 'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'
$grant = Revoke-EntraBetaMCPServerPermission -ApplicationId 'aaaaaaaa-bbbb-cccc-1111-222222222222' -Scopes 'MCP.User.Read.All'

This example revokes the 'MCP.User.Read.All' scope from a custom MCP client and stores the updated grant object.

Example 5: Understanding return values

Connect-Entra -Scopes 'Application.ReadWrite.All', 'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'

# Partial revocation - returns updated OAuth2PermissionGrant object
$partialResult = Revoke-EntraBetaMCPServerPermission -ApplicationName 'VisualStudioCode' -Scopes 'MCP.User.Read.All'
if ($partialResult) {
    Write-Host "Remaining scopes: $($partialResult.Scope)"
}

# Complete revocation - returns null
$completeResult = Revoke-EntraBetaMCPServerPermission -ApplicationName 'VisualStudioCode'
if ($null -eq $completeResult) {
    Write-Host "All permissions have been revoked"
}

This example demonstrates the different return values: an OAuth2PermissionGrant object for partial revocation and null for complete revocation.

Parameters

-ApplicationId

Specifies the application ID (GUID) of a custom MCP client from which to revoke permissions. Must be a valid GUID.

Parameter properties

Type: System.Guid
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

CustomClient
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-ApplicationName

Specifies a predefined MCP client from which to revoke permissions. Valid values are:

  • VisualStudioCode: Visual Studio Code
  • VisualStudio: Visual Studio
  • ChatGPT: ChatGPT
  • Claude: Claude

Parameter properties

Type: System.String
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

PredefinedClient
Position: Named
Mandatory: True
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

-Scopes

Specifies the scopes to revoke. If omitted, all permissions are revoked from the specified client.

Parameter properties

Type: System.String[]
Default value: None
Supports wildcards: False
DontShow: False

Parameter sets

(All)
Position: Named
Mandatory: False
Value from pipeline: False
Value from pipeline by property name: False
Value from remaining arguments: False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Inputs

None

Outputs

Microsoft.Graph.Beta.PowerShell.Models.MicrosoftGraphOAuth2PermissionGrant

When permissions are partially revoked (some scopes remain), the cmdlet returns an OAuth2PermissionGrant object representing the updated permission grant with the remaining scopes.

System.Null

When all permissions are revoked, the permission grant is deleted and the cmdlet returns null.

Notes

  • The cmdlet requires connection to Microsoft Entra with appropriate scopes: 'Application.ReadWrite.All', 'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'.
  • The cmdlet supports both complete permission revocation and selective scope removal.
  • Return Values: The cmdlet returns an OAuth2PermissionGrant object when permissions are partially revoked (some scopes remain), and returns null when all permissions are revoked (grant is deleted).
  • The cmdlet processes one client at a time; use multiple invocations to process multiple clients.
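
Because the cmdlet handles one client per call, removing a scope from every predefined client takes a loop. The following is an added example, not part of the cmdlet's documentation: the helper name Revoke-McpPermissionBatch and its output property names are hypothetical, and since this page does not say how the cmdlet behaves when a client has no grant, errors are caught and reported per client.

```powershell
# Added example (not from the cmdlet documentation). Revoke-McpPermissionBatch and
# the Client/Status/RemainingScopes property names are hypothetical.
function Revoke-McpPermissionBatch {
    param(
        # Predefined client names listed under -ApplicationName on this page.
        [ValidateSet('VisualStudioCode', 'VisualStudio', 'ChatGPT', 'Claude')]
        [string[]] $ApplicationName = @('VisualStudioCode', 'VisualStudio', 'ChatGPT', 'Claude'),

        # Scopes to remove. Omit to revoke every scope, which deletes the grant.
        [string[]] $Scopes
    )

    foreach ($name in $ApplicationName) {
        # One invocation per client; -ErrorAction Stop turns failures into catchable errors.
        $params = @{ ApplicationName = $name; ErrorAction = 'Stop' }
        if ($Scopes) { $params.Scopes = $Scopes }

        try {
            $grant = Revoke-EntraBetaMCPServerPermission @params
            if ($null -eq $grant) {
                # Documented return value: null means the grant was deleted.
                $status    = 'GrantDeleted'
                $remaining = @()
            }
            else {
                # OAuth2PermissionGrant.Scope is a space-separated string of scope names.
                $status    = 'PartiallyRevoked'
                $remaining = @($grant.Scope -split ' ' | Where-Object { $_ })
            }
        }
        catch {
            # Assumption: a missing grant or insufficient role surfaces as an error.
            $status    = "Failed: $($_.Exception.Message)"
            $remaining = $null
        }

        [pscustomobject]@{
            Client          = $name
            Status          = $status
            RemainingScopes = $remaining
        }
    }
}

Connect-Entra -Scopes 'Application.ReadWrite.All', 'Directory.Read.All', 'DelegatedPermissionGrant.ReadWrite.All'
Revoke-McpPermissionBatch -Scopes 'MCP.User.Read.All' | Format-Table -AutoSize
```

Keeping the per-client result objects gives a record of which clients still hold scopes after the change, which is the part to review before closing out an access cleanup.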