I have defined a multi-tenant API in Microsoft Entra. A client can then give permissions via the OAuth redirect to my organisation. Is there any way, once I have completed my task on their tenancy, that I can revoke the permissions the client has granted me, or do I have to get the client to do that for me? It just feels simpler and less admin hassle for the client.
I have no issue getting the permission using
POST https://login.microsoftonline.com/{tenant_domain}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials
client_id=MY_CLIENT_ID
client_secret=MY_CLIENT_SECRET
scope=https://outlook.office.com/IMAP.AccessAsUser.All
with the access_token being returned via a callback defined in Entra, but I've no idea if it's possible to self-revoke, as it were. It would be really handy! I know there's no way to revoke the access token. Seeing as it's revoking permissions, it wouldn't seem an unreasonable thing security-wise.
There is no way to self-revoke permissions that have been granted to your application by a client in Microsoft Entra. The client must revoke the permissions themselves. This is a security measure to prevent applications from accidentally or maliciously revoking their own access to a client's data.
To make it easier for the client to revoke permissions, you can provide them with a link to the App registrations page in the Microsoft Entra admin center, where they can view and manage all of the applications that have granted admin consent to their tenant.
To do this, you can use the following steps:
Applications > App registrations > All applications.
The client can then use this link to view and manage the permissions that have been granted to your application. To revoke permissions, they can simply uncheck the boxes for the permissions that they want to revoke and then click the Save button.
You may also want to consider using a consent management platform (CMP) to make it easier for clients to manage the permissions that they have granted to applications. A CMP is a third-party service that provides a centralized view of all of the applications that have granted consent to a client's tenant. Clients can then use the CMP to easily revoke permissions for individual applications or groups of applications.
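Added example (not part of the question or the answer above): what the client-side revocation actually operates on, in code. In the customer tenant the consent is recorded on that tenant's service principal for the multi-tenant app (the object listed under Enterprise applications): delegated scopes such as IMAP.AccessAsUser.All are oauth2PermissionGrant objects (consentType "AllPrincipals" for tenant-wide admin consent, "Principal" for a single user's consent), and application permissions are appRoleAssignment objects on the service principal. Deleting those objects, or the service principal itself, via Microsoft Graph is the revocation. The script below is written for an administrator in the customer tenant, not for the application: the token the app obtains with client_credentials carries only what the customer consented to, which will not include Application.ReadWrite.All, DelegatedPermissionGrant.ReadWrite.All or AppRoleAssignment.ReadWrite.All, so the app cannot run this against itself. The tenant state in `sample_tenant_state()` is constructed for the example; the Graph endpoints are the documented v1.0 ones; the environment variable names and the `--`-free flags (REVOKE, DELETE_SP) are this example's own conventions.

```python
"""Plan and optionally execute revocation of a multi-tenant app's consent in a
customer tenant via Microsoft Graph. Added example for this thread; a customer
tenant admin runs it with a Graph token that holds the permissions named below.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Optional

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample data: one customer tenant with two enterprise apps.
SAMPLE_APP_ID = "11111111-1111-1111-1111-111111111111"  # the multi-tenant app's client_id (constructed)


def sample_tenant_state():
    """Constructed stand-in for what Graph would return for this tenant."""
    service_principals = [
        {"id": "sp-1111", "appId": SAMPLE_APP_ID, "displayName": "Contoso Mailbox Tool"},
        {"id": "sp-2222", "appId": "22222222-2222-2222-2222-222222222222", "displayName": "Other App"},
    ]
    grants = [  # delegated consent: oauth2PermissionGrant objects
        {"id": "grant-aaa", "clientId": "sp-1111", "consentType": "AllPrincipals", "principalId": None,
         "resourceId": "sp-exo", "scope": "IMAP.AccessAsUser.All"},
        {"id": "grant-bbb", "clientId": "sp-1111", "consentType": "Principal", "principalId": "user-777",
         "resourceId": "sp-graph", "scope": "User.Read"},
        {"id": "grant-ccc", "clientId": "sp-2222", "consentType": "AllPrincipals", "principalId": None,
         "resourceId": "sp-graph", "scope": "Mail.Read"},
    ]
    role_assignments = [  # application permissions: appRoleAssignment objects
        {"id": "ra-ddd", "principalId": "sp-1111", "resourceId": "sp-graph", "appRoleId": "role-mail-read-all"},
        {"id": "ra-eee", "principalId": "sp-2222", "resourceId": "sp-graph", "appRoleId": "role-user-read-all"},
    ]
    return service_principals, grants, role_assignments


def find_service_principal(app_id: str, service_principals: list) -> Optional[dict]:
    """Locate the tenant's service principal for the app (matched on appId, not object id)."""
    for sp in service_principals:
        if sp.get("appId", "").lower() == app_id.lower():
            return sp
    return None


def summarize_consent(sp: dict, grants: list, role_assignments: list) -> dict:
    """Split what the tenant granted this app into tenant-wide delegated, per-user delegated, and application roles."""
    mine = [g for g in grants if g.get("clientId") == sp["id"]]
    return {
        "tenant_wide_delegated": sorted(s for g in mine if g["consentType"] == "AllPrincipals" for s in g["scope"].split()),
        "user_delegated": sum(1 for g in mine if g["consentType"] == "Principal"),
        "application_roles": sorted(ra["appRoleId"] for ra in role_assignments if ra.get("principalId") == sp["id"]),
    }


def plan_revocation(sp: dict, grants: list, role_assignments: list, delete_service_principal: bool = False) -> list:
    """Return the Graph DELETE requests that revoke this app's consent in the tenant.

    Deleting the service principal removes every grant and role assignment at once and
    stops the app obtaining new tokens for this tenant; otherwise delete the individual
    grants (delegated) and app role assignments (application permissions).
    """
    sp_id = sp["id"]
    if delete_service_principal:
        return [("DELETE", f"{GRAPH}/servicePrincipals/{sp_id}")]
    plan = []
    for g in grants:
        if g.get("clientId") == sp_id:  # grants where this app is the *client*, not the resource
            plan.append(("DELETE", f"{GRAPH}/oauth2PermissionGrants/{g['id']}"))
    for ra in role_assignments:
        if ra.get("principalId") == sp_id:
            plan.append(("DELETE", f"{GRAPH}/servicePrincipals/{sp_id}/appRoleAssignments/{ra['id']}"))
    return plan


def graph_get_all(url: str, token: str) -> list:
    """GET a Graph collection, following @odata.nextLink paging."""
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


if __name__ == "__main__":
    # Live mode: GRAPH_TOKEN is a customer-tenant admin token, APP_ID the app's client_id.
    token, app_id = os.environ["GRAPH_TOKEN"], os.environ["APP_ID"]
    flt = urllib.parse.quote(f"appId eq '{app_id}'")
    sp = find_service_principal(app_id, graph_get_all(f"{GRAPH}/servicePrincipals?$filter={flt}", token))
    if sp is None:
        raise SystemExit("No service principal for that appId in this tenant: nothing to revoke.")
    grants = graph_get_all(f"{GRAPH}/servicePrincipals/{sp['id']}/oauth2PermissionGrants", token)
    ras = graph_get_all(f"{GRAPH}/servicePrincipals/{sp['id']}/appRoleAssignments", token)
    print(json.dumps(summarize_consent(sp, grants, ras), indent=2))
    for method, url in plan_revocation(sp, grants, ras, delete_service_principal=os.environ.get("DELETE_SP") == "1"):
        print(method, url)
        if os.environ.get("REVOKE") == "1":  # dry run unless explicitly asked to execute
            req = urllib.request.Request(url, method=method, headers={"Authorization": f"Bearer {token}"})
            with urllib.request.urlopen(req) as resp:
                print("  ->", resp.status)
```

Two caveats for whoever runs it. Revoking consent does not invalidate access tokens the app has already been issued; they stay usable until they expire, so on the provider side the right habit is to stop using the credentials as soon as the task is done rather than wait for the customer to revoke. And the token needs the admin-side Graph permissions named in the lead-in (or an equivalent directory role); an app attempting this with its own client_credentials token for the customer tenant gets 403, which is exactly the "no self-revoke" behaviour the answer describes.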