Skip to main content

aad oauth2grant list

Lists OAuth2 permission grants for the specified service principal


m365 aad oauth2grant list [options]


-i, --spObjectId <spObjectId>

objectId of the service principal for which the configured OAuth2 permission grants should be retrieved

-h, --help [help]

Output usage information. Optionally, specify which section of command's help you want to see. Allowed values are options, examples, remarks, response, full. Default is options.

--query [query]

JMESPath query string. See for more information and examples.

-o, --output [output]

Output type. json, text, csv, md, none. Default json.


Runs command with verbose logging.


Runs command with debug logging.


In order to list existing OAuth2 permissions granted to a service principal, you need its objectId. You can retrieve it using the aad sp get command.

When using the text output type (default), the command lists only the values of the objectId, resourceId and scope properties of the OAuth grant. When setting the output type to JSON, all available properties are included in the command output.


List OAuth2 permissions granted to service principal with objectId b2307a39-e878-458b-bc90-03bc578531d6.

m365 aad oauth2grant list --spObjectId b2307a39-e878-458b-bc90-03bc578531d6


"clientId": "283f45c9-6b6f-4d15-a7b8-da2c2f3f6e67",
"consentType": "AllPrincipals",
"id": "yUU_KG9rFU2nuNosLz9uZ0SVQmWC1_RCvP7NnEv1Zus",
"principalId": null,
"resourceId": "65429544-d782-42f4-bcfe-cd9c4bf566eb",
"scope": "Mail.Read Mail.Send"

More information