
Update API Permissions

As an owner of a Microsoft Entra application, you can add or remove delegated and application permissions directly in Resource Admin. EmpowerID handles the API updates in Entra ID on your behalf.

In this article, you’ll learn how to:

  • Remove outdated API permissions
  • Add new delegated or application permissions
  • Review and submit changes

What You’ll Need

Requirement | Description
Access to Resource Admin | You must be signed in to the EmpowerID Resource Admin portal.
Application Ownership | You must be the owner or a delegated administrator of the application.

Steps to Update API Permissions

1. Open the Application Overview Page

  1. Log in to Resource Admin.
  2. In the Resource Type menu, select Applications.
  3. Search for and select the Microsoft Entra application you want to update.
  4. Click the Details button for the application.
    This opens the application Overview page.

2. Remove Existing API Permissions from the Grid (Optional)

You can quickly remove individual permissions directly from the API Permissions grid.

  1. In the left application menu, click API Permissions.
  2. Locate the permission you want to remove.
  3. Click the Delete button.
  4. Click Delete to confirm.

Note: This method is useful for removing individual permissions without launching the full update workflow.

3. Launch the Update API Permissions Workflow

  1. On the API Permissions tab, click the Add API Permission button at the top of the grid.
    This opens the Update Azure App API Permissions workflow with the application pre-selected.

4. Remove Permissions via the Workflow

If the application has existing permissions, the workflow displays them for removal.

  1. For each permission you want to remove, toggle the button from Selected to Remove.
  2. Click Next to proceed.

Note: If the application has no existing permissions, this step is skipped automatically.

5. Add Delegated API Permissions (Optional)

Delegated permissions allow access on behalf of signed-in users.

  1. In the Application APIs pane, search or browse for the API (e.g., Microsoft Graph).
  2. Select the API to load its delegated permissions.
  3. Select the permissions you want to add.
  4. Click Next to continue.

Note: You may click Next without selecting any permissions to skip this step.

6. Add Application API Permissions (Optional)

Application permissions allow the application to access the API as itself, without a signed-in user (non-interactive background access).

  1. In the Application APIs pane, search or browse for the API (e.g., Microsoft Graph).
  2. Select the API to load its application permissions.
  3. Select the permissions you want to add.
  4. Click Next to continue.

Note: This step is optional. Click Next if no application permissions are needed.

7. Provide Justifications (If Required)

Depending on your organization's configuration, you may be prompted to provide a justification.

  1. Fill out any required fields.
  2. Click Next to continue.

8. Review and Submit

  1. On the Summary screen, review all selected changes.
  2. Click Submit to finalize the updates in Microsoft Entra ID.

What Happens Next

  • EmpowerID applies all selected changes to Microsoft Entra ID.
  • Permissions are added or removed as defined.
  • All actions are logged in the EmpowerID audit trail for auditing and compliance.
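
A check an application owner can run after submitting, added here as an example and not EmpowerID or Microsoft code: it compares two snapshots of the Entra application's requiredResourceAccess (taken before and after the workflow) with the changes approved on the Summary screen. The snapshots, the placeholder permission IDs and the function names are constructed for illustration; it assumes the snapshots were exported from the application object in Entra ID.

```python
import json

# Entra ID keeps an app registration's requested permissions in requiredResourceAccess:
# type "Scope" is a delegated permission, type "Role" is an application permission.
KIND = {"Scope": "delegated", "Role": "application"}
GRAPH = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph resourceAppId

def flatten(app):
    """Return the set of (resourceAppId, permission id, kind) for an application object."""
    return {(r["resourceAppId"], a["id"], KIND.get(a["type"], a["type"]))
            for r in app.get("requiredResourceAccess", [])
            for a in r.get("resourceAccess", [])}

def verify(before, after, approved_add, approved_remove):
    """Compare snapshots taken before/after the workflow with the approved change set."""
    old, new = flatten(before), flatten(after)
    added, removed = new - old, old - new
    return {
        "added": sorted(added),
        "removed": sorted(removed),
        # Changes present in Entra ID that were not approved on the Summary screen.
        "unapproved": sorted((added - approved_add) | (removed - approved_remove)),
        # Approved changes that did not reach Entra ID.
        "not_applied": sorted((approved_add - added) | (approved_remove - removed)),
        # Application permissions work without a signed-in user, so list them separately.
        "new_application_permissions": sorted(p for p in added if p[2] == "application"),
    }

# Constructed sample data: these permission IDs are placeholders, not real Graph IDs.
P_KEEP = "11111111-0000-0000-0000-000000000000"
P_OLD = "22222222-0000-0000-0000-000000000000"
P_APP = "33333333-0000-0000-0000-000000000000"
P_EXTRA = "44444444-0000-0000-0000-000000000000"
BEFORE = {"requiredResourceAccess": [{"resourceAppId": GRAPH, "resourceAccess": [
    {"id": P_KEEP, "type": "Scope"}, {"id": P_OLD, "type": "Scope"}]}]}
AFTER = {"requiredResourceAccess": [{"resourceAppId": GRAPH, "resourceAccess": [
    {"id": P_KEEP, "type": "Scope"}, {"id": P_APP, "type": "Role"},
    {"id": P_EXTRA, "type": "Scope"}]}]}

def demo():
    """Approved: add one application permission, remove one outdated delegated one."""
    return verify(BEFORE, AFTER,
                  approved_add={(GRAPH, P_APP, "application")},
                  approved_remove={(GRAPH, P_OLD, "delegated")})

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A non-empty "unapproved" or "not_applied" list is the cue to compare against the EmpowerID audit trail entry for the submission.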