Anthropic-Cybersecurity-Skills/skills/performing-oauth-scope-minimization-review/references/api-reference.md

API Reference: OAuth Scope Minimization Review

Microsoft Graph API

Endpoint	Method	Description
/v1.0/servicePrincipals	GET	List enterprise applications
/v1.0/oauth2PermissionGrants	GET	List delegated permission grants
/v1.0/oauth2PermissionGrants/{id}	PATCH	Update (reduce) grant scopes
/v1.0/oauth2PermissionGrants/{id}	DELETE	Revoke entire grant
/v1.0/servicePrincipals/{id}/appRoleAssignments	GET	Application permission assignments
/v1.0/auditLogs/signIns	GET	Sign-in activity for usage analysis

Authentication

POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
grant_type=client_credentials
client_id=<app_id>
client_secret=<secret>
scope=https://graph.microsoft.com/.default

Required Permissions

Permission	Type	Purpose
Application.Read.All	Application	Read service principals
OAuth2PermissionGrant.ReadWrite.All	Application	Read/modify grants
AuditLog.Read.All	Application	Read sign-in usage data

Scope Risk Classification

Risk Level	Review Frequency	Examples
Critical	Monthly	Directory.ReadWrite.All, Mail.ReadWrite
High	Quarterly	Mail.Read, Files.Read.All, User.Read.All
Medium	Semi-annually	Calendars.Read, Files.ReadWrite
Low	Annually	User.Read, openid, profile, email

Python Libraries

Library	Version	Purpose
requests	>=2.28	Microsoft Graph API HTTP requests

References

• Microsoft Graph permissions: https://learn.microsoft.com/en-us/graph/permissions-reference
• OAuth2PermissionGrant resource: https://learn.microsoft.com/en-us/graph/api/resources/oauth2permissiongrant
• Entra admin consent: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/configure-admin-consent-workflow