Extend spo sp grant revoke with scope

[waldekmastykarz]

Extends spo sp grant revoke with scope so that it's possible not only to remove the whole grant but also a specific scope.

Originally posted by @waldekmastykarz in #5055 (comment)

[waldekmastykarz]

The underlying CSOM API SPOWebAppServicePrincipalPermissionGrant.DeleteObject() only supports removing the whole grant, rather than a specific scope. To remove just a specific scope, we'd have to look into the ability of updating scopes

[waldekmastykarz]

The Scope property of a grant seems to be only a getter. With that, it seems that we won't be able to use CSOM to update scopes. We'd have to look some more into other options that we could potentially use for this.

[waldekmastykarz]

OK, the following code seems to be working:

var ctx = new ClientContext("https://contoso-admin.sharepoint.com");
ctx.ExecutingWebRequest += (sender, e) => {
    e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + accessToken;
};
var grantId = "abc";
var scopeToRevoke = "Mail.Read";

var sp = new SPOWebAppServicePrincipal(ctx);
var grantMgr = sp.GrantManager;
var grant = sp.PermissionGrants.GetByObjectId(grantId);
ctx.Load(grant);
ctx.ExecuteQuery();
grantMgr.Remove(grant.ClientId, grant.Resource, scopeToRevoke);
ctx.ExecuteQuery();