Created
February 16, 2022 14:08
-
-
Save astaykov/e8f697d9139b115eeb235d85f3b8d903 to your computer and use it in GitHub Desktop.
Check application permissions assigned on a managed identity
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # First, get the service principal object of the managed identity | |
| # you can directly use the object, as it will be displayed on the managed identity properties | |
| $miSP = Get-AzureADServicePrincipal -ObjectId 836955bf-0fe8-4b25-b1af-d1119558eec7 | |
| # EXAMPLE: Ge thte Microsoft Graph service principal | |
| # Note: the special GUID 00000003-0000-0000-c000-000000000000 is the application ID of Microsoft Graph | |
| $graphSP = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'" | |
| # the following command will get all app role assignments that our managed identity has been consented | |
| # Note, that since we are talking about managed identity, only application permissions are applicable | |
| $assignedAppRoles = Get-AzureADServiceAppRoleAssignedTo -ObjectId $miSP.ObjectId | |
| # now let's loop through all the role assignments and print out the MS Graph ones | |
| foreach($roleAssignment in $assignedAppRoles) | |
| { | |
| if($roleAssignment.ResourceId -eq $graphSP.ObjectId) | |
| { | |
| $role = $graphSP.AppRoles | ?{ $_.Id -eq $roleAssignment.Id } | |
| [string]::Format("{0} ({1})",$role.Value,$role.DisplayName) | |
| } | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment