Created
November 9, 2021 03:06
-
-
Save svarukala/503dba34a8f5e805d770be682a66ad33 to your computer and use it in GitHub Desktop.
Get the delegated and application permissions for a given Azure AD App. The output clearly shows the roles and scopes (e.g. All.Sites.Manage, Mail.Read etc.) along with display names and resource (e.g. EXO, SPO etc.) information.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All","Application.Read.All", "Application.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All", "Directory.AccessAsUser.All" | |
| #Get-Command -Module Microsoft.Graph* *serviceprincipal* | |
| #Get-MgUser | |
| #Use below if you have exact name to get the service principal of the AAD application | |
| $azureAdAppName = "MGT-App" | |
| $sp = Get-MgServicePrincipal -Filter "DisplayName eq '$azureAdAppName'" | |
| #Use below if you have partial name to get the service principal of the AAD application | |
| #$sp = Get-MgServicePrincipal -Search "DisplayName:MGT" -ConsistencyLevel "eventual" | |
| #Use beloow if you have the Azure AD app ID to get the service principal of the AAD application | |
| #$sp = Get-MgServicePrincipal -Filter "AppId eq '<Azure AD App ID>'" | |
| $permissions = @() | |
| #Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id | select ResourceId, ConsentType, PrincipalId, Scope | |
| $oAuth2PermGrants = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id | |
| $oAuth2PermGrants | %{ | |
| $resourceSP = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId | |
| $userPrincipal = $_.ConsentType -eq "Principal" ? (Get-MgUser -UserId $_.PrincipalId) : $null | |
| $permissions += [PSCustomObject] @{ | |
| "PermissionType" = "Delegated" | |
| "AADAppName" = $sp.DisplayName | |
| #"AADAppId" = $sp.AppId | |
| "Resource" = $resourceSP.DisplayName | |
| #"ResourceId" = $resourceSP.Id | |
| "Scope" = $_.Scope | |
| "ConsentType" = $_.ConsentType | |
| "PrincipalType" = "User" | |
| "UPN" = $userPrincipal -ne $null ? $userPrincipal.UserPrincipalName : "NA" | |
| "PrincipalId" = $userPrincipal -ne $null ? $userPrincipal.Id : "NA" | |
| } | |
| } | |
| $appRoles = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id | |
| $appRoles | %{ | |
| $resourceSP = Get-MgServicePrincipal -ServicePrincipalId $_.ResourceId | |
| $appRoleInfo = $resourceSP.AppRoles | where Id -eq $_.AppRoleId | |
| $permissions += [PSCustomObject] @{ | |
| "PermissionType" = "Application" | |
| "AADAppName" = $sp.DisplayName | |
| #"AADAppId" = $sp.AppId | |
| "Resource" = $resourceSP.DisplayName | |
| #"ResourceId" = $resourceSP.Id | |
| "Scope" = $appRoleInfo.Value | |
| "ConsentType" = "NA" | |
| "PrincipalType" = $_.PrincipalType | |
| "UPN" = "NA" | |
| "PrincipalId" = $_.PrincipalId | |
| } | |
| } | |
| #Show permission details | |
| $permissions | FT -AutoSize | |
| #Export permision details to a csv file | |
| #$permissions | Export-Csv -Path "AppsInventory.csv" -NoTypeInformation |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment