Last active
November 28, 2022 14:14
-
-
Save svarukala/f23e6ee03e7516b1520469e9730a4515 to your computer and use it in GitHub Desktop.
This script uses Microsoft Graph PowerShell SDK. It is helpful to identify and inventorize all the Azure AD Applications registered in your tenant. The script enumerates the KeyCredentials (Certificates) and PasswordCredentials (Client Secret) keys, expiration dates, owner and other useful information.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All","Application.Read.All", "Application.ReadWrite.All", "Directory.Read.All", "Directory.ReadWrite.All", "Directory.AccessAsUser.All" | |
| $Apps = Get-MgApplication -All | |
| $today = Get-Date | |
| $credentials = @() | |
| $Apps | %{ | |
| $aadAppObjId = $_.Id | |
| $app = Get-MgApplication -ApplicationId $aadAppObjId | |
| $owner = Get-MgApplicationOwner -ApplicationId $aadAppObjId | |
| $app.KeyCredentials | %{ | |
| #write-host $_.KeyId $_.DisplayName | |
| $credentials += [PSCustomObject] @{ | |
| CredentialType = "KeyCredentials"; | |
| DisplayName = $app.DisplayName; | |
| AppId = $app.AppId; | |
| ExpiryDate = $_.EndDateTime; | |
| StartDate = $_.StartDateTime; | |
| #KeyID = $_.KeyId; | |
| Type = $_.Type; | |
| Usage = $_.Usage; | |
| Owners = $owner.AdditionalProperties.userPrincipalName; | |
| Expired = if(([DateTime]$_.EndDateTime) -lt $today) {"yes"} else{ "No"}; | |
| } | |
| } | |
| $app.PasswordCredentials | %{ | |
| #write-host $_.KeyId $_.DisplayName | |
| $credentials += [PSCustomObject] @{ | |
| CredentialType = "PasswordCredentials"; | |
| DisplayName = $app.DisplayName; | |
| AppId = $app.AppId; | |
| ExpiryDate = $_.EndDateTime; | |
| StartDate = $_.StartDateTime; | |
| #KeyID = $_.KeyId; | |
| Type = 'NA'; | |
| Usage = 'NA'; | |
| Owners = $owner.AdditionalProperties.userPrincipalName; | |
| Expired = if(([DateTime]$_.EndDateTime) -lt $today) {"yes"} else{ "No"}; | |
| } | |
| } | |
| } | |
| $credentials | FT -AutoSize | |
| # Optionally export to a CSV file | |
| #$credentials | Export-Csv -Path "AppsInventory.csv" -NoTypeInformation |
getmgapplication.ps1:40 char:63
- ... Expired = (([DateTime]$_.EndDateTime) -lt $today) ? "Yes" : ...
-
~
Unexpected token '?' in expression or statement.
getmgapplication.ps1:40 char:62
-
Expired = (([DateTime]$_.EndDateTime) -lt $today) ? "Yes" ... -
~
The hash literal was incomplete.
I have changed that line to :
Expired = if(([DateTime]$_.EndDateTime) -lt $today) {"yes"} else{ "No"};
works as a charm now for me in PS 5.1
Is there a way to do this for Enterprise Applications?
Is it possible to do this with C# or python.. like need to implement this in web application level
@ashmsport yes, see this: https://dev.to/svarukala/manage-azure-ad-enterprise-applications-permissions-using-microsoft-graph-powershell-222m
@amlijupnandanan yes, you must use MS Graph rest endpoint. The above script essentially doing the same except it's using PS.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
works only in powershell 7, right?