@watahani
Last active December 27, 2019 09:22
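# Get all OAuth scopes
#
# Enumerates every OAuth2 permission grant (delegated consent) in the tenant,
# resolves the client and resource service principals and, for per-user
# consents, the consenting user's UPN, then writes one row per grant to
# servicePrincipalScope.csv in the current directory.
#
# Intended use: reviewing which applications hold which delegated scopes, who
# consented (admin-wide vs. a single user) and whether the app registration is
# owned by this tenant (AppOwnerTenantId / PublisherName) — the data needed to
# spot over-privileged or unexpected third-party consents.
#
# Caveats:
#   - Only delegated (OAuth2) grants are listed. Application permissions are
#     app-role assignments on the resource service principal and are not
#     covered here (see Get-AzureADServiceAppRoleAssignment).
#   - Requires an existing Connect-AzureAD session able to read service
#     principals, users and OAuth2 permission grants.
#   - The output contains UPNs and the tenant's application inventory.
try {
    $allAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true
    $allServicePrincipals = Get-AzureADServicePrincipal -All $true
    $allUsers = Get-AzureADUser -All $true

    # Index by ObjectId once so each grant costs a hashtable lookup instead of
    # a Where-Object scan over every service principal / user (that was
    # O(grants x principals) and noticeably slow on large tenants).
    $spById = @{}
    foreach ($principal in $allServicePrincipals) {
        $spById[$principal.ObjectId] = $principal
    }
    $userById = @{}
    foreach ($user in $allUsers) {
        $userById[$user.ObjectId] = $user
    }

    # Safe lookup: returns $null for an empty/unknown id rather than indexing
    # the hashtable with $null.
    $lookup = {
        param($table, $id)
        if ($id -and $table.ContainsKey($id)) { return $table[$id] }
        return $null
    }

    $servicePrincipalScope = New-Object System.Collections.ArrayList

    # Get Service Principal Name
    foreach ($permissions in $allAuth2PermissionsGrants) {
        # Either side may be missing if the object was deleted after the grant
        # was created; keep the row (with empty names) so the dangling grant
        # is still visible in the report instead of silently dropped.
        $sp = & $lookup $spById $permissions.ClientId
        $resource = & $lookup $spById $permissions.ResourceId

        # PrincipalId is populated only for per-user consents; tenant-wide
        # (admin) grants leave it empty, so Upn stays $null for those rows.
        $upn = $null
        if ($permissions.PrincipalId) {
            $consentingUser = & $lookup $userById $permissions.PrincipalId
            if ($consentingUser) {
                $upn = $consentingUser.UserPrincipalName
            }
        }

        $scopeResult = [PSCustomObject]@{
            'DisplayName'         = $sp.DisplayName
            'ObjectId'            = $sp.ObjectId
            'AppId'               = $sp.AppId
            # Tenant that owns the app registration; differs from this tenant
            # for external multi-tenant apps, which deserve closer review.
            'AppOwnerTenantId'    = $sp.AppOwnerTenantId
            'PublisherName'       = $sp.PublisherName
            'ResourceId'          = $permissions.ResourceId
            'ResourceDisplayName' = $resource.DisplayName
            'ConsentType'         = $permissions.ConsentType
            'PrincipalId'         = $permissions.PrincipalId
            'Upn'                 = $upn
            'scope'               = $permissions.Scope
        }
        [void]$servicePrincipalScope.Add($scopeResult)
    }

    # Output csv
    # Select-Object fixes the column order; -NoTypeInformation drops the
    # "#TYPE ..." header line that Windows PowerShell would otherwise emit,
    # which breaks most non-PowerShell CSV consumers.
    $servicePrincipalScope |
        Select-Object DisplayName, ObjectId, AppId, AppOwnerTenantId, PublisherName, ConsentType, Upn, PrincipalId, ResourceDisplayName, ResourceId, scope |
        Export-Csv -NoTypeInformation -Encoding utf8 -LiteralPath "servicePrincipalScope.csv"
}
catch {
    $ErrorMessage = $_.Exception.Message
    # PowerShell strings use backtick escapes; "\n\r" was emitted literally.
    Write-Error "Get Tenant Details failed. Please Check You have permissions or signed in.`r`n$ErrorMessage"
}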
[{"resourceName":"Microsoft Graph","resourceAppId":"409550e3-a27e-4b16-9fad-53062181102c","permissionType":"Delegated","permissionDisplayName":"Sign in and read user profile","permissionDescription":"Allows users to sign-in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.","permissionId":"User.Read","consentType":"Admin","roleOrScopeClaim":"User.Read","principalIds":[null]},{"resourceName":"Microsoft Graph","resourceAppId":"409550e3-a27e-4b16-9fad-53062181102c","permissionType":"Application","permissionDisplayName":"Read directory data","permissionDescription":"Allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.","permissionId":"7ab1d382-f21e-4acd-a863-ba3e13f7da61","consentType":"Admin","roleOrScopeClaim":"Directory.Read.All","principalIds":null},{"resourceName":"Microsoft Graph","resourceAppId":"409550e3-a27e-4b16-9fad-53062181102c","permissionType":"Application","permissionDisplayName":"Read all audit log data","permissionDescription":"Allows the app to read and query your audit log activities, without a signed-in user.","permissionId":"b0afded3-3588-46d8-8b3d-9842eff778da","consentType":"Admin","roleOrScopeClaim":"AuditLog.Read.All","principalIds":null}]