Get all Azure AD Applications, Permissions and Users using Powershell

In this post, I am going to share a PowerShell script to find and retrieve the list of Azure AD integrated apps (Enterprise Applications) together with their API permissions, and to list the users who are authorized to use each app.

In Azure AD, integrated apps (Enterprise Applications) are instances (ServicePrincipal objects), or mirrors, of apps (Application objects) that are generally published in another company's tenant (or in your own tenant). We can use the Get-AzureADServicePrincipal cmdlet to fetch all the integrated apps.

Before proceeding, install the Azure AD PowerShell Module V2 and run the command below to connect the PowerShell module to your tenant:

Connect-AzureAD

By default the Get-AzureADServicePrincipal cmdlet returns all service principal objects; we can filter the result on the Tags property to list only integrated applications.

Get-AzureADServicePrincipal -All:$true | Where-Object { $_.Tags -contains "WindowsAzureActiveDirectoryIntegratedApp" }

The command below returns only a limited set of fields.

Get-AzureADServicePrincipal -All:$true | Where-Object { $_.Tags -contains "WindowsAzureActiveDirectoryIntegratedApp" } |
    Select-Object ObjectId, AppDisplayName, AppId, PublisherName

  • ObjectId – The unique id of the service principal object (ServicePrincipalId). We need this id to get the resources related to the service principal object.
  • AppDisplayName – The name of the application.
  • AppId – The id of the application. The AppId is the same across all related Azure AD objects (the Application object and its ServicePrincipal object). If you are the owner, or the app is registered in your tenant, then you can use the Get-AzureADApplication cmdlet to get the registered apps (Application objects). This id is used as the ClientId when acquiring an access token to access resources.

Get all Delegated Permissions granted to an application

We can use the Get-AzureADServicePrincipalOAuth2PermissionGrant cmdlet to fetch the OAuth delegated permissions that have been granted to the application, either by an end user (user consent) or by an admin user (admin consent).

# Example of picking a service principal id: $ServicePrincipalId = (Get-AzureADServicePrincipal -Top 1).ObjectId
# Provide the ObjectId of your service principal object
$ServicePrincipalId = "5614c8c4-22bb-45c7-9be3-47491152703d"
Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $ServicePrincipalId | Format-List

This command returns OAuth2PermissionGrant objects, which include the following fields.

  • ClientId – The id of the service principal object.
  • ConsentType – Indicates if consent was provided by the administrator (on behalf of the organization) or by an individual. The possible values are AllPrincipals or Principal.
  • ObjectId – Unique id for this object.
  • PrincipalId – If ConsentType is AllPrincipals this value is null, and the consent applies to all users in the organization. If ConsentType is Principal, then this property specifies the id of the user who granted consent, and the consent applies only to that user. You can use this id with the Get-AzureADUser cmdlet to get the user data.
  • ResourceId – Specifies the id of the resource service principal to which access has been granted.
  • Scope – Specifies the value of the scope claim that the resource application should expect in the OAuth 2.0 access token. For example, User.Read.

Get all Application Permissions granted to an application

The Get-AzureADServicePrincipalOAuth2PermissionGrant cmdlet retrieves all delegated permissions for a service principal object, but it cannot retrieve application permissions. Application permission assignments are represented as AppRoleAssignments in the directory, so you can use the Get-AzureADServiceAppRoleAssignedTo cmdlet to list which application permissions (AppRoleAssignments) have been assigned to the service principal object.

$AppPermissions = @()
$ResourceAppHash = @{}
# Provide the ObjectId of your service principal object
$ServicePrincipalId = "5614c8c4-22bb-45c7-9be3-47491152703d"
$AppRoleAssignments = Get-AzureADServiceAppRoleAssignedTo -ObjectId $ServicePrincipalId
$AppRoleAssignments | ForEach-Object {
    $RoleAssignment = $_
    $AppRoles = @()
    If ($ResourceAppHash.ContainsKey($RoleAssignment.ResourceId)) {
        $AppRoles = $ResourceAppHash[$RoleAssignment.ResourceId]
    } Else {
        $AppRoles = (Get-AzureADServicePrincipal -ObjectId $RoleAssignment.ResourceId).AppRoles
        # Store the AppRoles for re-use: most role assignments target the same
        # resource (for example Microsoft Graph).
        $ResourceAppHash[$RoleAssignment.ResourceId] = $AppRoles
    }
    # The Id of the assignment is the id of the app role defined on the resource
    $AppliedRole = $AppRoles | Where-Object { $_.Id -eq $RoleAssignment.Id }
    $AppPermissions += New-Object PSObject -Property @{
        DisplayName  = $AppliedRole.DisplayName
        Roles        = $AppliedRole.Value
        Description  = $AppliedRole.Description
        IsEnabled    = $AppliedRole.IsEnabled
        ResourceName = $RoleAssignment.ResourceDisplayName
    }
}
$AppPermissions | Format-List

Get users who are associated with the application

You can get the list of users who are assigned to the application by using the Get-AzureADServiceAppRoleAssignment cmdlet.

# Provide the ObjectId of your service principal object
$ServicePrincipalId = "5614c8c4-22bb-45c7-9be3-47491152703d"
Get-AzureADServiceAppRoleAssignment -ObjectId $ServicePrincipalId | Select-Object ResourceDisplayName, PrincipalDisplayName
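As an added example that is not part of the original post, the script below combines the three lookups above into one tenant-wide report, so every integrated app's delegated scopes, application permissions and user assignments can be reviewed together (admin-consented scopes and application permissions are the rows to review first). It assumes the AzureAD V2 module with Connect-AzureAD already run; the helper names Get-CachedResourceSP and New-Row and the CSV path are my own.

```powershell
# Added example (not the post's script): one report of delegated permissions,
# application permissions and user assignments for every integrated app.
# Assumes the AzureAD V2 module and that Connect-AzureAD has already been run.
$ResourceCache = @{}   # ResourceId -> resource service principal, avoids repeated lookups
function Get-CachedResourceSP([string]$ResourceId) {   # helper name is my own
    if (-not $ResourceCache.ContainsKey($ResourceId)) {
        $ResourceCache[$ResourceId] = Get-AzureADServicePrincipal -ObjectId $ResourceId
    }
    return $ResourceCache[$ResourceId]
}
function New-Row($App, $Type, $Resource, $Permission, $GrantedTo) {   # helper name is my own
    [PSCustomObject]@{ App = $App.AppDisplayName; AppId = $App.AppId; Type = $Type
                       Resource = $Resource; Permission = $Permission; GrantedTo = $GrantedTo }
}

$Apps = Get-AzureADServicePrincipal -All:$true |
    Where-Object { $_.Tags -contains "WindowsAzureActiveDirectoryIntegratedApp" }

$Report = foreach ($App in $Apps) {
    # Delegated permissions: one row per scope, noting who consented
    foreach ($Grant in Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $App.ObjectId) {
        $Resource = (Get-CachedResourceSP $Grant.ResourceId).AppDisplayName
        $Who = "All users (admin consent)"
        if ($Grant.ConsentType -eq "Principal") {
            $Who = (Get-AzureADUser -ObjectId $Grant.PrincipalId).UserPrincipalName
        }
        foreach ($Scope in ($Grant.Scope -split " " | Where-Object { $_ })) {
            New-Row $App "Delegated" $Resource $Scope $Who
        }
    }
    # Application permissions: match the assignment's Id against the resource's AppRoles
    foreach ($RA in Get-AzureADServiceAppRoleAssignedTo -ObjectId $App.ObjectId) {
        $Role = (Get-CachedResourceSP $RA.ResourceId).AppRoles | Where-Object { $_.Id -eq $RA.Id }
        $Value = "(default access, role id $($RA.Id))"   # Id of all zeros = no specific role
        if ($Role) { $Value = $Role.Value }
        New-Row $App "Application" $RA.ResourceDisplayName $Value "Application identity"
    }
    # Users and groups assigned to the app (the app itself is the resource here)
    foreach ($UA in Get-AzureADServiceAppRoleAssignment -ObjectId $App.ObjectId) {
        $AppRole = $App.AppRoles | Where-Object { $_.Id -eq $UA.Id }
        $RoleName = "(default access)"
        if ($AppRole) { $RoleName = $AppRole.DisplayName }
        New-Row $App "Assignment" $UA.ResourceDisplayName $RoleName "$($UA.PrincipalType): $($UA.PrincipalDisplayName)"
    }
}

$Report | Export-Csv -Path .\AzureAD-AppPermissions.csv -NoTypeInformation
# Review view: permissions granted tenant-wide (admin consent) or to the app's own identity
$Report | Where-Object { $_.Type -eq "Application" -or $_.GrantedTo -like "All users*" } |
    Sort-Object App, Type, Permission | Format-Table App, Type, Resource, Permission, GrantedTo -AutoSize
```

The CSV keeps the full picture for later comparison, so a re-run after a consent change shows exactly which scope or role was added.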
