random-examples/Get-AzureADAppPermissions.ps1 at master · Fortigi/random-examples · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
[CmdletBinding()]
param()

#Connect
Connect-AzureAD

#Create array we will use to gather data into.
[array]$Report = $null

#Get all service principals
Write-Verbose -Message "Retrieving all Azure AD Service Principals"
$SPs = Get-AzureADServicePrincipal -All $true

#Get Application Permissions (access without a user)
Foreach ($SP in $SPs) {
    Write-Verbose -Message "Processing Application Permissions (access without a user) for $($SP.DisplayName)"
    [array]$AppRoles = Get-AzureADServiceAppRoleAssignedTo -ObjectId $SP.ObjectID

    Foreach ($AppRole in $AppRoles) {

        #if the application has a secret or a certificate.. which means it can actually use the permissions without a user being present
        $Resource = Get-AzureADObjectByObjectId -ObjectIds $AppRole.ResourceId
        $Permission = $Resource.AppRoles | Where-Object { $_.id -eq $AppRole.Id }
        $Application = Get-AzureADApplication -All $True | Where-Object { $_.AppId -eq $SP.AppId }

        If ($Application) {

            $Row = New-Object PSObject
            $Row | Add-Member NoteProperty App                          $Application.DisplayName
            $Row | Add-Member NoteProperty Resource                     $AppRole.ResourceDisplayName
            $Row | Add-Member NoteProperty Permission                   $Permission.Value
            $Row | Add-Member NoteProperty SecretEndDate                $Application.PasswordCredentials.EndDate
            $Row | Add-Member NoteProperty CertEndDate                  $Application.KeyCredentials.EndDate
            $Row | Add-Member NoteProperty CreatedDate                  $AppRole.CreationTimestamp
            $Report += $Row
        }
    }
}

#Get Application Roles & Groups (access without a user)
Foreach ($SP in $SPs) {
    Write-Verbose -Message "Processing Application Roles & Groups (access without a user) for $($SP.DisplayName)"

    #if the application has a secret or a certificate.. which means it can actually use the permissions without a user being present
    $Application = Get-AzureADApplication -All $True | Where-Object { $_.AppId -eq $SP.AppId }

    If ($Application) {

        $AppMemberships = Get-AzureADServicePrincipalMembership -ObjectId $SP.ObjectID

        Foreach ($AppMembership in $AppMemberships) {

            $Row = New-Object PSObject
            $Row | Add-Member NoteProperty App                          $Application.DisplayName
            $Row | Add-Member NoteProperty Resource                     $AppMembership.ObjectType
            $Row | Add-Member NoteProperty Permission                   $AppMembership.DisplayName
            $Row | Add-Member NoteProperty SecretEndDate                $Application.PasswordCredentials.EndDate
            $Row | Add-Member NoteProperty CertEndDate                  $Application.KeyCredentials.EndDate
            $Row | Add-Member NoteProperty CreatedDate                  $AppRole.CreationTimestamp
            $Report += $Row
        }
    }
}

$Report