@junecastillote
Last active September 13, 2024 05:58
Get Azure AD Enterprise Apps with EXO and SPO Delegated API Permissions

Get-AppsWithDelegatedSpoExoScope.ps1

This script was created for a specific use case. It retrieves the Azure AD enterprise applications (service principals) that hold delegated permission grants for Exchange Online and SharePoint Online.

Prerequisites

  • Microsoft Graph PowerShell SDK installed

  • Connected to Microsoft Graph PowerShell with Directory.Read.All and Application.Read.All scopes.

      Connect-MgGraph -TenantId TENANT.onmicrosoft.com -Scopes Directory.Read.All,Application.Read.All


Example 1: Get All Enterprise App Service Principals with EXO and SPO Delegated Permissions

  1. Run the script. This example stores the output in the delegated_scopes variable.

    .\Get-AppsWithDelegatedSpoExoScope.ps1 -OutVariable delegated_scopes


  2. Export to CSV. This example exports the result to .\delegated_scopes.csv.

    $delegated_scopes | Export-Csv -NoTypeInformation -Path .\delegated_scopes.csv


Example 2: Get a Specific Enterprise App Service Principal with EXO and SPO Delegated Permissions by Service Principal Id

    .\Get-AppsWithDelegatedSpoExoScope.ps1 -ServicePrincipalId 055a453a-4cd4-4c6a-8049-6b9b9a502d99

Example 3: Get a Specific Enterprise App Service Principal with EXO and SPO Delegated Permissions by Display Name

    .\Get-AppsWithDelegatedSpoExoScope.ps1 -DisplayName MailboxQuotaStatus

```powershell
[CmdletBinding(DefaultParameterSetName = 'Default')]
param (
    [Parameter(ParameterSetName = 'ByServicePrincipalId')]
    [ValidateNotNullOrEmpty()]
    [string]
    $ServicePrincipalId,

    [Parameter(ParameterSetName = 'ByDisplayName')]
    [ValidateNotNullOrEmpty()]
    [string]
    $DisplayName,

    [Parameter(ParameterSetName = 'Default')]
    [switch]
    $All
)

# Get the EXO and SPO resource service principal IDs.
# The ResourceId of an OAuth2 permission grant points at one of these.
$exo_resource_id = (Get-MgServicePrincipal -Filter "DisplayName eq 'Office 365 Exchange Online'").Id
$spo_resource_id = (Get-MgServicePrincipal -Filter "DisplayName eq 'Office 365 SharePoint Online'").Id

switch ($PSCmdlet.ParameterSetName) {
    ByServicePrincipalId {
        # Get a specific service principal object by ID
        try {
            $all_sp = @(Get-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId -ErrorAction Stop)
        }
        catch {
            Write-Error $_.Exception.Message
            return $null
        }
    }
    ByDisplayName {
        # Get a specific service principal object by display name
        try {
            $all_sp = @(Get-MgServicePrincipal -Filter "DisplayName eq '$($DisplayName)'" -ErrorAction Stop)
        }
        catch {
            Write-Error $_.Exception.Message
            return $null
        }
    }
    Default {
        # Get all service principal objects
        $all_sp = @(Get-MgServicePrincipal -All)
    }
}

if ($all_sp.Count -lt 1) {
    return $null
}

$total = $all_sp.Count
for ($i = 0; $i -lt $total; $i++) {
    # Calculate the percentage completed
    $percentComplete = [math]::Round(($i / $total) * 100, 2)

    # Display the progress bar
    Write-Progress -Activity "Processing Service Principals [$($i+1) / $total]" `
        -Status "Processing: $($all_sp[$i].DisplayName)" `
        -PercentComplete $percentComplete

    # Get the delegated permission grants (-All so grants beyond the first page are not missed)
    $delegated_permissions = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $all_sp[$i].Id -All

    # Filter grants for Exchange and SharePoint Online.
    # Scope is a space-separated list of scope names, so it is re-joined with commas.
    $exo_permissions = ($delegated_permissions | Where-Object { $_.ResourceId -eq $exo_resource_id } | Select-Object -Unique Scope).Scope -join "," -replace " ", ","
    $spo_permissions = ($delegated_permissions | Where-Object { $_.ResourceId -eq $spo_resource_id } | Select-Object -Unique Scope).Scope -join "," -replace " ", ","

    # If either Exchange Online or SharePoint Online permissions are found, emit the custom object
    if ($exo_permissions -or $spo_permissions) {
        [PSCustomObject]@{
            DisplayName                          = $all_sp[$i].DisplayName
            Id                                   = $all_sp[$i].Id
            SignInAudience                       = $all_sp[$i].SignInAudience
            ServicePrincipalType                 = $all_sp[$i].ServicePrincipalType
            ExchangeOnlineDelegatedPermissions   = $(if ($exo_permissions) { $exo_permissions } else { 'None' })
            SharePointOnlineDelegatedPermissions = $(if ($spo_permissions) { $spo_permissions } else { 'None' })
        }
    }
}
```
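To act on what the script returns, here is an added triage function (not part of the gist) that splits the comma-joined scope strings the script emits and flags the scopes a reviewer would typically treat as high privilege. The watch lists, the Severity rule and the sample rows are assumptions, not something the gist defines; adjust the lists to your own policy.

```powershell
# Added example, not part of the gist: flag high-privilege delegated scopes in the
# objects emitted by Get-AppsWithDelegatedSpoExoScope.ps1 (or rows re-imported from its CSV).
function Find-HighPrivilegeDelegatedScope {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [PSCustomObject]$InputObject,

        # Assumed watch lists of scope names worth a second look; not exhaustive, adjust to policy.
        [string[]]$ExoWatchList = @('full_access_as_user', 'EWS.AccessAsUser.All', 'Mail.ReadWrite', 'Mail.Send'),
        [string[]]$SpoWatchList = @('AllSites.FullControl', 'AllSites.Write', 'AllSites.Manage')
    )
    process {
        # The script emits a comma-joined scope string, or the literal 'None' when the resource has no grant.
        $exo = @($InputObject.ExchangeOnlineDelegatedPermissions -split ',' | Where-Object { $_ -and $_ -ne 'None' })
        $spo = @($InputObject.SharePointOnlineDelegatedPermissions -split ',' | Where-Object { $_ -and $_ -ne 'None' })

        # -contains is case-insensitive, so casing differences in the grant do not hide a match
        $flaggedExo = @($exo | Where-Object { $ExoWatchList -contains $_ })
        $flaggedSpo = @($spo | Where-Object { $SpoWatchList -contains $_ })

        if ($flaggedExo.Count -gt 0 -or $flaggedSpo.Count -gt 0) {
            [PSCustomObject]@{
                DisplayName             = $InputObject.DisplayName
                Id                      = $InputObject.Id
                FlaggedExchangeScopes   = $flaggedExo -join ','
                FlaggedSharePointScopes = $flaggedSpo -join ','
                # Assumed rule: full mailbox or full site access rates higher than the rest of the watch list
                Severity                = $(if ($flaggedExo -contains 'full_access_as_user' -or $flaggedSpo -contains 'AllSites.FullControl') { 'High' } else { 'Medium' })
            }
        }
    }
}

# Constructed sample rows in the shape the script emits (not data from a real tenant).
$sample = @(
    [PSCustomObject]@{ DisplayName = 'MailboxQuotaStatus'; Id = '11111111-1111-1111-1111-111111111111'
        ExchangeOnlineDelegatedPermissions = 'Mail.Read,full_access_as_user'; SharePointOnlineDelegatedPermissions = 'None' }
    [PSCustomObject]@{ DisplayName = 'ReadOnlyReporting'; Id = '22222222-2222-2222-2222-222222222222'
        ExchangeOnlineDelegatedPermissions = 'Mail.Read'; SharePointOnlineDelegatedPermissions = 'AllSites.Read' }
)

# Pipe the script's objects (or Import-Csv of its CSV export) through the function
$sample | Find-HighPrivilegeDelegatedScope | Format-Table -AutoSize
```

The function also accepts rows from `Import-Csv .\delegated_scopes.csv`, since the column names it reads are the ones the script writes.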