Hello everyone,
I have a task that I can't quite figure out how to perform. Our security department demands to obtain a regularly sent report of Entra ID enterprise applications, along with their owners, and mainly with the permissions the app has been granted.
But, so far it seems to be not that simple. When I use this cmdlet:
Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId XY
I am able to get the Delegated permissions the app received, but I can't figure out how to also get Application permissions, as they are the most important thing our security needs to know about.
When I try for example this
I get the APIs that are being used, but I don't see the scope of permissions that the application itself can use (for example Mail.ReadWrite etc.)
So, has anyone ever tried to come up with a similar thing? Because I have been trying out everything I came up with for two days so far and I am quite desperate.
I also don't know if trying this with the PowerShell module is a viable solution, so I was wondering if maybe web requests towards the Graph API work better, but again, I can't get that to work; when I do for example this
```powershell
$appId = "0f78653b-2b30-47f2-9d09-3c17709f118a"
$endpoint = "https://graph.microsoft.com/v1.0/applications/$appId"
$response = Invoke-MgGraphRequest -Method GET -Uri $endpoint
```
it will just return
```
Invoke-MgGraphRequest : GET https://graph.microsoft.com/v1.0/applications/0f78653b-2b30-47f2-9d09-3c17709f118a
HTTP/1.1 404 Not Found
{"error":{"code":"Request_ResourceNotFound","message":"Resource '0f78653b-2b30-47f2-9d09-3c17709f118a' does not exist or one of its queried reference-property objects are not present.","innerError":{"date":"2024-07-26T14:02:20","request-id":"8819e537-6e29-427e-ae55-26cba2855cd6","client
```
meaning the app is not found at all.
So, any help or hint is appreciated - thank you very much:)
BR,
Tomas
Try to get all Apps first to confirm your Identity is right, I think you need to pick the ID from the app list not the appid property.
Get-MgApplication
Yep, been there,
Graph API Endpoint Issue:
- The error you encountered with the Graph API endpoint (`GET https://graph.microsoft.com/v1.0/applications/0f78653b-2b30-47f2-9d09-3c17709f118a`) indicates that the specified application ID doesn't exist.
- Double-check the application ID (`$appId`) to ensure it's correct.
- If you're trying to retrieve permissions for an application, make sure you're using the correct endpoint. For application permissions, you should use `/servicePrincipals/{id}/appRoleAssignments`.
Hope that helps or puts you in the right area.
Hello @T Crha
I used this, seems to work.
Log in first with Connect-MgGraph and ignore the next prompt with N.
Unless you are missing the packages; I get some errors but the list comes up.
```powershell
Install-Module Microsoft.Graph
# Connect to Microsoft Graph
Connect-MgGraph -Scopes "Application.Read.All", "ServicePrincipal.Read.All"
# Get all Service Principals (Enterprise applications); -All follows paging instead of stopping at the first page
$servicePrincipals = Get-MgServicePrincipal -All
foreach ($sp in $servicePrincipals) {
    # Get application role assignments (Application permissions)
    $appRoleAssignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    # Owners are a navigation property and are not populated on the service principal object itself
    $owners = Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All |
        ForEach-Object { $_.AdditionalProperties['displayName'] }
    # Construct report data
    $reportData = [PSCustomObject]@{
        "Application Name"        = $sp.DisplayName
        "Application ID"          = $sp.AppId
        "Owners"                  = $owners -join ", "
        "Application Permissions" = ($appRoleAssignments | ForEach-Object {
            $_.AppRoleId + " (" + $_.ResourceDisplayName + ")"
        }) -join ", "
    }
    # Output or append to a CSV file
    $reportData
}
```
--
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
Hi T Crha,
Thank you for posting in the Q&A Forums.
Application permissions are typically managed through AppRoleAssignments. You can query these role assignments using the Microsoft Graph API or the Microsoft Graph module of PowerShell.
Using the Microsoft Graph API
You can use the following Graph API request to get the role assignments for a specific Service Principal, which represents your Azure AD application:
```http
GET https://graph.microsoft.com/v1.0/servicePrincipals/{servicePrincipalId}/appRoleAssignments
```
Replace {servicePrincipalId} with the Service Principal ID of your Azure AD application.
Using PowerShell
If you are using PowerShell and have installed the Microsoft Graph PowerShell SDK, you can try the following PowerShell commands (note: may need to be adjusted for the latest SDK and API changes):
```powershell
Install-Module Microsoft.Graph
Connect-MgGraph -Scopes "AppRoleAssignment.
$servicePrincipalId = "Your service principal ID"
$roleAssignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipalId
# -ExpandProperty accepts a single property; plain Select-Object projects several columns
$roleAssignments | Select-Object AppRoleId, ResourceId, ResourceDisplayName
```
Note: You may need to adjust the scope of permissions (Scopes) according to your needs to ensure that you have enough permissions to perform these actions.
Best regards
NeuviJ
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
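The report that both answers above sketch, as an added example (my own code, not code from any post in this thread). It resolves the AppRoleId GUIDs from appRoleAssignments to permission names such as Mail.ReadWrite by looking them up in the resource service principal's AppRoles, fetches owners with Get-MgServicePrincipalOwner, adds the delegated grants from oauth2PermissionGrants, and connects with scopes that exist on Microsoft Graph (Application.Read.All, Directory.Read.All). The CSV path is an assumption.

```powershell
# Added example, not from this thread. Assumes the Microsoft.Graph SDK is installed and the
# signed-in account can consent to these scopes (both are real Microsoft Graph scopes).
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All"

# Cache resource service principals (Microsoft Graph, Exchange Online, ...) so each
# AppRoleId GUID can be translated into a permission name such as Mail.ReadWrite.
$resourceCache = @{}
function Resolve-AppRoleName {
    param([string]$ResourceId, [string]$AppRoleId)
    if (-not $resourceCache.ContainsKey($ResourceId)) {
        $resourceCache[$ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $ResourceId
    }
    $role = $resourceCache[$ResourceId].AppRoles | Where-Object { $_.Id -eq $AppRoleId }
    if ($role) { $role.Value } else { $AppRoleId }   # fall back to the raw GUID
}

# -All follows paging; without it only the first page of service principals is returned.
$report = foreach ($sp in Get-MgServicePrincipal -All) {
    # Owners are a navigation property and have to be fetched separately.
    $owners = Get-MgServicePrincipalOwner -ServicePrincipalId $sp.Id -All | ForEach-Object {
        $name = $_.AdditionalProperties['displayName']
        if ($name) { $name } else { $_.Id }
    }

    # Application permissions: appRoleAssignments where this service principal is the principal.
    $appPerms = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All |
        ForEach-Object { "{0} ({1})" -f (Resolve-AppRoleName $_.ResourceId $_.AppRoleId), $_.ResourceDisplayName }

    # Delegated permissions: oauth2PermissionGrants (space-separated scope string, tenant-wide or per user).
    $delegated = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $sp.Id -All |
        ForEach-Object { "{0} [{1}]" -f $_.Scope.Trim(), $_.ConsentType }

    [PSCustomObject]@{
        DisplayName            = $sp.DisplayName
        AppId                  = $sp.AppId   # client id; the URL path segment expects the object id below
        ObjectId               = $sp.Id
        Owners                 = $owners -join '; '
        ApplicationPermissions = $appPerms -join '; '
        DelegatedPermissions   = $delegated -join '; '
    }
}

# Assumed output path for the scheduled report.
$report | Export-Csv -Path .\EnterpriseAppPermissions.csv -NoTypeInformation -Encoding UTF8
```

Rows whose ApplicationPermissions column contains broad roles (for example anything ending in .ReadWrite.All) are the ones a security review will usually want to look at first.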
Hello, many thanks for your reply, but I am getting into the same error as with the comment above yours - when executing
Connect-MgGraph -Scopes "AppRoleAssignment"
I get
Connect-MgGraph : AADSTS650053: The application 'Microsoft Graph Command Line Tools' asked for scope 'AppRoleAssignment' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'.
So it seems I need to somehow register an app and connect using that app, with granted permissions?
Or maybe not? I am really not sure.
Thanks anyway!
Tomas