Share via

Generating Registered Applications in Azure, and the users that is granted access to the application

Michael Peralta 251 Reputation points
2023-11-30T20:44:24.5633333+00:00

Hi Everyone.

$apps = Get-AzureADServicePrincipal -All:$true | ? {$_.Tags -eq "WindowsAzureActiveDirectoryIntegratedApp"} 

($apps | ForEach-Object { 
Write-Host "Application Name: $($_.DisplayName)"     
Write-Host "Application ID: $($_.AppId)"     
Write-Host "Authorized Users:"     
Get-AzureADServiceAppRoleAssignment -ObjectId $_.ObjectId | Select-Object -ExpandProperty PrincipalDisplayName | Sort-Object -Unique | ForEach-Object {Write-Host "  - $_"}  }) | Export-Csv -Path C:\AzureApps.csv -NoTypeInformation

I have a problem with this code. My CSV output doesn't contain anything. But I see what I want to export with the write-host.

I am also hoping that I can return the email address of the accounts rather than the displayname and the option to filter it to return only if the email address does not contain, domain1.com or domain2.com.

Get-AzureADServiceAppRoleAssignment -ObjectId $_.ObjectId | Select-Object -ExpandProperty PrincipalDisplayName | Sort-Object -Unique | ForEach-Object {Write-Host "  - $_"}
Windows for business | Windows Server | User experience | PowerShell
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2023-12-05T07:59:01.3566667+00:00

    Hello Mike,

    You could try with the below sample:

    connect-azuread
$app= get-azureadserviceprincipal -all $true | where {$_.tags -eq "<Your app tag>"}
foreach($entry in $app){
  write-host "Application Name: $($entry.displayname)"
  $assignments=get-azureadserviceapproleassignment -objectid $entry.objectid
  if(!$assignments){
  write-host "No app assignments found"
}
else{
  foreach($assignment in $assignments){
    $user= get-azureaduser -filter "Displayname eq '$($assignment.principaldisplayname)'" | select userprincipalname,mail 
    if($user.mail -notlike "<Your domain name>"){
      write-host "user $($user.mail) has app role assigned in app $($assignment.resourcedisplayname)"}
    }
  }
}

    The result I got was:

    User's image

    I have 3 app role assigned for msalapp1 in total and with the filter only one showed in the result. This should be your expectation.

    If you need to exclude 2 domains, a nest if justification will be required since "or" condition can be passed in this case. Also, if you want an output, you can add the export function after the "if" justification for user mail.

    Best Regards,

    Ian Xue

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.