Generating Registered Applications in Azure, and the users that is granted access to the application

Mike 246 Reputation points
2023-11-30T20:44:24.5633333+00:00

Hi Everyone.

$apps = Get-AzureADServicePrincipal -All:$true | ? {$_.Tags -eq "WindowsAzureActiveDirectoryIntegratedApp"} 

($apps | ForEach-Object { 
Write-Host "Application Name: $($_.DisplayName)"     
Write-Host "Application ID: $($_.AppId)"     
Write-Host "Authorized Users:"     
Get-AzureADServiceAppRoleAssignment -ObjectId $_.ObjectId | Select-Object -ExpandProperty PrincipalDisplayName | Sort-Object -Unique | ForEach-Object {Write-Host "  - $_"}  }) | Export-Csv -Path C:\AzureApps.csv -NoTypeInformation 

I have a problem with this code. My CSV output doesn't contain anything. But I see what I want to export with the write-host.

I am also hoping that I can return the email address of the accounts rather than the displayname and the option to filter it to return only if the email address does not contain, domain1.com or domain2.com.

Get-AzureADServiceAppRoleAssignment -ObjectId $_.ObjectId | Select-Object -ExpandProperty PrincipalDisplayName | Sort-Object -Unique | ForEach-Object {Write-Host "  - $_"}
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,460 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Ian Xue (Shanghai Wicresoft Co., Ltd.) 34,271 Reputation points Microsoft Vendor
    2023-12-05T07:59:01.3566667+00:00

    Hello Mike,

    You could try with the below sample:

    connect-azuread
    $app= get-azureadserviceprincipal -all $true | where {$_.tags -eq "<Your app tag>"}
    foreach($entry in $app){
      write-host "Application Name: $($entry.displayname)"
      $assignments=get-azureadserviceapproleassignment -objectid $entry.objectid
      if(!$assignments){
      write-host "No app assignments found"
    }
    else{
      foreach($assignment in $assignments){
        $user= get-azureaduser -filter "Displayname eq '$($assignment.principaldisplayname)'" | select userprincipalname,mail 
        if($user.mail -notlike "<Your domain name>"){
          write-host "user $($user.mail) has app role assigned in app $($assignment.resourcedisplayname)"}
        }
      }
    }
    

    The result I got was:

    User's image

    I have 3 app role assigned for msalapp1 in total and with the filter only one showed in the result. This should be your expectation.

    If you need to exclude 2 domains, a nest if justification will be required since "or" condition can be passed in this case. Also, if you want an output, you can add the export function after the "if" justification for user mail.

    Best Regards,

    Ian Xue


    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    0 comments No comments