Application Single Sign-on

Nitin Rawool 0 Reputation points
2024-09-16T12:23:12.24+00:00

We need to identify which Enterprise applications are being used for Single Sign-On (SSO).


1 answer

  1. Givary-MSFT 32,581 Reputation points Microsoft Employee
    2024-09-17T06:34:35.8433333+00:00

    @Nitin Rawool Thank you for reaching out to us. As I understand it, you would like to identify which Enterprise applications are being used for Single Sign-On (SSO).

    The script below might help to achieve your ask:

    1. The user has to be an Application Admin or Global Admin.
    2. The client needs to install the Microsoft Graph PowerShell module.
    ############### Check for SAML apps in the tenant ###############
    
    # Connect to Microsoft Graph. Application.Read.All is sufficient for Get-MgServicePrincipal;
    # the original used Application.ReadWrite.All, which grants more than this read-only script needs.
    Connect-MgGraph -Scopes Application.Read.All
    
    # Create an empty log (list)
    $Logs = @()
    
    # Initialize progress bar counter
    $pbCounter = 0
    
    # Set CSV file name
    $fileName = "<FILENAME>.csv"
    
    # Path to save the CSV file (folder path without the file name itself)
    $path_ = "<PATH_TO_FILE>\$fileName"
    
    # Visual indication of the current process only
    Write-Host "Collecting info..."
    
    # Get all service principals (enterprise apps) in the tenant
    $allApps = Get-MgServicePrincipal -All
    
    # Cycle through apps
    foreach ($app in $allApps) {
    
        # Check whether PreferredSingleSignOnMode is null or empty
        [bool]$existsNoSSO = [string]::IsNullOrEmpty($app.PreferredSingleSignOnMode)
    
        # If not null or empty, PreferredSingleSignOnMode is defined for this app
        if (!$existsNoSSO) {
    
            $Log = New-Object PSObject -Property @{
                # AppId for the current app
                "AppId" = $app.AppId
                # ObjectId for the current app
                "ObjectId" = $app.Id
                # App display name
                "DisplayName" = $app.DisplayName
                # Configured sign-on mode (documented values: saml, oidc, password, notSupported)
                "PreferredSingleSignOnMode" = $app.PreferredSingleSignOnMode
            }
    
            # Append to the existing log
            $Logs += $Log
        }
    
        # Progress bar
        $pbCounter++
        Write-Progress -Activity 'Processing Apps' -CurrentOperation $app.DisplayName -PercentComplete (($pbCounter / $allApps.Count) * 100)
    }
    
    # Export the log to CSV once, after the loop (the original re-exported the whole list on every iteration)
    $Logs | Export-Csv -Path $path_ -NoTypeInformation -Encoding UTF8
    
    # Visual info on completion
    Write-Host "Finished!"
    

    The above script is based on the service principal parameter PreferredSingleSignOnMode.

    1. Service principals that have PreferredSingleSignOnMode set to True have SAML-enabled SSO.
    2. Service principals whose PreferredSingleSignOnMode is null might or might not be SAML-enabled SSO (they will not show up in the script result):
      • They might be OAuth apps;
      • They might have been created prior to the API update that implemented the PreferredSingleSignOnMode attribute.

    Let me know if you have any further questions, feel free to post back.

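As an added example that is not part of the answer above: this PowerShell builds the same SSO inventory with a read-only scope and also tries to classify the null PreferredSingleSignOnMode case the answer describes, using other servicePrincipal properties (Tags, LoginUrl, PreferredTokenSigningKeyThumbprint). The inference rules in the null branch and the output path are this example's assumptions, not documented Graph semantics.

```powershell
# Added example (not from the original answer). Least-privilege scope: reading
# service principals needs only Application.Read.All.
Connect-MgGraph -Scopes 'Application.Read.All' -NoWelcome

function Get-SsoInventory {
    # Select only the properties needed; -All pages through the whole tenant
    $props = 'Id', 'AppId', 'DisplayName', 'PreferredSingleSignOnMode', 'LoginUrl',
             'PreferredTokenSigningKeyThumbprint', 'Tags', 'ServicePrincipalType', 'AccountEnabled'
    $sps = Get-MgServicePrincipal -All -Property $props

    foreach ($sp in $sps) {
        # Managed identities and legacy principals are not SSO targets
        if ($sp.ServicePrincipalType -ne 'Application') { continue }

        $mode   = $sp.PreferredSingleSignOnMode
        $source = 'preferredSingleSignOnMode'
        if ([string]::IsNullOrEmpty($mode)) {
            # Null case: infer from other markers. Assumption (this example's heuristic):
            # a SAML signing cert or the custom-SSO tag indicates SAML; a LoginUrl alone
            # indicates linked/SAML sign-on; the integrated-app tag alone means an
            # enterprise app with OIDC/OAuth or no SSO configured.
            if ($sp.PreferredTokenSigningKeyThumbprint -or
                $sp.Tags -contains 'WindowsAzureActiveDirectoryCustomSingleSignOnApplication') {
                $mode = 'saml (inferred)'
            } elseif ($sp.LoginUrl) {
                $mode = 'linked/saml (inferred)'
            } elseif ($sp.Tags -contains 'WindowsAzureActiveDirectoryIntegratedApp') {
                $mode = 'oidc/oauth or none (enterprise app)'
            } else {
                $mode = 'unknown'
            }
            $source = 'inferred'
        }

        [pscustomobject]@{
            DisplayName    = $sp.DisplayName
            AppId          = $sp.AppId
            ObjectId       = $sp.Id
            SsoMode        = $mode
            ModeSource     = $source
            AccountEnabled = $sp.AccountEnabled
            HasSigningCert = [bool]$sp.PreferredTokenSigningKeyThumbprint
        }
    }
}

# Review on screen, then export once after the whole run (assumed output path)
$inventory = Get-SsoInventory
$inventory | Sort-Object SsoMode, DisplayName | Format-Table -AutoSize
$inventory | Export-Csv -Path "$env:TEMP\sso-inventory.csv" -NoTypeInformation -Encoding UTF8
```

Rows with ModeSource = inferred are the ones the original script would have silently dropped; review them manually before treating the CSV as a complete SSO inventory.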
