@Nitin Rawool Thank you for reaching out to us. As I understand it, you would like to identify which Enterprise applications are being used for Single Sign-On (SSO).
The script below might help you achieve this:
- The user has to be an Application Admin or Global Admin.
- The client needs to install the MgGraph PowerShell Module
```powershell
############### Check for SAML apps in the tenant ###############
# Connect to Microsoft Graph. The script only reads service principals,
# so the read-only scope is enough (the original requested Application.ReadWrite.All).
Connect-MgGraph -Scopes Application.Read.All

# Create an empty log (list)
$Logs = @()
# Initialize the progress bar counter
$pbCounter = 0
# Set the CSV file name
$fileName = "<FILENAME>.csv"
# Folder to save the CSV file in, followed by the file name
$path_ = "<PATH_TO_FILE>\$fileName"

# Visual indication of the current process only
Write-Host "Collecting info..."
# Get all apps (service principals)
$allApps = Get-MgServicePrincipal -All:$true

# Cycle through the apps
foreach ($app in $allApps) {
    # Check whether PreferredSingleSignOnMode is null or empty
    [bool]$existsNoSSO = [string]::IsNullOrEmpty($app.PreferredSingleSignOnMode)

    # If it is not null or empty, PreferredSingleSignOnMode is defined
    if (!$existsNoSSO) {
        $Log = New-Object PSObject -Property @{
            # AppId of the current app
            "AppId"                     = $app.AppId
            # ObjectId of the current app
            "ObjectId"                  = $app.Id
            # App display name
            "DisplayName"               = $app.DisplayName
            # Sign-on mode of the app
            "PreferredSingleSignOnMode" = $app.PreferredSingleSignOnMode
        }
        # Append to the existing log
        $Logs += $Log
    } else {
        # ...Other Actions
    }

    # Progress bar
    $pbCounter++
    Write-Progress -Activity 'Processing Apps' -CurrentOperation $app.DisplayName -PercentComplete (($pbCounter / $allApps.Count) * 100)
}

# Export the log to CSV once, after the loop, instead of rewriting the file on every iteration
$Logs | Export-Csv -Path $path_ -NoTypeInformation -Encoding UTF8

# Visual info of termination
Write-Host "Finished!"
```
The above script is based on the service principal parameter PreferredSingleSignOnMode.
- Service principals that have PreferredSingleSignOnMode set to True have SAML-enabled SSO.
- Service principals that have PreferredSingleSignOnMode set to null might or might not have SAML-enabled SSO (they will not show up in the script's results):
  - They might be OAuth apps;
  - They might have been created prior to the API update that implemented the PreferredSingleSignOnMode attribute.

Let me know if you have any further questions; feel free to post back.
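
The answer notes that service principals with a null PreferredSingleSignOnMode are left out of the CSV even though some of them may still be SAML apps. The following is an added example, not part of the original answer: it keeps those apps in a separate review bucket instead of dropping them. The function name `Get-SsoModeReport`, the `Status` labels and the sample objects are hypothetical, and using `PreferredTokenSigningKeyThumbprint` as a hint for legacy SAML apps is an assumption, not a guarantee.

```powershell
# Added example: classify service principals so null-mode apps are reviewed, not silently skipped.
function Get-SsoModeReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$ServicePrincipal
    )
    process {
        $mode = $ServicePrincipal.PreferredSingleSignOnMode
        if (-not [string]::IsNullOrEmpty($mode)) {
            # Mode is recorded on the object; this is what the script above exports
            $status = 'ModeSet'
        }
        elseif (-not [string]::IsNullOrEmpty($ServicePrincipal.PreferredTokenSigningKeyThumbprint)) {
            # Assumption: a token-signing thumbprint on a null-mode app hints at a legacy SAML app
            $status = 'ReviewLikelySaml'
        }
        else {
            # Could be an OAuth/OIDC app or an older app; needs a manual look
            $status = 'ReviewUnknown'
        }
        [pscustomobject]@{
            DisplayName               = $ServicePrincipal.DisplayName
            AppId                     = $ServicePrincipal.AppId
            ObjectId                  = $ServicePrincipal.Id
            PreferredSingleSignOnMode = $mode
            Status                    = $status
        }
    }
}

# Constructed sample objects (not real tenant data) so the function can be tried offline
$sample = @(
    [pscustomobject]@{ DisplayName = 'Sample HR Portal'; AppId = '00000000-0000-0000-0000-000000000001'
        Id = '10000000-0000-0000-0000-000000000001'; PreferredSingleSignOnMode = 'saml'
        PreferredTokenSigningKeyThumbprint = 'SAMPLETHUMBPRINT1' }
    [pscustomobject]@{ DisplayName = 'Sample Legacy App'; AppId = '00000000-0000-0000-0000-000000000002'
        Id = '10000000-0000-0000-0000-000000000002'; PreferredSingleSignOnMode = $null
        PreferredTokenSigningKeyThumbprint = 'SAMPLETHUMBPRINT2' }
    [pscustomobject]@{ DisplayName = 'Sample API Client'; AppId = '00000000-0000-0000-0000-000000000003'
        Id = '10000000-0000-0000-0000-000000000003'; PreferredSingleSignOnMode = $null
        PreferredTokenSigningKeyThumbprint = $null }
)

$report = $sample | Get-SsoModeReport
$report | Group-Object Status | Select-Object Name, Count
$report | Where-Object Status -ne 'ModeSet' | Format-Table DisplayName, AppId, Status

# Against a tenant, after Connect-MgGraph:
# Get-MgServicePrincipal -All | Get-SsoModeReport | Export-Csv -Path "<PATH_TO_FILE>\<FILENAME>.csv" -NoTypeInformation -Encoding UTF8
```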