還原授與應用程式的撤銷許可權
在本文中,您將瞭解如何還原先前授與給應用程式的許可權。 您可以還原已授與存取組織資料之許可權的應用程式許可權。 您也可以還原已授與許可權之應用程式的許可權,以做為使用者。
目前,只有透過 Microsoft Graph PowerShell 和 Microsoft Graph API 呼叫,才能還原許可權。 您無法透過 Microsoft Entra 系統管理中心還原許可權。 在本文中,您將瞭解如何使用 Microsoft Graph PowerShell 還原許可權。
必要條件
若要還原先前撤銷的應用程式許可權,您需要:
- 具有有效訂用帳戶的 Azure 帳戶。 免費建立帳戶。
- 下列其中一個角色:全域管理員istrator、Cloud Application 管理員istrator、Application 管理員istrator。
- 不是系統管理員的服務主體擁有者能夠使重新整理權杖失效。
還原應用程式的撤銷許可權
您可以嘗試不同的方法來還原許可權:
- 使用 [許可權 ] 頁面上的 [ 授與管理員同意 ] 按鈕 ,讓應用程式再次套用同意。 此同意會套用應用程式開發人員原本在應用程式資訊清單中要求的許可權集。
注意
Regranting 管理員同意將會移除任何未屬於開發人員所設定之預設集合的已授與許可權。
- 如果您知道撤銷的特定許可權,您可以使用 PowerShell 或 Microsoft Graph API 再次授 與它。
- 如果您不知道撤銷的許可權,您可以使用本文中提供的腳本來偵測和還原撤銷的許可權。
首先,將腳本中的 servicePrincipalId 值設定為您想要還原其許可權的企業應用程式識別碼值。 此識別碼也會在 Microsoft Entra 系統管理中心 企業應用程式 頁面中呼叫 object ID 。
然後,使用 $ForceGrantUpdate = $false 執行每個腳本,以查看可能已移除的委派或僅限應用程式許可權清單。 即使已還原許可權,您稽核記錄中的撤銷事件仍可能會出現在腳本結果中。
如果您想要讓腳本嘗試還原它偵測到的任何撤銷許可權,請 $ForceGrantUpdate 保留設定 $true 為 。 腳本會要求確認,但不會針對所還原的每個許可權要求個別核准。
授與應用程式許可權時請小心。 若要深入瞭解如何評估許可權,請參閱 評估許可權 。
還原委派的許可權
# WARNING: Setting $ForceGrantUpdate to true will modify permission grants without
# prompting for confirmation. This can result in unintended changes to your
# application's security settings. Use with caution!
$ForceGrantUpdate = $false
# Set the start and end dates for the audit log search
# If setting date use yyyy-MM-dd format
# endDate is set to tomorrow to include today's audit logs
$startDate = (Get-Date).AddDays(-7).ToString('yyyy-MM-dd')
$endDate = (Get-Date).AddDays(1).ToString('yyyy-MM-dd')
# Set the service principal ID
$servicePrincipalId = "efe87e5d-05cb-4b19-9b36-1eb923448697"
Write-Host "Searching for audit logs between $startDate and $endDate" -ForegroundColor Green
Write-Host "Searching for audit logs for service principal $servicePrincipalId" -ForegroundColor Green
if ($ForceGrantUpdate -eq $true) {
Write-Host "WARNING: ForceGrantUpdate is set to true. This will modify permission grants without prompting for confirmation. This can result in unintended changes to your application's security settings. Use with caution!" -ForegroundColor Red
$continue = Read-Host "Do you want to continue? (Y/N)"
if ($continue -eq "Y" -or $continue -eq "y") {
Write-Host "Continuing..."
} else {
Write-Host "Exiting..."
exit
}
}
# Connect to MS Graph
Connect-MgGraph -Scopes "AuditLog.Read.All","DelegatedPermissionGrant.ReadWrite.All" -ErrorAction Stop | Out-Null
# Create a hashtable to store the OAuth2PermissionGrants
$oAuth2PermissionGrants = @{}
function Merge-Scopes($oldScopes, $newScopes) {
$oldScopes = $oldScopes.Trim() -split '\s+'
$newScopes = $newScopes.Trim() -split '\s+'
$mergedScopesArray = $oldScopes + $newScopes | Select-Object -Unique
$mergedScopes = $mergedScopesArray -join ' '
return $mergedScopes.Trim()
}
# Function to merge scopes if multiple OAuth2PermissionGrants are found in the audit logs
function Add-Scopes($resourceId, $newScopes) {
if($oAuth2PermissionGrants.ContainsKey($resourceId)) {
$oldScopes = $oAuth2PermissionGrants[$resourceId]
$oAuth2PermissionGrants[$resourceId] = Merge-Scopes $oldScopes $newScopes
}
else {
$oAuth2PermissionGrants[$resourceId] = $newScopes
}
}
function Get-ScopeDifference ($generatedScope, $currentScope) {
$generatedScopeArray = $generatedScope.Trim() -split '\s+'
$currentScopeArray = $currentScope.Trim() -split '\s+'
$difference = $generatedScopeArray | Where-Object { $_ -notin $currentScopeArray }
$difference = $difference -join ' '
return $difference.Trim()
}
# Set the filter for the audit log search
$filterOAuth2PermissionGrant = "activityDateTime ge $startDate and activityDateTime le $endDate" +
" and Result eq 'success'" +
" and ActivityDisplayName eq 'Remove delegated permission grant'" +
" and targetResources/any(x: x/id eq '$servicePrincipalId')"
try {
# Retrieve the audit logs for removed OAuth2PermissionGrants
$oAuth2PermissionGrantsAuditLogs = Get-MgAuditLogDirectoryAudit -Filter $filterOAuth2PermissionGrant -All -ErrorAction Stop
}
catch {
Disconnect-MgGraph | Out-Null
throw $_
}
# Remove User Delegated Permission Grants
$oAuth2PermissionGrantsAuditLogs = $oAuth2PermissionGrantsAuditLogs | Where-Object {
-not ($_.TargetResources.ModifiedProperties.OldValue -eq '"Principal"')
}
# Merge duplicate OAuth2PermissionGrants from AuditLogs using Add-Scopes
foreach ($auditLog in $oAuth2PermissionGrantsAuditLogs) {
$resourceId = $auditLog.TargetResources[0].Id
# We only want to process OAuth2PermissionGrant Audit Logs where $servicePrincipalId is the clientId not the resourceId
if ($resourceId -eq $servicePrincipalId) {
continue
}
$oldScope = $auditLog.TargetResources[0].ModifiedProperties | Where-Object { $_.DisplayName -eq "DelegatedPermissionGrant.Scope" } | Select-Object -ExpandProperty OldValue
if ($oldScope -eq $null) {
$oldScope = ""
}
$oldScope = $oldScope.Replace('"', '')
$newScope = $auditLog.TargetResources[0].ModifiedProperties | Where-Object { $_.DisplayName -eq "DelegatedPermissionGrant.Scope" } | Select-Object -ExpandProperty NewValue
if ($newScope -eq $null) {
$newScope = ""
}
$newScope = $newScope.Replace('"', '')
$scope = Merge-Scopes $oldScope $newScope
Add-Scopes $resourceId $scope
}
$permissionCount = 0
foreach ($resourceId in $oAuth2PermissionGrants.keys) {
$scope = $oAuth2PermissionGrants[$resourceId]
$params = @{
clientId = $servicePrincipalId
consentType = "AllPrincipals"
resourceId = $resourceId
scope = $scope
}
try {
$currentOAuth2PermissionGrant = Get-MgOauth2PermissionGrant -Filter "clientId eq '$servicePrincipalId' and consentType eq 'AllPrincipals' and resourceId eq '$resourceId'" -ErrorAction Stop
$action = "Creating"
if ($currentOAuth2PermissionGrant -ne $null) {
$action = "Updating"
}
Write-Host "--------------------------"
if ($ForceGrantUpdate -eq $true) {
Write-Host "$action OAuth2PermissionGrant with the following parameters:"
} else {
Write-Host "Potentially removed OAuth2PermissionGrant scopes with the following parameters:"
}
Write-Host " clientId: $($params.clientId)"
Write-Host " consentType: $($params.consentType)"
Write-Host " resourceId: $($params.resourceId)"
if ($currentOAuth2PermissionGrant -ne $null) {
$scopeDifference = Get-ScopeDifference $scope $currentOAuth2PermissionGrant.Scope
if ($scopeDifference -eq "") {
Write-Host "OAuth2PermissionGrant already exists with the same scope" -ForegroundColor Yellow
if ($ForceGrantUpdate -eq $true) {
Write-Host "Skipping Update" -ForegroundColor Yellow
}
continue
}
else {
Write-Host " scope diff: '$scopeDifference'"
}
}
else {
Write-Host " scope: '$($params.scope)'"
}
if ($ForceGrantUpdate -eq $true -and $currentOAuth2PermissionGrant -eq $null) {
New-MgOauth2PermissionGrant -BodyParameter $params -ErrorAction Stop | Out-Null
Write-Host "OAuth2PermissionGrant was created successfully" -ForegroundColor Green
}
if ($ForceGrantUpdate -eq $true -and $currentOAuth2PermissionGrant -ne $null) {
Write-Host " Current Scope: '$($currentOAuth2PermissionGrant.scope)'" -ForegroundColor Yellow
Write-Host " Merging with scopes from audit logs" -ForegroundColor Yellow
$params.scope = Merge-Scopes $currentOAuth2PermissionGrant.scope $params.scope
Write-Host " New Scope: '$($params.scope)'" -ForegroundColor Yellow
Update-MgOauth2PermissionGrant -OAuth2PermissionGrantId $currentOAuth2PermissionGrant.id -BodyParameter $params -ErrorAction Stop | Out-Null
Write-Host "OAuth2PermissionGrant was updated successfully" -ForegroundColor Green
}
$permissionCount++
}
catch {
Disconnect-MgGraph | Out-Null
throw $_
}
}
Disconnect-MgGraph | Out-Null
if ($ForceGrantUpdate -eq $true) {
Write-Host "--------------------------"
Write-Host "$permissionCount OAuth2PermissionGrants were created/updated successfully" -ForegroundColor Green
} else {
Write-Host "--------------------------"
Write-Host "$permissionCount OAuth2PermissionGrants were found" -ForegroundColor Green
}
還原僅限應用程式的許可權
注意
授與僅限應用程式的 Microsoft Graph 許可權需要全域管理員角色。
# WARNING: Setting $ForceGrantUpdate to true will modify permission grants without
# prompting for confirmation. This can result in unintended changes to your
# application's security settings. Use with caution!
$ForceGrantUpdate = $false
# Set the start and end dates for the audit log search
# If setting date use yyyy-MM-dd format
# endDate is set to tomorrow to include today's audit logs
$startDate = (Get-Date).AddDays(-7).ToString('yyyy-MM-dd')
$endDate = (Get-Date).AddDays(1).ToString('yyyy-MM-dd')
# Set the service principal ID
$servicePrincipalId = "efe87e5d-05cb-4b19-9b36-1eb923448697"
Write-Host "Searching for audit logs between $startDate and $endDate" -ForegroundColor Green
Write-Host "Searching for audit logs for service principal $servicePrincipalId" -ForegroundColor Green
if ($ForceGrantUpdate -eq $true) {
Write-Host "WARNING: ForceGrantUpdate is set to true. This will modify permission grants without prompting for confirmation. This can result in unintended changes to your application's security settings. Use with caution!" -ForegroundColor Red
$continue = Read-Host "Do you want to continue? (Y/N)"
if ($continue -eq "Y" -or $continue -eq "y") {
Write-Host "Continuing..."
} else {
Write-Host "Exiting..."
exit
}
}
# Connect to MS Graph
Connect-MgGraph -Scopes "AuditLog.Read.All","Application.Read.All","AppRoleAssignment.ReadWrite.All" -ErrorAction Stop | Out-Null
# Set the filter for the audit log search
$filterAppRoleAssignment = "activityDateTime ge $startDate and activityDateTime le $endDate" +
" and Result eq 'success'" +
" and ActivityDisplayName eq 'Remove app role assignment from service principal'" +
" and targetResources/any(x: x/id eq '$servicePrincipalId')"
try {
# Retrieve the audit logs for removed AppRoleAssignments
$appRoleAssignmentsAuditLogs = Get-MgAuditLogDirectoryAudit -Filter $filterAppRoleAssignment -All -ErrorAction Stop
}
catch {
Disconnect-MgGraph | Out-Null
throw $_
}
$permissionCount = 0
foreach ($auditLog in $appRoleAssignmentsAuditLogs) {
$resourceId = $auditLog.TargetResources[0].Id
# We only want to process AppRoleAssignments Audit Logs where $servicePrincipalId is the principalId not the resourceId
if ($resourceId -eq $servicePrincipalId) {
continue
}
$appRoleId = $auditLog.TargetResources[0].ModifiedProperties | Where-Object { $_.DisplayName -eq "AppRole.Id" } | Select-Object -ExpandProperty OldValue
$appRoleId = $appRoleId.Replace('"', '')
$params = @{
principalId = $servicePrincipalId
resourceId = $resourceId
appRoleId = $appRoleId
}
try {
$sp = Get-MgServicePrincipal -ServicePrincipalId $resourceId
$appRole = $sp.AppRoles | Where-Object { $_.Id -eq $appRoleId }
Write-Host "--------------------------"
if ($ForceGrantUpdate -eq $true) {
Write-Host "Creating AppRoleAssignment with the following parameters:"
} else {
Write-Host "Potentially removed AppRoleAssignment with the following parameters:"
}
Write-Host " principalId: $($params.principalId)"
Write-Host " resourceId: $($params.resourceId)"
Write-Host " appRoleId: $($params.appRoleId)"
Write-Host " appRoleValue: $($appRole.Value)"
Write-Host " appRoleDisplayName: $($appRole.DisplayName)"
if ($ForceGrantUpdate -eq $true) {
New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $servicePrincipalId -BodyParameter $params -ErrorAction Stop | Out-Null
Write-Host "AppRoleAssignment was created successfully" -ForegroundColor Green
}
$permissionCount++
}
catch {
if ($_.Exception.Message -like "*Permission being assigned already exists on the object*") {
Write-Host "AppRoleAssignment already exists skipping creation" -ForegroundColor Yellow
}
else {
Disconnect-MgGraph | Out-Null
throw $_
}
}
}
Disconnect-MgGraph | Out-Null
if ($ForceGrantUpdate -eq $true) {
Write-Host "--------------------------"
Write-Host "$permissionCount AppRoleAssignments were created successfully" -ForegroundColor Green
} else {
Write-Host "--------------------------"
Write-Host "$permissionCount AppRoleAssignments were found" -ForegroundColor Green
}