git/Module/Get-AadServicePrincipalAccess.ps1
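<#
.SYNOPSIS
Gets information for what access a Service Principal/Application has access to.
.DESCRIPTION
Resolves the Service Principal from the supplied identifier and then prints, in this order,
its Azure AD directory roles, app roles (application permissions), OAuth2 permission grants
(delegated permissions) and Key Vault access policies. Each section is produced by the
dedicated Get-AadServicePrincipal* function. Output is for display only (Write-Host /
Format-*), not for further pipeline processing.
.PARAMETER Id
Provide the Service Principal ID: the application display name, the AppId, or the
Service Principal Object Id.
.EXAMPLE
Get-AadServicePrincipalAccess -Id 'Your Application Name, AppId, or Service Principal Object Id'
.NOTES
Requires an AadSupport session (Connect-AadSupport is called when the module is loaded).
Throws when the identifier resolves to no Service Principal or to more than one; in the
latter case the candidates are listed first so a unique identifier can be chosen.
#>
Set-Alias -Name Get-AadSpAccess -Value Get-AadServicePrincipalAccess
function Get-AadServicePrincipalAccess {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Id
    )

    # A process block is required for ValueFromPipeline: without it only the last
    # object piped in would be handled.
    process {
        # REQUIRE AadSupport
        if ($global:AadSupportModule) {
            Connect-AadSupport
        }
        # END REGION

        $TenantDomain = $Global:AadSupport.Session.TenantDomain
        $separator = "++++++++++++++++++++++++++++++++++++++++++++++++++++++++"

        $sp = Get-AadServicePrincipal -Id $Id
        if (-not $sp) {
            throw "'$Id' not found in '$TenantDomain'"
        }

        Write-Host "Enterprise App (ServicePrincipal)" -ForegroundColor Yellow
        $sp | Select-Object DisplayName, AppId, ObjectId | Format-Table

        # The candidates were printed above on purpose so the caller can pick a unique one.
        if (@($sp).Count -gt 1) {
            throw "'$Id' query returned more than one result. Please provide a unique Service Principal Identifier"
        }

        Write-Host $separator
        Write-Host "Getting Azure AD Directory Roles assigned to Service Principal..." -ForegroundColor Yellow
        Get-AadServicePrincipalAdminRoles -ObjectId $sp.ObjectId

        Write-Host $separator
        Write-Host "Getting App Roles (Application Permissions) assigned to Service Principal..." -ForegroundColor Yellow
        # Get-AadServicePrincipalAppRoles is defined elsewhere in the module.
        Get-AadServicePrincipalAppRoles -ObjectId $sp.ObjectId

        Write-Host $separator
        Write-Host "Getting OAuth2PermissionGrants (Delegated Permissions) assigned to Service Principal..." -ForegroundColor Yellow
        Get-AadServicePrincipalGrants -ObjectId $sp.ObjectId

        Write-Host $separator
        Write-Host "Getting Key Vault Access assigned to Service Principal..." -ForegroundColor Yellow
        Get-AadServicePrincipalKeyVaultAccess -ObjectId $sp.ObjectId
    }
}

<#
.SYNOPSIS
Lists the Azure AD directory roles of which the given object is a member.
.DESCRIPTION
Enumerates every directory role returned by Get-AzureADDirectoryRole, reads each role's
members and reports the roles whose member list contains ObjectId. Prints "None" when no
role matches; otherwise prints an example Remove-AzureADDirectoryRoleMember command that
would remove the first reported membership.
.PARAMETER ObjectId
Object Id of the Service Principal (or any directory object) to look up.
.EXAMPLE
Get-AadServicePrincipalAdminRoles -ObjectId '<service-principal-object-id>'
.NOTES
Get-AzureADDirectoryRole only returns roles that have been activated in the tenant, so a
role that was never activated cannot appear in this list. Output is for display only.
#>
Set-Alias -Name Get-AadSpAdminRoles -Value Get-AadServicePrincipalAdminRoles
function Get-AadServicePrincipalAdminRoles {
    # THIS FUNCTION IS STANDALONE
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $ObjectId
    )

    # process block: handle every object piped in, not only the last one.
    process {
        # REQUIRE AadSupport
        if ($Global:AadSupportModule) {
            Connect-AadSupport
        }
        # END REGION

        # Collect matches from the loop's pipeline output instead of growing an array with +=.
        $AdminRoleList = @(
            foreach ($role in Get-AzureADDirectoryRole) {
                $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
                foreach ($member in $members) {
                    if ($member.ObjectId -eq $ObjectId) {
                        [PSCustomObject]@{
                            RoleDisplayName = $role.DisplayName
                            RoleId          = $role.ObjectId
                        }
                    }
                }
            }
        )

        # Output Admin Roles
        $AdminRoleList | Format-Table RoleDisplayName, RoleId

        if ($AdminRoleList.Count -eq 0) {
            Write-Host "None"
            Write-Host ""
            return
        }

        Write-Host "To remove a Directory Role... (Example)"
        $ExampleId = $AdminRoleList[0].RoleId
        Write-Host "Remove-AzureADDirectoryRoleMember -ObjectId $ExampleId -MemberId $ObjectId"
        Write-Host ""
    }
}

<#
.SYNOPSIS
Lists the OAuth2 permission grants (delegated permissions) held by the given Service Principal.
.DESCRIPTION
Reads every grant from Get-AzureADServicePrincipalOAuth2PermissionGrant and prints, per
grant, the resource application's display name, the consenting principal ("AllPrincipals"
for tenant-wide admin consent, otherwise the consenting user's UPN), the grant's Object Id
and the granted scopes. Prints "None" when there are no grants; otherwise prints an example
Remove-AzureADOAuth2PermissionGrant command for the first grant.
.PARAMETER ObjectId
Object Id of the Service Principal whose grants are listed.
.EXAMPLE
Get-AadServicePrincipalGrants -ObjectId '<service-principal-object-id>'
.NOTES
If the consenting user cannot be resolved (for example the account was deleted), the grant
is still reported with the raw PrincipalId and a warning is written, so an orphaned grant
does not abort the report. Output is for display only.
#>
Set-Alias -Name Get-AadSpGrants -Value Get-AadServicePrincipalGrants
function Get-AadServicePrincipalGrants {
    # THIS FUNCTION IS STANDALONE
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $ObjectId
    )

    # process block: handle every object piped in, not only the last one.
    process {
        # REQUIRE AadSupport
        if ($global:AadSupportModule) {
            Connect-AadSupport
        }
        # END REGION

        $GrantList = @(
            foreach ($grant in Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $ObjectId) {
                $resource = Get-AzureADServicePrincipal -ObjectId $grant.ResourceId

                if ($grant.ConsentType -eq "AllPrincipals") {
                    # Admin consent: the grant applies to every user in the tenant.
                    $PrincipalId = "AllPrincipals"
                } else {
                    # User consent: show the consenting user's UPN. Fall back to the raw id
                    # when the user no longer exists so the grant is still listed.
                    $user = $null
                    try {
                        $user = Get-AzureAdUser -ObjectId $grant.PrincipalId -ErrorAction Stop
                    } catch {
                        Write-Warning "Could not resolve consenting principal '$($grant.PrincipalId)': $_"
                    }
                    $PrincipalId = if ($user) { $user.UserPrincipalName } else { $grant.PrincipalId }
                }

                [PSCustomObject]@{
                    Resource    = $resource.DisplayName
                    PrincipalId = $PrincipalId
                    Id          = $grant.ObjectId
                    Scope       = $grant.Scope
                }
            }
        )

        # Output OAuth2 grants, grouped by resource
        $GrantList | Sort-Object Resource | Format-List

        if ($GrantList.Count -eq 0) {
            Write-Host "None"
            Write-Host ""
            return
        }

        Write-Host "To remove a OAuth2 permission grant... (Example)"
        $ExampleId = $GrantList[0].Id
        Write-Host "Remove-AzureADOAuth2PermissionGrant -ObjectId $ExampleId"
        Write-Host ""
    }
}

<#
.SYNOPSIS
Lists Key Vault access policies granted to the given object across the tenant's subscriptions.
.DESCRIPTION
Iterates every subscription returned by Get-AzSubscription for the current AadSupport tenant
(skipping the "Access to Azure Active Directory" subscription), switches the Az context to
each one and, for every Key Vault in it, prints the key/secret/certificate/storage permissions
of any access policy whose ObjectId matches. "None" is printed per subscription when no vault
in that subscription has a matching policy.
.PARAMETER ObjectId
Object Id of the Service Principal to look up in the vaults' access policies.
.EXAMPLE
Get-AadServicePrincipalKeyVaultAccess -ObjectId '<service-principal-object-id>'
.NOTES
Only the access-policy permission model is inspected. A vault that uses Azure RBAC
(EnableRbacAuthorization) grants access through role assignments, which are not listed
here, so "None" can be a false negative for such vaults; a notice is printed for them.
The Az context is restored to the caller's context when the function finishes.
Output is for display only.
#>
function Get-AadServicePrincipalKeyVaultAccess {
    # THIS FUNCTION IS STANDALONE
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $ObjectId
    )

    # process block: handle every object piped in, not only the last one.
    process {
        # REQUIRE AadSupport
        if ($global:AadSupportModule) {
            Connect-AadSupport
        }
        # END REGION

        $subscriptions = Get-AzSubscription -TenantId $Global:AadSupport.Session.TenantId

        # Set-AzContext is session-wide; remember the caller's context so it can be restored.
        $originalContext = Get-AzContext
        try {
            foreach ($sub in $subscriptions) {
                if ($sub.Name -eq "Access to Azure Active Directory") {
                    continue
                }

                Write-Host "Checking Subscription '$($sub.Name) (Id:$($sub.id))' "
                Set-AzContext -SubscriptionId $sub.id | Out-Null

                $matchCount = 0
                foreach ($KeyVaultItem in Get-AzKeyVault) {
                    $KeyVaultName = $KeyVaultItem.VaultName
                    Write-Host "Checking Key Vault '$KeyVaultName'"

                    # The list call does not include AccessPolicies; fetch the vault by name.
                    $kv = Get-AzKeyVault -VaultName $KeyVaultName

                    # RBAC-mode vaults have no meaningful access policies; flag them so a
                    # "None" result is not mistaken for "no access".
                    if ($kv.EnableRbacAuthorization) {
                        Write-Host "Key Vault '$KeyVaultName' uses Azure RBAC; role assignments are not checked here"
                    }

                    foreach ($policy in $kv.AccessPolicies) {
                        if ($policy.ObjectId -eq $ObjectId) {
                            $permissions = $policy | Select-Object PermissionsToKeys, PermissionsToSecrets, PermissionsToCertificates, PermissionsToStorage
                            $permissions | Format-List -Force
                            $matchCount++
                        }
                    }
                }

                if ($matchCount -eq 0) {
                    Write-Host "None"
                    Write-Host ""
                }
            }
        } finally {
            if ($originalContext) {
                Set-AzContext -Context $originalContext | Out-Null
            }
        }
    }
}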