Get-AADToolkitApplicationCredentials.ps1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
<#
 .Synopsis
  Gets a report of all the applications and service principals in this tenant that have either a password or client secret
 
 .Description
  This functions returns a list of all applications and service principals that have a credential
 
 .Example
  Get-AADToolkitApplicationCredentials | Export-Csv -Path '.\AppPermissions.csv' -NoTypeInformation
  Generates a CSV report of all applications and service principals with credentials.
#>


function Get-AADToolkitApplicationCredentials {
    function Get-CredentialInfo ($objectType, $item, $cred, $credentialType)
    {
        [pscustomobject]@{
            ObjectId = $item.id
            AppDisplayName = $item.displayName
            ObjectType = $objectType
            AppId = $item.appId
            Credentialtype = $credentialType
            KeyId = $cred.keyId
            Hint = $cred.hint
            CredDisplayName = $cred.displayName
            StartDateTime = $cred.startDateTime
            EndDateTime = $cred.endDateTime
            KeyType = $cred.type
            Usage = $cred.usage
        }
    }

    function Get-CredentialReport ($objectType)
    {
        $reportJson = Invoke-AADTGraph -Uri "/$objectType"        
        do
        {
            foreach($item in $reportJson.value)
            {
                foreach($cred in $item.passwordCredentials)
                {
                    Get-CredentialInfo $objectType $item $cred "PasswordCredential"
                }
                foreach($cred in $item.keyCredentials)
                {
                    Get-CredentialInfo $objectType $item $cred "KeyCredential"
                }
            }
            if($null -ne $reportJson.'@odata.nextLink') { $reportJson = Invoke-GraphRequest -Uri $reportJson.'@odata.nextLink' }
        } while ($null -ne $reportJson.'@odata.nextLink')     
    }

    Get-CredentialReport "applications"
    Get-CredentialReport "servicePrincipals"
}