Applications.ps1
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 |
<# The Get-GraphServicePrincipal function reworks work on service principals which was published by Justin Grote at https://github.com/JustinGrote/JustinGrote.Microsoft.Graph.Extensions/blob/main/src/Public/Get-MgO365ServicePrincipal.ps1 https://github.com/JustinGrote/JustinGrote.Microsoft.Graph.Extensions/blob/main/src/Public/Get-MgManagedIdentity.ps1 and https://github.com/JustinGrote/JustinGrote.Microsoft.Graph.Extensions/blob/main/src/Public/Get-MgAppRole.ps1 and licensed by him under the same MIT terms which apply to this module (see the LICENSE file for details) Portions of this file are Copyright 2021 Justin Grote @justinwgrote The remainder is Copyright 2018-2021 James O'Neill #> using namespace Microsoft.Graph.PowerShell.Models function Get-GraphServicePrincipal { <# .Synopsis Returns information about Service Principals .Description A replacement for the SDK's Get-MgServicePrincipal That has orderby which doesn't work - it's in the Docs but the API errors if you try It doesn't have search by name, or select Application or Managed IDs .Example PS > Get-GraphServicePrincipal "Microsoft graph" Id DisplayName AppId SignInAudience -- ----------- ----- -------------- 25b13fbf-2f44-457a-9e68-d3414fc97915 Microsoft Graph 00000003-0000-0000-c000-000000000000 AzureADMultipleOrgs 4e71d88a-0a46-4274-85b8-82ad86877010 Microsoft Graph Change Tracking 0bf30f3b-4a52-48df-9a82-234910c4a086 AzureADMultipleOrgs ... Run with just a name the command returns service principals with matching names. .Example PS >Get-GraphServicePrincipal 25b13fbf-2f44-457a-9e68-d3414fc97915 -ExpandAppRoles Value DisplayName Enabled Id ----- ----------- ------- -- AccessReview.Read.All Read all access reviews True d07a8cc0-3d51-4b77-b3b0-32704d1f69fa AccessReview.ReadWrite.All Manage all access reviews True ef5f7d5c-338f-44b0-86c3-351f46c8bb5f ... In this example GUID for Microsoft Graph was used from the previous example, and the command has listed the roles available to applications #> [CmdletBinding(DefaultParameterSetName='List1')] [OutputType([Microsoft.Graph.PowerShell.Models.IMicrosoftGraphAppRole],ParameterSetName=('AllRoles','FilteredRoles'))] [OutputType([Microsoft.Graph.PowerShell.Models.IMicrosoftGraphPermissionScope],ParameterSetName=('AllScopes','FilteredScopes'))] [OutputType([Microsoft.Graph.PowerShell.Models.IMicrosoftGraphServicePrincipal],ParameterSetName=('Get2','List1','List2','List3','List4'))] param ( [Parameter(ParameterSetName='AllRoles', Mandatory=$true, Position=0, ValueFromPipeline=$true)] [Parameter(ParameterSetName='FilteredRoles', Mandatory=$true, Position=0, ValueFromPipeline=$true)] [Parameter(ParameterSetName='AllScopes', Mandatory=$true, Position=0, ValueFromPipeline=$true)] [Parameter(ParameterSetName='FilteredScopes', Mandatory=$true, Position=0, ValueFromPipeline=$true)] [Parameter(ParameterSetName='Get2', Mandatory=$true, Position=0, ValueFromPipeline=$true)] #The GUID(s) for ServicePrincipal(s). Or SP objects. If a name is given instead, the command will try to resolve matching Service principals $ServicePrincipalId, [Parameter(ParameterSetName='List5')] [string]$AppId, #Produces a list filtered to only managed identities [Parameter(ParameterSetName='List2')] [switch]$ManagedIdentity, #Produces a list filtered to only applications [Parameter(ParameterSetName='List3')] [switch]$Application, #Produces a convenience list of office 365 security principals [Parameter(ParameterSetName='List4')] [switch]$O365ServicePrincipals, #Select properties to be returned [Alias('Select')] [String[]]$Property, #Filters items by property values [Parameter(ParameterSetName='List1')] [String]$Filter, #Search items by search phrases [Parameter(ParameterSetName='List1')] [Parameter(ParameterSetName='List2')] [Parameter(ParameterSetName='List3')] [String]$Search, #Returns the list of application roles to those the role name, displayname or ID match the parameter value. Wildcards are supported [Parameter(ParameterSetName='AllRoles', Mandatory=$true)] [switch]$ExpandAppRoles, #Filters the list of application roles available within a SP [Parameter(ParameterSetName='FilteredRoles', Mandatory=$true)] [string]$AppRoleFilter, #Returns the list of (user) oauth scopes available within a SP [Parameter(ParameterSetName='AllScopes', Mandatory=$true)] [switch]$ExpandScopes, #Filters the list of oauth scopes to those where the scope name, displayname or ID match the parameter value. Wildcards are supported [Parameter(ParameterSetName='FilteredScopes', Mandatory=$true)] [string]$ScopeFilter ) begin { Test-GraphSession [String]$managedIdentityFilter = @( '00000001-0000-0000-c000-000000000000' #Azure ESTS Service '00000007-0000-0000-c000-000000000000' #Common Data Service '0000000c-0000-0000-c000-000000000000' #Microsoft App Access Panel' '00000007-0000-0ff1-ce00-000000000000' #Microsoft Exchange Online Protection '00000003-0000-0000-c000-000000000000' #Microsoft Graph '00000006-0000-0ff1-ce00-000000000000' #Microsoft Office 365 Portal '00000012-0000-0000-c000-000000000000' #Microsoft Rights Management Services '00000008-0000-0000-c000-000000000000' #Microsoft.Azure.DataMarket '00000002-0000-0ff1-ce00-000000000000' #Office 365 Exchange Online '00000003-0000-0ff1-ce00-000000000000' #Office 365 SharePoint Online '00000009-0000-0000-c000-000000000000' #Power BI Service '00000004-0000-0ff1-ce00-000000000000' #Skype for Business Online '00000002-0000-0000-c000-000000000000' #Windows Azure Active Directory ).foreach{"appId eq '$PSItem'"} -join ' or ' } process { if ( -not $ServicePrincipalId) { if ($O365ServicePrincipals -and $PSBoundParameters['Filter']) { $PSBoundParameters['Filter'] ="( $($PSBoundParameters['Filter']) ) and $managedIdentityFilter" } elseif ($O365ServicePrincipals) { $PSBoundParameters['Filter'] = $managedIdentityFilter } elseif ($ManagedIdentity) { $PSBoundParameters['Filter']="servicePrincipaltype eq 'ManagedIdentity'" } elseif ($Application) { $PSBoundParameters['Filter']="servicePrincipaltype eq 'Application'" } elseif ($AppId) { $PSBoundParameters['Filter']="appid eq '$AppId'" } foreach ($param in @('Application', 'AppId', 'ManagedIdentity', 'O365ServicePrincipals')) { [void]$PSBoundParameters.Remove($param ) } Microsoft.Graph.Applications.private\Get-MgServicePrincipal_List1 @PSBoundParameters -all -ConsistencyLevel Eventual | Sort-Object displayname } else { foreach ($param in @('ServicePrincipalId', 'ExpandAppRoles', 'ExpandScopes', 'AppRoleFilter', 'ScopeFilter')) { [void]$PSBoundParameters.Remove($param ) } foreach ($sp in $ServicePrincipalId) { $result = $null if ($sp -match $GUIDRegex) { $uri = "$GraphUri/servicePrincipals/$sp" if ($Property) {$uri += '?$select=' +($property -join ',')} try { $result = Invoke-GraphRequest $uri -AsType ([MicrosoftGraphServicePrincipal]) } catch { if ($_.Exception.Response.StatusCode.value__ -eq 404) { Write-Warning "$sp was not found as a service principal ID. It may be an App ID."; continue } else {throw $_.Exception } } } else { [void]$PSBoundParameters.Remove('ServicePrincipalId') $psboundParameters['Filter']="startswith(displayName,'$sp')" $result = Microsoft.Graph.Applications.private\Get-MgServicePrincipal_List1 @PSBoundParameters -ConsistencyLevel Eventual | Sort-Object displayname } if ($AppRoleFilter) { $result | Select-Object -ExpandProperty approles | Where-Object {$_.id -like $AppRoleFilter -or $_.DisplayName -like $AppRoleFilter -or $_.value -like $AppRoleFilter } | Sort-Object -Property Value } elseif ($ExpandAppRoles) { $result | Select-Object -ExpandProperty approles | Sort-Object -Property Value } elseif ($ScopeFilter) { $result | Select-Object -ExpandProperty Oauth2PermissionScopes | Where-Object {$_.id -like $ScopeFilter -or $_.AdminConsentDisplayName -like $ScopeFilter -or $_.value -like $ScopeFilter } | Sort-Object -Property Value } elseif ($ExpandScopes) { $result | Select-Object -ExpandProperty Oauth2PermissionScopes | Sort-Object -Property Value } else {$result} } } } } |