
Retrieve "API Permissions" of Azure AD Application via PowerShell

For reporting and monitoring purposes I would like to retrieve the information shown in the Azure portal for an application (App Registration) under "API permissions".

I have tried the following code

$app = Get-AzureADApplication -ObjectId 'aa7e174d-2639-4ac7-9b11-6799466c3c9b'
$app.Oauth2Permissions

But this yields only the following information:

AdminConsentDescription : Allow the application to access foobar_HVV on behalf of the signed-in user.
AdminConsentDisplayName : Access foobar_HVV
Id                      : h1285f9d5-b00d-4bdb-979d-c4d6487fa000
IsEnabled               : True
Type                    : User
UserConsentDescription  : Allow the application to access foobar_HVV on your behalf.
UserConsentDisplayName  : Access foobar_HVV
Value                   : user_impersonation

But "API Permissions" for the application "foobar_HVV" shows totally different permissions. Especially the "Type" (Delegated, Application) and the "Status" per permission are needed for my report.

If you want to get the API permissions, you need to use the command below.

$app = Get-AzureADApplication -ObjectId '<object-id of the App Registration>'
$app.requiredResourceAccess | ConvertTo-Json -Depth 3


The ResourceAppId is the Application ID of the service principal of the API, e.g. Microsoft Graph; the ResourceAccess includes the permissions you added to the app; Type Scope means a Delegated permission, Type Role means an Application permission.

My API permissions:


To check the details of the API permissions, you need to use the command below. For example, we want to know the details of the permission whose Id is 5b567255-7703-4780-807c-7be8301ae99b in the screenshot; its Type is Role, so we need to use $sp.AppRoles.

$sp = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '00000003-0000-0000-c000-000000000000'}
$sp.AppRoles | Where-Object {$_.Id -eq '5b567255-7703-4780-807c-7be8301ae99b'}


If you want to get a Delegated permission (Type is Scope), we need to use:

$sp = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '00000003-0000-0000-c000-000000000000'}
$sp.Oauth2Permissions | Where-Object {$_.Id -eq 'e1fe6dd8-ba31-4d61-89e7-88639da4683d'}


To check Status, there is no direct way; you need to check the permissions that the admin has granted to the service principal that corresponds to the AD App in your AAD tenant.

First, get the service principal $appsp :

$app = Get-AzureADApplication -ObjectId '<object-id of the App Registration>'
$appsp = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $app.AppId}

Get the Delegated permissions which have been granted (Status is Granted):

Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $appsp.ObjectId -All $true | ConvertTo-Json


The ResourceId is the Object Id of the service principal of the API:


Get the Application permissions which have been granted (Status is Granted):

Get-AzureADServiceAppRoleAssignedTo -ObjectId $appsp.ObjectId | ConvertTo-Json

The Id is the Id in the ResourceAccess in the first screenshot.


If the permission has not been granted (Status is Not Granted), you will not get the permission with the command above.

For example, I add a new Application permission in the portal and then run the command again; we still get the permission which has been granted.

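The steps above, combined into one report, as an added example that is not code from this answer: it lists every configured permission of one App Registration with its API, value, Type (Delegated/Application) and Status, using the same AzureAD module cmdlets. It assumes Connect-AzureAD has already been run, and '<object-id of the App Registration>' is a placeholder to replace. Only tenant-wide admin consent (OAuth2PermissionGrant with ConsentType AllPrincipals, or an AppRoleAssignment) counts as Granted, which is what the portal's "Granted for <tenant>" column reflects; per-user consents (ConsentType Principal) are deliberately ignored. Note that Microsoft is retiring the AzureAD module in favour of the Microsoft Graph PowerShell SDK; the example keeps the cmdlets this answer uses.

```powershell
# Added example, not part of the original answer: build the portal's "API permissions"
# table (API, permission, Type, Status) for one App Registration with the AzureAD module.
# Assumes Connect-AzureAD has already been run.
$AppObjectId = '<object-id of the App Registration>'   # placeholder, replace before running

$app = Get-AzureADApplication -ObjectId $AppObjectId

# Consent is recorded against the app's service principal in this tenant, not against the
# app object, so resolve it first. It only exists once the app has been consented to.
$appSp = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
if (-not $appSp) {
    throw "No service principal for AppId $($app.AppId) in this tenant; nothing has been granted yet."
}

# Delegated grants: one OAuth2PermissionGrant per API, with Scope holding a space-separated
# list of granted scope values. Only tenant-wide admin consent (ConsentType = AllPrincipals)
# is counted, like the portal's "Granted for <tenant>"; per-user consents are ignored.
$delegatedGranted = @{}   # resource SP ObjectId -> array of granted scope values
Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $appSp.ObjectId -All $true |
    Where-Object { $_.ConsentType -eq 'AllPrincipals' } |
    ForEach-Object { $delegatedGranted[$_.ResourceId] += @($_.Scope.Trim() -split '\s+') }

# Application grants: one AppRoleAssignment per role. Id is the app role Id (the Id seen in
# RequiredResourceAccess) and ResourceId is the API's service principal ObjectId.
$appRoleGranted = @{}     # "<resource SP ObjectId>/<role Id>" -> $true
Get-AzureADServiceAppRoleAssignedTo -ObjectId $appSp.ObjectId -All $true |
    ForEach-Object { $appRoleGranted["$($_.ResourceId)/$($_.Id)"] = $true }

# Walk the configured permissions and resolve each Id against the API's service principal:
# Type Role -> AppRoles (Application), Type Scope -> Oauth2Permissions (Delegated).
$report = foreach ($resource in $app.RequiredResourceAccess) {
    $resourceSp = Get-AzureADServicePrincipal -Filter "appId eq '$($resource.ResourceAppId)'"
    if (-not $resourceSp) {
        Write-Warning "API $($resource.ResourceAppId) has no service principal in this tenant; skipping."
        continue
    }
    foreach ($access in $resource.ResourceAccess) {
        if ($access.Type -eq 'Role') {
            $definition = $resourceSp.AppRoles | Where-Object { $_.Id -eq $access.Id }
            $granted    = $appRoleGranted.ContainsKey("$($resourceSp.ObjectId)/$($access.Id)")
            $type       = 'Application'
        }
        else {
            $definition = $resourceSp.Oauth2Permissions | Where-Object { $_.Id -eq $access.Id }
            $granted    = $delegatedGranted[$resourceSp.ObjectId] -contains $definition.Value
            $type       = 'Delegated'
        }
        # A permission Id the API no longer publishes yields an empty Permission column;
        # that is worth flagging in a report rather than hiding.
        $status = if ($granted) { 'Granted' } else { 'Not granted' }
        [pscustomobject]@{
            Api        = $resourceSp.DisplayName
            Permission = $definition.Value
            Type       = $type
            Status     = $status
            Id         = $access.Id
        }
    }
}

$report | Sort-Object Api, Type, Permission | Format-Table -AutoSize
```

The grants are collected once into hashtables before the loop so each configured permission is a lookup rather than another directory query; for a tenant-wide inventory, wrap the body in a loop over Get-AzureADApplication -All $true and pipe the objects to Export-Csv instead of Format-Table.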

Looking for a new solution using PowerShell 7.1 and the Az client, I wrote the following script to solve this issue:

# Look up the app registration by display name; az returns a JSON array, so take the first match.
# To cover all applications, loop over `az ad app list --all` and run the body per application.
$app = (az ad app list --display-name "yourapplication" | ConvertFrom-Json)[0]

$listRoles = @()
# Loop over every required API (resourceAppId), then every permission listed under it
foreach ($resource in $app.requiredResourceAccess) {
    # Resolve the API's service principal by its AppId and read its appRoles
    # (application permissions). Delegated scopes live in oauth2PermissionScopes
    # (oauth2Permissions on older az versions) and will not match here.
    $appRolesArray = (az ad sp show --id $resource.resourceAppId | ConvertFrom-Json).appRoles

    foreach ($itemSpId in $resource.resourceAccess) {
        $itemSpId.id

        # Match the configured permission id against the API's published roles
        foreach ($item in $appRolesArray) {
            if ($item.id -eq $itemSpId.id) {
                $listRoles += $item
                $item
            }
        }
    }
}
$listRoles.Count

Now you can do whatever you want with the list of those objects.

The goal was to use the "az client".
