For reporting and monitoring purpose do I like to retrieve the information shown in the Azure portal for an application (App Registration) for "API permissions".
I have tried the following code
$app = Get-AzureADApplication -ObjectId 'aa7e174d-2639-4ac7-9b11-6799466c3c9b'
$app.Oauth2Permissions
But this yields only the following information:
AdminConsentDescription : Allow the application to access foobar_HVV on behalf of the signed-in user.
AdminConsentDisplayName : Access foobar_HVV
Id : h1285f9d5-b00d-4bdb-979d-c4d6487fa000
IsEnabled : True
Type : User
UserConsentDescription : Allow the application to access foobar_HVV on your behalf.
UserConsentDisplayName : Access foobar_HVV
Value : user_impersonation
But "API Permissions" for the application "foobar_HVV" shows totally different permissions. Especially the "Typ" (Delegate, Application) and the "Status" per permission are needed for my report.
If you want to get the API permissions, you need to use the command below.
$app = Get-AzureADApplication -ObjectId '<object-id of the App Registration>'
$app.requiredResourceAccess | ConvertTo-Json -Depth 3
The ResourceAppId is the Application ID of the service principal of the API e.g. Microsoft Graph, the ResourceAccess includes the permissions you added to the app, the Scope means the Delegated permission, Role means the Application permission.
My API permissions:
To check the details of the API permissions , you need to use the command below. For example, we want to know the details of the permission whose Id is 5b567255-7703-4780-807c-7be8301ae99b in the screenshot, its Type is Role, so we need to use $sp.AppRoles.
$sp = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '00000003-0000-0000-c000-000000000000'}
$sp.AppRoles | Where-Object {$_.Id -eq '5b567255-7703-4780-807c-7be8301ae99b'}
If you want to get the Delegated permission(Type is Scope), we need to use:
$sp = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '00000003-0000-0000-c000-000000000000'}
$sp.Oauth2Permissions | Where-Object {$_.Id -eq 'e1fe6dd8-ba31-4d61-89e7-88639da4683d'}
To check Status, there is no direct way, you need to check the permissions granted by the admin of the service principal corresponds to the AD App in your AAD tenant.
First, get the service principal $appsp:
$app = Get-AzureADApplication -ObjectId '<object-id of the App Registration>'
$appsp = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $app.AppId}
Get the Delegated permissions which has been granted(Status is Granted):
Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $appsp.ObjectId -All $true | ConvertTo-Json
The ResourceId is the Object Id of the service principal of the API:
Get the Application permissions which has been granted(Status is Granted):
Get-AzureADServiceAppRoleAssignedTo -ObjectId $appsp.ObjectId | ConvertTo-Json
The Id is the Id in the ResourceAccess in the first screenshot.
If the permission has not been granted(Status is Not Granted), you will not get the permission with the command above.
For example, I add a new Application permission in the portal, then run the command again, we can still get the permission which has been granted.
Looking after a new Solution using the 7.1 PowerShell and Az Client I've wrote follwing Script to solve this Issue:
# loop in all Applications then every Application Loop this one to
$sp = $sp = az ad app list --display-name "yourapplication"
$spIdList = ($sp |ConvertFrom-Json -AsHashtable).requiredResourceAccess.resourceAccess
# retreive the ID from Bucket
$RoleAppID = ($sp| ConvertFrom-Json ).requiredResourceAccess.resourceAppId
## receive all Roles and lookup inside
$appRolesArray = (az ad sp show --id $RoleAppID | ConvertFrom-Json -AsHashtable ).appRoles
$listRoles = #()
foreach ($itemSpId in $spIdList) {
$itemSpId.id
foreach($item in $appRolesArray ) {
if ( $item.id -eq $itemSpId.id ){
$listRoles += $item
$item
}
}
}
$listRoles.count
now you can do whatever you want with the List of those objects.
The Goal was to use the "az client"
Related
I am preparing the report which contains all the users access level tenant wise from the azure.
is there any one command or script to get all the users access level from Azure tenant ?
That is a little be trick: The PS library for Azure is different from the PS library for the AD. You must cross informations.
You must get all users from you AD using the command above and save as variable
$allUsers = Get-ADUsers -Filter *
Now you can navigate to all subscriptions into your tenant, all resource groups and resources and for each and every one get the IAM (who came with the objectId of the user) and cross with the variable $allUsers to identify everyone.
The sample is not the best but maybe can help you:
Connect-AzAccount
$listIAM = New-Object System.Collections.ArrayList
$listSubscriptions = Get-AzSubscription
foreach($subscription in $listSubscriptions){
Set-AzContext -SubscriptionId $subscription.SubscriptionId
# Now you have all roleAssignements for this subscription
$subscriptionIAM = Get-AzRoleAssignment -Scope /subscriptions/$subscription.SubscriptionId
$listIAM.Add($subscriptionIAM) | Out-Null
# Navigate into resource groups
$listResourceGroups = Get-AzResourceGroup
foreach($resourceGroup in $listResourceGroups){
$rgIAM = Get-AzRoleAssignment -ResourceGroupName $resourceGroup.ResourceGroupName
$listIAM.Add($rgIAM) | Out-Null
# Navigate into resources
$listResources = Get-AzResource -ResourceGroupName $resourceGroup
foreach($resource in $listResources){
$rIAM = Get-AzRoleAssignment -Scope $resouce.ResourceId
$listIAM.Add($rIAM) | Out-Null
}
}
}
You can do this in either PowerShell or the Graph API. Both methods are in preview (the graph API calls are under the beta branch).
#Get the user
$userId = (Get-AzureADUser -Filter "userPrincipalName eq 'alice#contoso.com'").ObjectId
#Get direct role assignments to the user
$directRoles = (Get-AzureADMSRoleAssignment -Filter "principalId eq '$userId'").RoleDefinitionId
Prerequisites
AzureADPreview module when using PowerShell
Microsoft.Graph module when using PowerShell
Admin consent when using Graph Explorer for Microsoft Graph API
https://learn.microsoft.com/en-us/azure/active-directory/roles/list-role-assignments-users
I have Azure AD App role assignments to groups in an environment that I can only access using Powershell. To get the AD APP roles assigned to a particular AD Group, I used the command Get-AzureADGroupAppRoleAssignment -ObjectId XXXX-XXX... where the objectId here is the group object id, which works, but the problem is that the output of the command shows only the objectId of the App role, and that objectId isn't for some reason a valid GUID, which makes me unable to use it to query the name of the app role.
Please see below snapshot
To query the name of the app role, you could use the command below.
$rs = Get-AzureADGroupAppRoleAssignment -ObjectId <object-id>
foreach($r in $rs){
$app = Get-AzureADServicePrincipal -ObjectId $r.ResourceId
$DisplayName = ($app.AppRoles | Where-Object {$_.Id -eq $r.Id}).DisplayName
Write-Host $DisplayName of $app.AppDisplayName
}
Its simple, you need to filter your app role with the display name in Get-AzureADGroup and pass it to Get-AzureADGroupAppRoleAssignment
$GroupId = (Get-AzureADGroup -Filter "DisplayName eq 'displayname'" -top 1).objectid
Get-AzureADGroupAppRoleAssignment -ObjectId $GroupId
I need the Tenant admins information to work on a migration project, Is there any way to fetch the admin information by Tenant ID? thanks.
You can try Azure AD powershell module:
Install-Module AzureAD
Connect-AzureAD
Get-AzureADDirectoryRoleMember -ObjectId "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
More info:
https://learn.microsoft.com/en-us/powershell/module/azuread/get-azureaddirectoryrolemember?view=azureadps-2.0
You could use the following code to get directory role by name like Application Administrator.
Connect-AzureAD
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Application Administrator'}
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
And you could use Get-AzureADDirectoryRole to get all directory roles.
I am trying to enable users logging in through Azure device code flow for a public Azure AD App.
I think the exception I am getting is quite straight-forward:
In my Azure AD Portal there is no option for adding Users/Groups (Azure AD->Enterprise Applications) unlike the Web apps however there is an option to enable User Assignment(which is what I want to achieve) which makes it more weird because it says If this option is set to yes, then users must first be assigned to this application before being able to access it.
How to assign users to the application if there is no option to do it from the AD portal? [ Azure documentation here ]
There are two options:
1.Navigate to the app registration in the portal -> Authentication -> set the Treat application as a public client to No -> go to the corresponding enterprise application -> Users and groups -> add the user -> go back to set the Treat application as a public client to Yes.
2.You can use the azure powershell New-AzureADUserAppRoleAssignment to add the user directly.
Assign a user to an application without roles:
New-AzureADUserAppRoleAssignment -ObjectId "<user objectid>" -PrincipalId "<user objectid>" -ResourceId "<service principal objectid(i.e. Enterprise Application objectid)>" -Id ([Guid]::Empty)
Assign a user to a specific app role within an application:
$username = "<You user's UPN>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"
# Get the user to assign, and the service principal for the app to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
#Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
We have two azure resources in the same directory. A webAPI set of APIs behind Azure API Management and an Azure Function. We want the azure function to be able to call the APIs. We've enabled MSI on the azure function as described in How to use managed identities for App Service and Azure Functions. We've created an App Registration in AAD for the API, created a role permission to be accessed. Following Calling your APIs with Azure AD Managed Service Identity using application permissions we run into errors attempting to assign the permission/role to the azure function:
in powershell:
New-AzureADServiceAppRoleAssignment -ObjectId 8XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -Id 3XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -PrincipalId 8XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX -ResourceId 9XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
New-AzureADServiceAppRoleAssignment : Error occurred while executing NewServicePrincipalAppRoleAssignment
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At line:1 char:1
+ New-AzureADServiceAppRoleAssignment -ObjectId 8XXXXXX-XXXX-XXXX-XXXX ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [New-AzureADServiceAppRoleAssignment], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewServ
icePrincipalAppRoleAssignment
is giving us a permission error, even when an AAD Admin (member of AAD DC Administrators I think) runs it. Has anyone run into this before? Why is this throwing a permissions error? We have verified that the ids are correct with 3 different people.
The problem you're probably facing is that, despite naming your app registration the same thing as your MSI-enabled app, the two end up representing different service principals in AAD. Using app registrations with MSI isn't currently supported.
Try running the powershell commands using the object id of the MSI identity instead. I was able to get this to work, and granted my MSI-enabled app access to the Graph Api.
Here is the PS I used to assign the GraphApi roles my function app required:
$functionAppName = "My-FANCY-FUNC"
$context = Get-AzureRmContext -ErrorAction SilentlyContinue #this lets you search AAD for func
if(!$context){
$login = Connect-AzureRmAccount | Out-Null
Connect-AzureAD #needed this for Graph API
$context = $login
} else { Write-Host "Login session already established for " $context.Subscription.SubscriptionName }
#get the SP associated with the MSI
$MSIPrincipal = Get-AzureRmADServicePrincipal -SearchString $functionAppName | Where-Object DisplayName -eq $functionAppName
#get the SP associatesd with the MS Graph
$graph = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -match "Microsoft Graph" }
#find the target app roles in the graph
$targetRoles = $graph.AppRoles | Where-Object Value -in "Group.ReadWrite.All", "Directory.ReadWrite.All"
#iterate throgh the known roles and add the MSI SP to them
$targetRoles | ForEach-Object {New-AzureADServiceAppRoleAssignment -Id $_.Id -PrincipalId $MSIPrincipal.Id -ObjectId $MSIPrincipal.Id -ResourceId $graph.ObjectId}
I suspect, based on your question, that this line will return more than one entity:
Get-AzureRmADServicePrincipal -SearchString $functionAppName | Where-Object DisplayName -eq $functionAppName
Deleting your extraneous app registration should clear that up