junecastillote/Get-AppsWithDelegatedSpoExoScope.ps1

## README.md

      
    Raw
  

              README.md
            
          
    Get-AppsWithDelegatedSpoExoScope.ps1

This script was created for a specific use-case. It retrieves the Azure AD enterprise applications with delegated Exchange Online and SharePoint Online app permissions.
Prerequisites


Microsoft Graph PowerShell SDK installed


Connected to Microsoft Graph PowerShell with Directory.Read.All and Application.Read.All scopes.
  Connect-MgGraph -TenantId TENANT.onmicrosoft.com -Scopes Directory.Read.All,Application.Read.All


Example 1: Get All Enterprise App Service Principals with EXO and SPO Delegated Permissions


Run the script. This example stores the output to the delegated_scopes variable.
.\Get-AppsWithDelegatedSpoExoScope.ps1 -OutVariable delegated_scopes


Export to CSV. This example exports the result to .\delegated_scopes.csv.
$delegated_scopes | Export-Csv -NoTypeInformation -Path .\delegated_scopes.csv


Example 2: Get a Specific Enterprise App Service Principals with EXO and SPO Delegated Permissions by Service Principal Id

.\Get-AppsWithDelegatedSpoExoScope.ps1 -ServicePrincipalId 055a453a-4cd4-4c6a-8049-6b9b9a502d99

Example 3: Get a Specific Enterprise App Service Principals with EXO and SPO Delegated Permissions by Display Name

.\Get-AppsWithDelegatedSpoExoScope.ps1 -DisplayName MailboxQuotaStatus


## Get-AppsWithDelegatedSpoExoScope.ps1
[CmdletBinding(DefaultParameterSetName = 'Default')]
param (
    [Parameter(ParameterSetName = 'ByServicePrincipalId')]
    [ValidateNotNullOrEmpty()]
    [string]
    $ServicePrincipalId,

    [Parameter(ParameterSetName = 'ByDisplayName')]
    [ValidateNotNullOrEmpty()]
    [string]
    $DisplayName,

    [Parameter(ParameterSetName = 'Default')]
    [switch]
    $All
)

# Get the EXO and SPO service principal ID
$exo_resource_id = (Get-MgServicePrincipal -Filter "DisplayName eq 'Office 365 Exchange Online'").Id
$spo_resource_id = (Get-MgServicePrincipal -Filter "DisplayName eq 'Office 365 SharePoint Online'").Id

switch ($PSCmdlet.ParameterSetName) {
    ByServicePrincipalId { # Get specific service pricipal object by ID
        try {
            $all_sp = @(Get-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId -ErrorAction Stop)
        }
        catch {
            Write-Error $_.Exception.Message
            return $null
        }
    }
    ByDisplayName { # Get specific service pricipal object by displayname
        try {
            $all_sp = @(Get-MgServicePrincipal -Filter "DisplayName eq '$($DisplayName)'" -ErrorAction Stop)
        }
        catch {
            Write-Error $_.Exception.Message
            return $null
        }
    }
    Default { # Get all service principal objects
        $all_sp = @(Get-MgServicePrincipal -All)
    }
}

if ($all_sp.Count -lt 1) {
    return $null
}

$total = $all_sp.Count

for ($i = 0 ; $i -lt $total ; $i++) {
    # Calculate the percentage completed
    $percentComplete = [math]::Round(($i / $total) * 100, 2)

    # Display the progress bar
    Write-Progress -Activity "Processing Service Principals [$($i+1) / $total]" `
        -Status "Processing: $($all_sp[$i].DisplayName)" `
        -PercentComplete $percentComplete

    # Get the delegated permissions
    $delegated_permisions = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $all_sp[$i].Id

    # Filter permissions for Exchange and SharePoint Online
    $exo_permissions = ($delegated_permisions | Where-Object { $_.ResourceId -eq $exo_resource_id } | Select-Object -Unique Scope).Scope -join "," -replace " ", ","
    $spo_permissions = ($delegated_permisions | Where-Object { $_.ResourceId -eq $spo_resource_id } | Select-Object -Unique Scope).Scope -join "," -replace " ", ","

    # If either Exchange Online or SharePoint Online permissions are found, create the custom object
    if ($exo_permissions -or $spo_permissions) {
        [PSCustomObject]@{
            DisplayName                          = $all_sp[$i].DisplayName
            Id                                   = $all_sp[$i].Id
            SignInAudience                       = $all_sp[$i].SignInAudience
            ServicePrincipalType                 = $all_sp[$i].ServicePrincipalType
            ExchangeOnlineDelegatedPermissions   = $(if ($exo_permissions) { $exo_permissions } else { 'None' })
            SharePointOnlineDelegatedPermissions = $(if ($spo_permissions) { $spo_permissions } else { 'None' })
        }
    }
}
	[CmdletBinding(DefaultParameterSetName = 'Default')]
	param (
	[Parameter(ParameterSetName = 'ByServicePrincipalId')]
	[ValidateNotNullOrEmpty()]
	[string]
	$ServicePrincipalId,

	[Parameter(ParameterSetName = 'ByDisplayName')]
	[ValidateNotNullOrEmpty()]
	[string]
	$DisplayName,

	[Parameter(ParameterSetName = 'Default')]
	[switch]
	$All
	)

	# Get the EXO and SPO service principal ID
	$exo_resource_id = (Get-MgServicePrincipal -Filter "DisplayName eq 'Office 365 Exchange Online'").Id
	$spo_resource_id = (Get-MgServicePrincipal -Filter "DisplayName eq 'Office 365 SharePoint Online'").Id

	switch ($PSCmdlet.ParameterSetName) {
	ByServicePrincipalId { # Get specific service pricipal object by ID
	try {
	$all_sp = @(Get-MgServicePrincipal -ServicePrincipalId $ServicePrincipalId -ErrorAction Stop)
	}
	catch {
	Write-Error $_.Exception.Message
	return $null
	}
	}
	ByDisplayName { # Get specific service pricipal object by displayname
	try {
	$all_sp = @(Get-MgServicePrincipal -Filter "DisplayName eq '$($DisplayName)'" -ErrorAction Stop)
	}
	catch {
	Write-Error $_.Exception.Message
	return $null
	}
	}
	Default { # Get all service principal objects
	$all_sp = @(Get-MgServicePrincipal -All)
	}
	}

	if ($all_sp.Count -lt 1) {
	return $null
	}

	$total = $all_sp.Count

	for ($i = 0 ; $i -lt $total ; $i++) {
	# Calculate the percentage completed
	$percentComplete = [math]::Round(($i / $total) * 100, 2)

	# Display the progress bar
	Write-Progress -Activity "Processing Service Principals [$($i+1) / $total]" `
	-Status "Processing: $($all_sp[$i].DisplayName)" `
	-PercentComplete $percentComplete

	# Get the delegated permissions
	$delegated_permisions = Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $all_sp[$i].Id

	# Filter permissions for Exchange and SharePoint Online
	$exo_permissions = ($delegated_permisions \| Where-Object { $_.ResourceId -eq $exo_resource_id } \| Select-Object -Unique Scope).Scope -join "," -replace " ", ","
	$spo_permissions = ($delegated_permisions \| Where-Object { $_.ResourceId -eq $spo_resource_id } \| Select-Object -Unique Scope).Scope -join "," -replace " ", ","

	# If either Exchange Online or SharePoint Online permissions are found, create the custom object
	if ($exo_permissions -or $spo_permissions) {
	[PSCustomObject]@{
	DisplayName = $all_sp[$i].DisplayName
	Id = $all_sp[$i].Id
	SignInAudience = $all_sp[$i].SignInAudience
	ServicePrincipalType = $all_sp[$i].ServicePrincipalType
	ExchangeOnlineDelegatedPermissions = $(if ($exo_permissions) { $exo_permissions } else { 'None' })
	SharePointOnlineDelegatedPermissions = $(if ($spo_permissions) { $spo_permissions } else { 'None' })
	}
	}
	}
No results found