cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Using PowerShell in Azure Active Directory to inspect App Service Principals!

TomWechsler
MVP

‎Aug 11 2021 06:24 AM

‎Aug 11 2021 06:24 AM

Using PowerShell in Azure Active Directory to inspect App Service Principals!

 

Hi Azure friends,

 

In this article I would like to share with you some experiences I have made with Azure Active Directory App Service Principals. Really nothing spectacular but I didn't want to keep it from you.

 

I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments):

 

#The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE

Set-Location C:\Temp
Clear-Host

#We need the cmdlets
Install-Module -Name AzureAD -AllowClobber -Force -Verbose

 

#Sometimes the module must be imported
Import-Module AzureAD

 

#Lets connect to the Azure Active Directory
Connect-AzureAD

 

#Get a List of the apps
Get-AzureADApplication

 

#A bit more info
Get-AzureADApplication -Filter "DisplayName eq 'twdemoapp'" | Format-List *

 

#Let's create a variable
$sp = Get-AzureADServicePrincipal -Filter "displayName eq 'twdemoapp'"
$sp.ObjectId

 

#Azure AD App role assignments using objectId of the Service Principal
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true

 

#Remove all users and groups assigned to the application
$assignments | ForEach-Object {
if ($_.PrincipalType -eq "User") {
Remove-AzureADUserAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.ObjectId
} elseif ($_.PrincipalType -eq "Group") {
Remove-AzureADGroupAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.ObjectId
}
}

 

#Get Azure AD App role assignments again
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true | Where-Object {$_.PrincipalType -eq "User"}

 

#Let's check
$assignments

 

#Delegated permissions for the service principal
$spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true| Where-Object { $_.clientId -eq $sp.ObjectId }

 

#Remove all delegated permissions
$spOAuth2PermissionsGrants | ForEach-Object {
Remove-AzureADOAuth2PermissionGrant -ObjectId $_.ObjectId
}

 

#All delegated permissions again
$spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true| Where-Object { $_.clientId -eq $sp.ObjectId }

 

#Let's check
$spOAuth2PermissionsGrants

 

#Application permissions for the service principal
$spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }

 

#Remove all delegated permissions
$spApplicationPermissions | ForEach-Object {
Remove-AzureADServiceAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.objectId
}

 

#Application permissions again
$spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }

 

#Let's check
$spApplicationPermissions

 

These were a few tasks using PowerShell in Azure Active Directory!

 

I hope this article was useful. Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

 

Labels:
1,862 Views
0 Likes
0 Replies
Reply
0 Replies