Using PowerShell in Azure Active Directory to inspect App Service Principals!

%3CLINGO-SUB%20id%3D%22lingo-sub-2636266%22%20slang%3D%22en-US%22%3EUsing%20PowerShell%20in%20Azure%20Active%20Directory%20to%20inspect%20App%20Service%20Principals!%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2636266%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHi%20Azure%20friends%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20this%20article%20I%20would%20like%20to%20share%20with%20you%20some%20experiences%20I%20have%20made%20with%20Azure%20Active%20Directory%20App%20Service%20Principals.%20Really%20nothing%20spectacular%20but%20I%20didn't%20want%20to%20keep%20it%20from%20you.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20used%20the%20PowerShell%20ISE%20for%20this%20configuration.%20But%20you%20are%20also%20very%20welcome%20to%20use%20Visual%20Studio%20Code%2C%20just%20as%20you%20wish.%20Please%20start%20with%20the%20following%20steps%20to%20begin%20the%20deployment%20(the%20Hashtags%20are%20comments)%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23The%20first%20two%20lines%20have%20nothing%20to%20do%20with%20the%20configuration%2C%20but%20make%20some%20space%20below%20in%20the%20blue%20part%20of%20the%20ISE%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ESet-Location%20C%3A%5CTemp%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3EClear-Host%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%23We%20need%20the%20cmdlets%3CBR%20%2F%3E%3CSTRONG%3EInstall-Module%20-Name%20AzureAD%20-AllowClobber%20-Force%20-Verbose%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23Sometimes%20the%20module%20must%20be%20imported%3CBR%20%2F%3E%3CSTRONG%3EImport-Module%20AzureAD%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23Lets%20connect%20to%20the%20Azure%20Active%20Directory%3CBR%20%2F%3E%3CSTRONG%3EConnect-AzureAD%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23Get%20a%20List%20of%20the%20apps%3CBR%20%2F%3E%3CSTRONG%3EGet-AzureADApplication%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23A%20bit%20more%20info%3CBR%20%2F%3E%3CSTRONG%3EGet-AzureADApplication%20-Filter%20%22DisplayName%20eq%20'twdemoapp'%22%20%7C%20Format-List%20*%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23Let's%20create%20a%20variable%3CBR%20%2F%3E%3CSTRONG%3E%24sp%20%3D%20Get-AzureADServicePrincipal%20-Filter%20%22displayName%20eq%20'twdemoapp'%22%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%24sp.ObjectId%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23Azure%20AD%20App%20role%20assignments%20using%20objectId%20of%20the%20Service%20Principal%3CBR%20%2F%3E%3CSTRONG%3E%24assignments%20%3D%20Get-AzureADServiceAppRoleAssignment%20-ObjectId%20%24sp.ObjectId%20-All%20%24true%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23Remove%20all%20users%20and%20groups%20assigned%20to%20the%20application%3CBR%20%2F%3E%3CSTRONG%3E%24assignments%20%7C%20ForEach-Object%20%7B%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3Eif%20(%24_.PrincipalType%20-eq%20%22User%22)%20%7B%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3ERemove-AzureADUserAppRoleAssignment%20-ObjectId%20%24_.PrincipalId%20-AppRoleAssignmentId%20%24_.ObjectId%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7D%20elseif%20(%24_.PrincipalType%20-eq%20%22Group%22)%20%7B%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3ERemove-AzureADGroupAppRoleAssignment%20-ObjectId%20%24_.PrincipalId%20-AppRoleAssignmentId%20%24_.ObjectId%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7D%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7D%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23Get%20Azure%20AD%20App%20role%20assignments%20again%3CBR%20%2F%3E%3CSTRONG%3E%24assignments%20%3D%20Get-AzureADServiceAppRoleAssignment%20-ObjectId%20%24sp.ObjectId%20-All%20%24true%20%7C%20Where-Object%20%7B%24_.PrincipalType%20-eq%20%22User%22%7D%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23Let's%20check%3CBR%20%2F%3E%3CSTRONG%3E%24assignments%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23Delegated%20permissions%20for%20the%20service%20principal%3CBR%20%2F%3E%3CSTRONG%3E%24spOAuth2PermissionsGrants%20%3D%20Get-AzureADOAuth2PermissionGrant%20-All%20%24true%7C%20Where-Object%20%7B%20%24_.clientId%20-eq%20%24sp.ObjectId%20%7D%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23Remove%20all%20delegated%20permissions%3CBR%20%2F%3E%3CSTRONG%3E%24spOAuth2PermissionsGrants%20%7C%20ForEach-Object%20%7B%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3ERemove-AzureADOAuth2PermissionGrant%20-ObjectId%20%24_.ObjectId%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7D%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23All%20delegated%20permissions%20again%3CBR%20%2F%3E%3CSTRONG%3E%24spOAuth2PermissionsGrants%20%3D%20Get-AzureADOAuth2PermissionGrant%20-All%20%24true%7C%20Where-Object%20%7B%20%24_.clientId%20-eq%20%24sp.ObjectId%20%7D%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23Let's%20check%3CBR%20%2F%3E%3CSTRONG%3E%24spOAuth2PermissionsGrants%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23Application%20permissions%20for%20the%20service%20principal%3CBR%20%2F%3E%3CSTRONG%3E%24spApplicationPermissions%20%3D%20Get-AzureADServiceAppRoleAssignedTo%20-ObjectId%20%24sp.ObjectId%20-All%20%24true%20%7C%20Where-Object%20%7B%20%24_.PrincipalType%20-eq%20%22ServicePrincipal%22%20%7D%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23Remove%20all%20delegated%20permissions%3CBR%20%2F%3E%3CSTRONG%3E%24spApplicationPermissions%20%7C%20ForEach-Object%20%7B%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3ERemove-AzureADServiceAppRoleAssignment%20-ObjectId%20%24_.PrincipalId%20-AppRoleAssignmentId%20%24_.objectId%3C%2FSTRONG%3E%3CBR%20%2F%3E%3CSTRONG%3E%7D%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23Application%20permissions%20again%3CBR%20%2F%3E%3CSTRONG%3E%24spApplicationPermissions%20%3D%20Get-AzureADServiceAppRoleAssignedTo%20-ObjectId%20%24sp.ObjectId%20-All%20%24true%20%7C%20Where-Object%20%7B%20%24_.PrincipalType%20-eq%20%22ServicePrincipal%22%20%7D%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%23Let's%20check%3CBR%20%2F%3E%3CSTRONG%3E%24spApplicationPermissions%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThese%20were%20a%20few%20tasks%20using%20PowerShell%20in%20Azure%20Active%20Directory!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EI%20hope%20this%20article%20was%20useful.%20Best%20regards%2C%20Tom%20Wechsler%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EP.S.%20All%20scripts%20(%23PowerShell%2C%20Azure%20CLI%2C%20%23Terraform%2C%20%23ARM)%20that%20I%20use%20can%20be%20found%20on%20github!%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Ftomwechsler%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Ftomwechsler%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2636266%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EWeb%20Apps%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
MVP

 

Hi Azure friends,

 

In this article I would like to share with you some experiences I have made with Azure Active Directory App Service Principals. Really nothing spectacular but I didn't want to keep it from you.

 

I used the PowerShell ISE for this configuration. But you are also very welcome to use Visual Studio Code, just as you wish. Please start with the following steps to begin the deployment (the Hashtags are comments):

 

#The first two lines have nothing to do with the configuration, but make some space below in the blue part of the ISE

Set-Location C:\Temp
Clear-Host

#We need the cmdlets
Install-Module -Name AzureAD -AllowClobber -Force -Verbose

 

#Sometimes the module must be imported
Import-Module AzureAD

 

#Lets connect to the Azure Active Directory
Connect-AzureAD

 

#Get a List of the apps
Get-AzureADApplication

 

#A bit more info
Get-AzureADApplication -Filter "DisplayName eq 'twdemoapp'" | Format-List *

 

#Let's create a variable
$sp = Get-AzureADServicePrincipal -Filter "displayName eq 'twdemoapp'"
$sp.ObjectId

 

#Azure AD App role assignments using objectId of the Service Principal
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true

 

#Remove all users and groups assigned to the application
$assignments | ForEach-Object {
if ($_.PrincipalType -eq "User") {
Remove-AzureADUserAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.ObjectId
} elseif ($_.PrincipalType -eq "Group") {
Remove-AzureADGroupAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.ObjectId
}
}

 

#Get Azure AD App role assignments again
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true | Where-Object {$_.PrincipalType -eq "User"}

 

#Let's check
$assignments

 

#Delegated permissions for the service principal
$spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true| Where-Object { $_.clientId -eq $sp.ObjectId }

 

#Remove all delegated permissions
$spOAuth2PermissionsGrants | ForEach-Object {
Remove-AzureADOAuth2PermissionGrant -ObjectId $_.ObjectId
}

 

#All delegated permissions again
$spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true| Where-Object { $_.clientId -eq $sp.ObjectId }

 

#Let's check
$spOAuth2PermissionsGrants

 

#Application permissions for the service principal
$spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }

 

#Remove all delegated permissions
$spApplicationPermissions | ForEach-Object {
Remove-AzureADServiceAppRoleAssignment -ObjectId $_.PrincipalId -AppRoleAssignmentId $_.objectId
}

 

#Application permissions again
$spApplicationPermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId $sp.ObjectId -All $true | Where-Object { $_.PrincipalType -eq "ServicePrincipal" }

 

#Let's check
$spApplicationPermissions

 

These were a few tasks using PowerShell in Azure Active Directory!

 

I hope this article was useful. Best regards, Tom Wechsler

 

P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechsler

 

0 Replies