crucifix94

Reputation: 203

Get list of apps or permissions for a user in Office 365

Requirement: I want to get the list of all apps (Microsoft or third-party applications) that a particular O365 user has installed or has given some permissions to. I would like to fetch all the permissions/scopes that the particular app asks for.

Google provides an API to do the similar functionality using the /users/xxx/tokens API - https://developers.google.com/admin-sdk/directory/v1/reference/tokens/list

Is there any similar API for MSGraph or Azure AD for Office 365 users to get their list of apps and related permissions?

Upvotes: 2

Views: 4129

Answers (2)

crucifix94

Reputation: 203

Found a way to do this -

First get all the oauth2PermissionGrants objects provided by a user to any of the applications. Use the following API to do this - https://graph.windows.net/{tenantDomain}/users/{userID}/oauth2PermissionGrants?api-version=1.6

Then use the clientId mentioned in the response to get the details for the application:

https://graph.windows.net/{tenantDomain}/servicePrincipals/{clientID}?api-version=1.6

Upvotes: 2

Eric Schnabel

Reputation: 15

Based on the information found here: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-apps-permissions-consent

You can use Get-AzureADUserOAuth2PermissionGrant to see a list of all applications a user has granted access to along with the permission scopes, then use Get-AzureADServicePrincipal to find the name of the application. Here's an example searching based on the user's UPN.

Load all granted applications for a user:

$grants = Get-AzureADUser -SearchString [email protected] | Get-AzureADUserOAuth2PermissionGrant

Get the name of an application from the list above:

Get-AzureADServicePrincipal -ObjectId $grants[0].ClientId

Example:

$grants = Get-AzureADUser -SearchString [email protected] | Get-AzureADUserOAuth2PermissionGrant

> $grants[5] | fl


ClientId    : <snip>
ConsentType : Principal
ExpiryTime  : 4/27/2016 11:15:39 AM
ObjectId    : <snip>
PrincipalId : <snip>
ResourceId  : <snip>
Scope       : User.Read user_impersonation
StartTime   : 1/1/0001 12:00:00 AM

>
> Get-AzureADServicePrincipal -ObjectId $grants[5].ClientId

ObjectId                           AppId                             DisplayName
--------                           -----                             -----------
<snip>                             <snip>                            ExampleAppName

Upvotes: 1
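Both answers describe the same two-step lookup: list the user's oauth2PermissionGrants, then resolve each grant's clientId to a servicePrincipal to learn the application's name. The script below is an added example, not code from either answer: it performs that join over constructed sample responses whose field names mirror the `fl` output above, and then flags grants whose scopes appear on a reviewer-chosen watch list. The URL templates are the ones from the first answer (Azure AD Graph, api-version=1.6); the tenant, user and object ids, the second application and the watch-list contents are assumptions made for the example. Azure AD Graph (graph.windows.net) has since been retired; Microsoft Graph exposes the same oauth2PermissionGrants and servicePrincipals resources, so only the base URL template needs to change.

```python
"""Correlate a user's OAuth2 permission grants with the service principal
each grant points at, and surface broad scopes for review.

Added example; the HTTP layer is pluggable so the script runs offline
against constructed data.  Field names follow the page's `fl` output."""
from typing import Callable, Dict, List

# URL templates from the first answer (Azure AD Graph, api-version=1.6).
GRANTS_URL = "https://graph.windows.net/{tenant}/users/{user}/oauth2PermissionGrants?api-version=1.6"
SP_URL = "https://graph.windows.net/{tenant}/servicePrincipals/{client_id}?api-version=1.6"

# Constructed sample grants response (ids, second app and times are made up).
SAMPLE_GRANTS = {"value": [
    {"objectId": "grant-1", "clientId": "sp-aaa", "consentType": "Principal",
     "principalId": "user-123", "resourceId": "sp-resource",
     "scope": "User.Read user_impersonation",
     "expiryTime": "2016-04-27T11:15:39", "startTime": "0001-01-01T00:00:00"},
    {"objectId": "grant-2", "clientId": "sp-bbb", "consentType": "Principal",
     "principalId": "user-123", "resourceId": "sp-resource",
     # Leading/double spaces are deliberate: scope is a space-separated string.
     "scope": " Mail.ReadWrite  Files.ReadWrite.All Directory.AccessAsUser.All ",
     "expiryTime": "2016-05-01T09:00:00", "startTime": "0001-01-01T00:00:00"},
]}
# Constructed sample servicePrincipal objects, keyed by objectId.
SAMPLE_SPS = {
    "sp-aaa": {"objectId": "sp-aaa", "appId": "app-aaa", "displayName": "ExampleAppName"},
    "sp-bbb": {"objectId": "sp-bbb", "appId": "app-bbb", "displayName": "Constructed Mail Helper"},
}

# Illustrative watch list of delegated scopes a reviewer might want to see first.
BROAD_SCOPES = {"Directory.AccessAsUser.All", "Mail.ReadWrite", "Files.ReadWrite.All"}

Fetcher = Callable[[str], dict]  # url -> parsed JSON body


def build_grants_url(tenant: str, user: str) -> str:
    return GRANTS_URL.format(tenant=tenant, user=user)


def build_sp_url(tenant: str, client_id: str) -> str:
    return SP_URL.format(tenant=tenant, client_id=client_id)


def sample_fetcher(url: str) -> dict:
    """Stand-in for an authenticated GET; serves the constructed samples.
    Against a live tenant, replace with e.g.
    requests.get(url, headers={"Authorization": "Bearer <token>"}).json()."""
    if "/oauth2PermissionGrants" in url:
        return SAMPLE_GRANTS
    client_id = url.split("/servicePrincipals/")[1].split("?")[0]
    return SAMPLE_SPS[client_id]


def parse_scopes(scope: str) -> List[str]:
    """Split the space-separated scope string, dropping empty tokens."""
    return sorted(s for s in scope.split(" ") if s)


def list_user_app_permissions(tenant: str, user: str, fetch: Fetcher) -> List[Dict]:
    """Step 1: grants for the user; step 2: resolve each clientId to its app."""
    grants = fetch(build_grants_url(tenant, user)).get("value", [])
    rows = []
    sp_cache: Dict[str, dict] = {}  # one lookup per distinct clientId
    for g in grants:
        cid = g["clientId"]
        if cid not in sp_cache:
            sp_cache[cid] = fetch(build_sp_url(tenant, cid))
        sp = sp_cache[cid]
        rows.append({
            "app": sp.get("displayName"),
            "app_id": sp.get("appId"),
            "client_id": cid,
            "consent_type": g.get("consentType"),
            "scopes": parse_scopes(g.get("scope", "")),
        })
    return rows


def flag_broad_scopes(rows: List[Dict], watch=BROAD_SCOPES) -> List[Dict]:
    """Return rows granting any watched scope, with the matches listed."""
    flagged = []
    for r in rows:
        hits = sorted(set(r["scopes"]) & set(watch))
        if hits:
            flagged.append({"app": r["app"], "matched": hits})
    return flagged


if __name__ == "__main__":
    report = list_user_app_permissions("contoso.onmicrosoft.com", "user-123", sample_fetcher)
    for r in report:
        print(f"{r['app']:<28} {r['consent_type']:<10} {' '.join(r['scopes'])}")
    for f in flag_broad_scopes(report):
        print(f"REVIEW: {f['app']} -> {', '.join(f['matched'])}")
```

The fetcher takes a URL and returns parsed JSON, so the same join runs unchanged against real responses once an authenticated GET is substituted; caching service principals by clientId keeps the second step to one request per application rather than one per grant.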
