thuld

Reputation: 680

Retrieve "API Permissions" of Azure AD Application via PowerShell

For reporting and monitoring purposes I would like to retrieve the information shown in the Azure portal under "API permissions" for an application (App Registration).

I have tried the following code

$app = Get-AzureADApplication -ObjectId 'aa7e174d-2639-4ac7-9b11-6799466c3c9b'
$app.Oauth2Permissions

But this yields only the following information:

AdminConsentDescription : Allow the application to access foobar_HVV on behalf of the signed-in user.
AdminConsentDisplayName : Access foobar_HVV
Id                      : h1285f9d5-b00d-4bdb-979d-c4d6487fa000
IsEnabled               : True
Type                    : User
UserConsentDescription  : Allow the application to access foobar_HVV on your behalf.
UserConsentDisplayName  : Access foobar_HVV
Value                   : user_impersonation

But "API Permissions" for the application "foobar_HVV" shows totally different permissions. Especially the "Type" (Delegated, Application) and the "Status" per permission are needed for my report.

Upvotes: 3

Views: 16952

Answers (2)

neoinwonderland

Reputation: 86

Looking for a new solution using PowerShell 7.1 and the Az CLI, I wrote the following script to solve this issue:

# Look up one application; to cover every application, loop over `az ad app list` and run this per application
$app = az ad app list --display-name "yourapplication" | ConvertFrom-Json -AsHashtable

$listRoles = @()
# requiredResourceAccess groups the configured permissions per API (resourceAppId) with their permission ids (resourceAccess)
foreach ($required in $app.requiredResourceAccess) {
    # retrieve the service principal of the API (e.g. Microsoft Graph) by its application id
    $resourceSp = az ad sp show --id $required.resourceAppId | ConvertFrom-Json -AsHashtable
    ## Application permissions are defined in appRoles, Delegated permissions in oauth2PermissionScopes
    $appRolesArray = $resourceSp.appRoles
    $scopesArray   = $resourceSp.oauth2PermissionScopes

    foreach ($itemSpId in $required.resourceAccess) {
        $itemSpId.id
        # type is "Role" for an Application permission and "Scope" for a Delegated permission
        $candidates = if ($itemSpId.type -eq 'Role') { $appRolesArray } else { $scopesArray }
        foreach ($item in $candidates) {
            if ($item.id -eq $itemSpId.id) {
                $listRoles += $item
                $item
            }
        }
    }
}
$listRoles.Count

Now you can do whatever you want with the list of those objects.

The goal was to use the "az client".

Upvotes: 0

Joy Wang

Reputation: 42163

If you want to get the API permissions, you need to use the command below.

$app = Get-AzureADApplication -ObjectId '<object-id of the App Registration>'
$app.requiredResourceAccess | ConvertTo-Json -Depth 3


The ResourceAppId is the Application ID of the service principal of the API, e.g. Microsoft Graph. The ResourceAccess includes the permissions you added to the app: Scope means a Delegated permission, Role means an Application permission.

[Screenshot: my API permissions]

To check the details of the API permissions, you need to use the command below. For example, we want to know the details of the permission whose Id is 5b567255-7703-4780-807c-7be8301ae99b in the screenshot; its Type is Role, so we need to use $sp.AppRoles.

# 00000003-0000-0000-c000-000000000000 is the AppId of the Microsoft Graph service principal
$sp = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '00000003-0000-0000-c000-000000000000'}
# Application permissions (Type = Role) are defined in AppRoles
$sp.AppRoles | Where-Object {$_.Id -eq '5b567255-7703-4780-807c-7be8301ae99b'}


If you want to get the Delegated permission (Type is Scope), we need to use:

$sp = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '00000003-0000-0000-c000-000000000000'}
# Delegated permissions (Type = Scope) are defined in Oauth2Permissions
$sp.Oauth2Permissions | Where-Object {$_.Id -eq 'e1fe6dd8-ba31-4d61-89e7-88639da4683d'}


To check Status, there is no direct way; you need to check the permissions that have been granted by the admin to the service principal that corresponds to the AD App in your AAD tenant.

First, get the service principal $appsp:

$app = Get-AzureADApplication -ObjectId '<object-id of the App Registration>'
$appsp = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $app.AppId}

Get the Delegated permissions which have been granted (Status is Granted):

Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $appsp.ObjectId -All $true | ConvertTo-Json


The ResourceId is the Object Id of the service principal of the API.

Get the Application permissions which have been granted (Status is Granted):

Get-AzureADServiceAppRoleAssignedTo -ObjectId $appsp.ObjectId | ConvertTo-Json

The Id is the Id in the ResourceAccess in the first screenshot.


If the permission has not been granted (Status is Not Granted), you will not get the permission with the command above.

For example, I add a new Application permission in the portal, then run the command again; we still get only the permission which has already been granted.


Upvotes: 14
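Putting the pieces of this answer together into one report (API, permission, Type, Status) for every App Registration, as an added example that is not code from the question or from either answer. It uses only the AzureAD cmdlets shown above and assumes Connect-AzureAD has already been run; the function name, the output object's property names and the caching helper are my own choices. The Status column follows the answer's approach: a Delegated permission counts as Granted when an OAuth2 permission grant with ConsentType AllPrincipals (admin consent) lists its scope value for that API, and an Application permission counts as Granted when an app role assignment for that role exists.

```powershell
# Added example (not from the question or answers): per-permission report for App Registrations.
# Assumes Connect-AzureAD has been run. Function and property names are my own choices.
function Get-AppRegistrationApiPermissionReport {
    [CmdletBinding()]
    param(
        # Optional: restrict the report to one App Registration by its ObjectId
        [string]$ApplicationObjectId
    )

    # Cache of the API service principals (e.g. Microsoft Graph), keyed by AppId,
    # so each API is looked up only once even across many applications
    $resourceSpCache = @{}
    function Get-ResourceSp([string]$AppId) {
        if (-not $resourceSpCache.ContainsKey($AppId)) {
            $resourceSpCache[$AppId] = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
        }
        return $resourceSpCache[$AppId]
    }

    $apps = if ($ApplicationObjectId) { Get-AzureADApplication -ObjectId $ApplicationObjectId }
            else { Get-AzureADApplication -All $true }

    foreach ($app in $apps) {
        # Service principal that corresponds to the App Registration in this tenant
        $appSp = Get-AzureADServicePrincipal -Filter "appId eq '$($app.AppId)'"
        $grants = @()
        $roleAssignments = @()
        if ($appSp) {
            # Delegated permissions that have been granted; Scope is a space separated list of values.
            # ConsentType 'AllPrincipals' is admin consent, which is what the portal Status reflects (assumption)
            $grants = Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $appSp.ObjectId -All $true |
                Where-Object { $_.ConsentType -eq 'AllPrincipals' }
            # Application permissions that have been granted (app role assignments), as in the answer above
            $roleAssignments = Get-AzureADServiceAppRoleAssignedTo -ObjectId $appSp.ObjectId -All $true
        }

        # RequiredResourceAccess = what is configured in the portal; one entry per API
        foreach ($required in $app.RequiredResourceAccess) {
            $resourceSp = Get-ResourceSp $required.ResourceAppId
            foreach ($access in $required.ResourceAccess) {
                if ($access.Type -eq 'Role') {
                    # Application permission: definition lives in the API's AppRoles
                    $definition = $resourceSp.AppRoles | Where-Object { $_.Id -eq $access.Id }
                    $granted = [bool]($roleAssignments | Where-Object {
                        $_.ResourceId -eq $resourceSp.ObjectId -and $_.Id -eq $access.Id })
                    $type = 'Application'
                } else {
                    # Delegated permission: definition lives in the API's Oauth2Permissions
                    $definition = $resourceSp.Oauth2Permissions | Where-Object { $_.Id -eq $access.Id }
                    $granted = [bool]($grants | Where-Object {
                        $_.ResourceId -eq $resourceSp.ObjectId -and
                        (($_.Scope -split ' ') -contains $definition.Value) })
                    $type = 'Delegated'
                }
                [pscustomobject]@{
                    Application = $app.DisplayName
                    AppObjectId = $app.ObjectId
                    Api         = if ($resourceSp) { $resourceSp.DisplayName } else { $required.ResourceAppId }
                    Permission  = if ($definition) { $definition.Value } else { $access.Id }
                    Type        = $type
                    Status      = if ($granted) { 'Granted' } else { 'Not granted' }
                }
            }
        }
    }
}

# Usage (after Connect-AzureAD):
#   Get-AppRegistrationApiPermissionReport | Format-Table -AutoSize
#   Get-AppRegistrationApiPermissionReport -ApplicationObjectId '<object-id>' |
#       Export-Csv .\api-permissions.csv -NoTypeInformation
```

If an API's service principal does not exist in the tenant, the Api column falls back to the raw ResourceAppId and the Permission column to the raw permission Id, so nothing configured on the application is silently dropped from the report; those rows always show Not granted, because nothing can be consented to an API that is not present.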
