
How to list Service principal permissions using powershell


I have to list out the permissions given to a service principal using PowerShell. The Get-AzADServicePrincipal cmdlet is not giving full details. Can anyone help? I need the permissions list with claim value and type, like in the image below.


Solution

  • I am using the AzureAD module for tasks like this one (https://learn.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0).

    Application permissions

    With the cmdlet Get-AzureADServiceAppRoleAssignedTo you can list the application permissions given to your service principal:

    $rolesAssigned = Get-AzureADServiceAppRoleAssignedTo -ObjectId 'OBJECTIDOFYOURSERVICEPRINCIPAL'
    $rolesAssigned | Select-Object -Property *
    

    This command returns only the ResourceDisplayName (in your screenshot Microsoft Graph), ResourceId (the ObjectId of the Microsoft Graph app) and the Id of the permission.

    If you want to get the permission name and description you can get them with the cmdlet Get-AzureADServicePrincipal:

    foreach ($role in $rolesAssigned) {
       $servicePrincipal = Get-AzureADServicePrincipal -ObjectId $role.ResourceId
    
       $servicePrincipal.AppRoles | Where-Object { $_.Id -like $role.Id }
    }
    

    This will loop through every permission and print out the name, description and other properties.

    Delegated permissions

    For getting delegated permissions of a service principal you can use the Get-AzureADOAuth2PermissionGrant cmdlet:

    # -All $true fetches every grant in the tenant; without it only the first page is returned and the filter may miss your service principal
    $spDelegatedPermissions = Get-AzureADOAuth2PermissionGrant -All $true | Where-Object { $_.ClientId -eq 'OBJECTIDOFYOURSERVICEPRINCIPAL' }
    $spDelegatedPermissions | Select-Object -Property *
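    Putting both halves of the answer together, here is an added example (not the answerer's code) that resolves application and delegated permissions into one table with the claim value, type and consent kind the question asks for. It assumes the AzureAD module is loaded, Connect-AzureAD has been run, and the function name Get-SpPermissionReport and the placeholder object id are mine.

```powershell
# Added example; assumes Connect-AzureAD has already been run.
$spObjectId = 'OBJECTIDOFYOURSERVICEPRINCIPAL'   # placeholder, replace with your SP ObjectId

function Get-SpPermissionReport {
    param([Parameter(Mandatory)][string]$ServicePrincipalObjectId)

    $resourceCache = @{}   # resource ObjectId -> resource service principal, fetched once
    $report = [System.Collections.Generic.List[object]]::new()

    # Application permissions: app roles granted to this SP on each resource API
    foreach ($assignment in Get-AzureADServiceAppRoleAssignedTo -ObjectId $ServicePrincipalObjectId -All $true) {
        if (-not $resourceCache.ContainsKey($assignment.ResourceId)) {
            $resourceCache[$assignment.ResourceId] = Get-AzureADServicePrincipal -ObjectId $assignment.ResourceId
        }
        $resource = $resourceCache[$assignment.ResourceId]
        $appRole  = $resource.AppRoles | Where-Object { $_.Id -eq $assignment.Id }
        $report.Add([pscustomobject]@{
            Resource    = $assignment.ResourceDisplayName
            ClaimValue  = $appRole.Value            # e.g. Directory.Read.All
            Type        = 'Application'
            Consent     = 'Admin'                   # app roles always require admin consent
            Description = $appRole.Description
        })
    }

    # Delegated permissions: OAuth2 grants where this SP is the client
    $grants = Get-AzureADOAuth2PermissionGrant -All $true |
        Where-Object { $_.ClientId -eq $ServicePrincipalObjectId }
    foreach ($grant in $grants) {
        if (-not $resourceCache.ContainsKey($grant.ResourceId)) {
            $resourceCache[$grant.ResourceId] = Get-AzureADServicePrincipal -ObjectId $grant.ResourceId
        }
        $resource = $resourceCache[$grant.ResourceId]
        # AllPrincipals = admin consented for every user; Principal = a single user's consent
        $consent = if ($grant.ConsentType -eq 'AllPrincipals') { 'Admin (all users)' } else { 'User' }
        # Scope is a space-separated list of delegated claim values
        foreach ($scope in ($grant.Scope -split ' ' | Where-Object { $_ })) {
            $scopeDef = $resource.Oauth2Permissions | Where-Object { $_.Value -eq $scope }
            $report.Add([pscustomobject]@{
                Resource    = $resource.DisplayName
                ClaimValue  = $scope
                Type        = 'Delegated'
                Consent     = $consent
                Description = $scopeDef.AdminConsentDescription
            })
        }
    }
    return $report
}

Get-SpPermissionReport -ServicePrincipalObjectId $spObjectId |
    Sort-Object Type, Resource, ClaimValue | Format-Table -AutoSize
```

    Reviewing the resulting table for high-privilege application claims (for example any *.ReadWrite.All on Microsoft Graph) is a quick way to spot service principals that hold more than their workload needs.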