Tags: powershell, microsoft-graph-api, azure-service-principal

Get Claim Value/AppRole Name from AppRoleId for Service Principals (PowerShell)


I'm trying to get all app role assignments for all service principals.

I use the following command to get the app role assignments per service principal.

Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId <id>

That returns:

AppRoleId            : df021288-bdef-4463-88db-98f22de89214
CreatedDateTime      : 2022-11-24 08:32:38
DeletedDateTime      :
Id                   : <Id>
PrincipalDisplayName : <PrincipalDisplayName>
PrincipalId          : <PrincipalId>
PrincipalType        : ServicePrincipal
ResourceDisplayName  : Microsoft Graph
ResourceId           : <ResourceId>
AdditionalProperties : {}

I get everything I need but the claim value/app role name. In this case it's 'User.Read.All'.

Is there a way to get/look up these names for the Microsoft APIs that you can assign permissions for in the Azure portal, preferably using PowerShell? Those would be Graph API, Office 365 Management APIs, etc.


Solution

  • To fetch all the app roles assigned to all the service principals, you can use the script below:

    Script:

    # Application.Read.All is enough to read applications and service principals (read-only).
    Connect-MgGraph -Scopes "Application.Read.All"
    
    # -All follows pagination; without it only the first page of objects is returned.
    $Apps = Get-MgApplication -All
    $ServicePrincipals = Get-MgServicePrincipal -All
    $RolesList = @()
    
    # Collect the app roles exposed by every resource service principal (Microsoft Graph,
    # Office 365 Management APIs, ...). Each role's Id is the AppRoleId, Value is the claim value.
    foreach ($sp in $ServicePrincipals) {
        $RolesList += $sp.AppRoles
    }
    
    $Data = @()
    foreach ($App in $Apps) {
        foreach ($Access in $App.RequiredResourceAccess) {
    
            foreach ($Permission in $Access.ResourceAccess) {
                $PermissionName = $null
    
                # 'Role' = application permission (app role); 'Scope' = delegated permission.
                if ($Permission.Type -eq 'Role') {
                    $PermissionName = ($RolesList | Where-Object { $_.Id -eq $Permission.Id }).Value
                }
    
                if ($PermissionName) {
                    $Data += [PSCustomObject]@{
                        'Application Display Name' = $App.DisplayName
                        'Permission Type'          = $Permission.Type
                        'Permission Value'         = $PermissionName
                    }
                }
            }
        }
    }
    
    $Data | Format-Table -AutoSize
    

    Output: a table with the columns Application Display Name, Permission Type and Permission Value (shown as a screenshot in the original answer; not reproduced here).
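As an added example (not the answer's or the Microsoft Graph SDK's own code), the script below does what the question asks directly: it walks the app role assignments of every service principal and resolves each AppRoleId against the AppRoles collection of the resource service principal, so it works for Microsoft Graph, the Office 365 Management APIs or any other API that exposes app roles. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in session holds Application.Read.All; Resolve-AppRoleName and $ResourceCache are names chosen for this example.

```powershell
# Added example: map AppRoleId -> claim value for every service principal's app role assignments.
# Assumes the Microsoft Graph PowerShell SDK and a read-only session with Application.Read.All.
Connect-MgGraph -Scopes "Application.Read.All"

# Cache each resource service principal (Graph, O365 Management, ...) so it is fetched once.
$ResourceCache = @{}

function Resolve-AppRoleName {
    param(
        [Parameter(Mandatory)][string]$ResourceId,
        [Parameter(Mandatory)][string]$AppRoleId
    )
    # The all-zero GUID means "default access" (the app defines no app roles).
    if ($AppRoleId -eq '00000000-0000-0000-0000-000000000000') {
        return '(default access, no app role)'
    }
    if (-not $ResourceCache.ContainsKey($ResourceId)) {
        $ResourceCache[$ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $ResourceId
    }
    $role = $ResourceCache[$ResourceId].AppRoles | Where-Object { $_.Id -eq $AppRoleId }
    if ($role) { return $role.Value }
    # Role id not published by the resource any more (retired role): keep the raw id visible.
    return "<unknown AppRoleId $AppRoleId>"
}

$Report = foreach ($sp in (Get-MgServicePrincipal -All)) {
    # -All follows pagination so service principals with many assignments are fully listed.
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    foreach ($a in $assignments) {
        [PSCustomObject]@{
            ServicePrincipal = $sp.DisplayName
            Resource         = $a.ResourceDisplayName
            AppRoleId        = $a.AppRoleId
            ClaimValue       = Resolve-AppRoleName -ResourceId $a.ResourceId -AppRoleId $a.AppRoleId
            GrantedOn        = $a.CreatedDateTime
        }
    }
}

# For the assignment shown in the question this yields Resource = Microsoft Graph,
# AppRoleId = df021288-bdef-4463-88db-98f22de89214, ClaimValue = User.Read.All.
$Report | Sort-Object ServicePrincipal, Resource, ClaimValue | Format-Table -AutoSize
```

Because the lookup is keyed on the resource service principal rather than on a hard-coded table, newly added API roles resolve without changes; reviewing the resulting list for broad application permissions is a useful periodic tenant audit.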