azureadgraphapps's Introduction

Azure AD Graph

This PowerShell script lists the applications in your tenant that have been granted permissions to Azure AD Graph, so you know which ones to migrate before Azure AD Graph is retired.

If you have applications that use Azure AD Graph permissions and that actively call Azure AD Graph, follow the steps in the App migration planning checklist to migrate your applications using Azure AD Graph to Microsoft Graph.

⚠️ Azure AD Graph is deprecated. To avoid loss of functionality, migrate your applications to Microsoft Graph as soon as possible.

Prerequisites

You will need the PowerShell Desktop edition (Windows PowerShell 5.1) to run this script: the Azure AD PowerShell module it depends on targets Windows PowerShell, and the script fails under PowerShell Core, on macOS and in Azure Cloud Shell (see the issues below). If you're on a Mac or if you use Azure Cloud Shell, you can obtain the same list of applications using the Azure portal by following these steps.

⚠️ This script does not capture all instances of Azure AD Graph usage. It works from the consent grants and app role assignments recorded in the directory, not from observed API calls, so it can both miss callers and list applications that need no further work. Applications in the situations below are not reported correctly:

  • App has not been granted delegated permissions for Azure AD Graph, but still calls Azure AD Graph (for example, relying on delegated permissions granted for Microsoft Graph for authorization). Not included in the report.
  • App has not been granted app role assignments for Azure AD Graph, but still calls Azure AD Graph (for example, relying on directory role assignments and/or ownership for direct authorization). Not included in the report.
  • App has been granted delegated permissions for Azure AD Graph but has already migrated to Microsoft Graph (delegated permissions granted previously for Azure AD Graph are considered granted for Microsoft Graph as well). Included in the report even though no migration work remains.
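To make the grants-based approach concrete, the script below is an added example and not the project's own Get-AzureADGraphApps.ps1. It builds the same kind of inventory by hand from the two sources the directory records: OAuth2 permission grants (delegated permissions) and app role assignments (application permissions) on the Azure AD Graph resource, and adds the owner column suggested in the issues below. It uses the well-known application ID of Azure AD Graph (00000002-0000-0000-c000-000000000000). Two assumptions are labelled in the code: that, in the AzureAD module, Get-AzureADServiceAppRoleAssignment run against a resource service principal lists the principals that hold app roles on it (the module's naming is the reverse of Microsoft Graph's appRoleAssignedTo), and that the output file name is free to choose. Run it in Windows PowerShell 5.1 after Connect-AzureAD.

```powershell
# Added example (not the project's script): grants-based inventory of Azure AD Graph clients.
# Reads consent grants and app role assignments only; it does not observe API traffic, so the
# limitations listed above apply to this code as well.

# Well-known application ID of Azure AD Graph ("Windows Azure Active Directory")
$aadGraphAppId = '00000002-0000-0000-c000-000000000000'

$aadGraphSp = Get-AzureADServicePrincipal -Filter "appId eq '$aadGraphAppId'"
if (-not $aadGraphSp) { throw 'Azure AD Graph service principal not found in this tenant.' }

# App role id -> permission name (e.g. Directory.Read.All), so app-only grants are readable
$roleName = @{}
foreach ($role in $aadGraphSp.AppRoles) { $roleName[[string]$role.Id] = $role.Value }

# Resolve each client service principal once; owner UPNs help triage the report
$spCache = @{}
function Get-ClientInfo([string]$objectId) {
    if (-not $spCache.ContainsKey($objectId)) {
        $sp = Get-AzureADServicePrincipal -ObjectId $objectId -ErrorAction SilentlyContinue
        $owners = if ($sp) { Get-AzureADServicePrincipalOwner -ObjectId $objectId -ErrorAction SilentlyContinue } else { $null }
        $spCache[$objectId] = [pscustomobject]@{
            Sp     = $sp
            Owners = (@($owners | ForEach-Object { $_.UserPrincipalName } | Where-Object { $_ })) -join ';'
        }
    }
    $spCache[$objectId]
}

function New-Row($client, $type, $permission) {
    [pscustomobject]@{
        ObjectId         = $client.Sp.ObjectId
        DisplayName      = $client.Sp.DisplayName
        ApplicationId    = $client.Sp.AppId
        PublisherName    = $client.Sp.PublisherName
        AppOwnerTenantId = $client.Sp.AppOwnerTenantId
        Owner            = $client.Owners
        PermissionType   = $type
        Resource         = $aadGraphSp.DisplayName
        Permission       = $permission
    }
}

$rows = New-Object System.Collections.Generic.List[object]

# 1. Delegated permissions: OAuth2 permission grants whose resource is Azure AD Graph.
#    ConsentType is 'AllPrincipals' (admin consent for all users) or 'Principal' (one user).
Get-AzureADOAuth2PermissionGrant -All $true |
    Where-Object { $_.ResourceId -eq $aadGraphSp.ObjectId } |
    ForEach-Object {
        $grant  = $_
        $client = Get-ClientInfo $grant.ClientId
        if (-not $client.Sp) { return }        # client service principal deleted since consent
        foreach ($scope in @($grant.Scope -split ' ' | Where-Object { $_ })) {
            $rows.Add((New-Row $client "Delegated-$($grant.ConsentType)" $scope))
        }
    }

# 2. Application permissions: app role assignments on the Azure AD Graph resource.
#    Assumption: Get-AzureADServiceAppRoleAssignment on the *resource* lists the principals
#    assigned roles on it. Verify against one app you know before trusting the result.
Get-AzureADServiceAppRoleAssignment -ObjectId $aadGraphSp.ObjectId -All $true |
    Where-Object { $_.PrincipalType -eq 'ServicePrincipal' } |
    ForEach-Object {
        $client = Get-ClientInfo $_.PrincipalId
        if (-not $client.Sp) { return }
        $name = if ($roleName.ContainsKey([string]$_.Id)) { $roleName[[string]$_.Id] } else { [string]$_.Id }
        $rows.Add((New-Row $client 'Application' $name))
    }

# Output file name is an assumption; pick whatever fits your process
$rows | Sort-Object PermissionType, DisplayName | Export-Csv .\aadgraphapps-manual.csv -NoTypeInformation
```

Because every row comes from a grant object, an app that calls Azure AD Graph with no grant of its own (the first two situations above) never appears, and an app that kept its old delegated grant after migrating (the third) still does; compare the report with the app's actual sign-in activity before deciding it is done.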

Download and save the Get-AzureADGraphApps.ps1 script file to your device.

Note:
This script has a dependency on the Azure AD PowerShell module (AzureAD). When the script is run it will automatically install the dependent module from the PowerShell Gallery if it is not already installed. If your environment restricts installing modules from the gallery, install it beforehand with Install-Module AzureAD.

Usage

The commands below sign in to the tenant and write a CSV of all the apps in the tenant that rely on Azure AD Graph. The script also calls Connect-AzureAD itself, so it prompts for sign-in if you skip the first line.

Connect-AzureAD
.\Get-AzureADGraphApps.ps1 | Export-Csv .\aadgraphapps.csv -NoTypeInformation
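A fuller run, added here as an example and not part of the project, that keeps only the report rows before exporting and then summarises what to migrate first. It assumes the column names the script emits as shown in the issues below (ObjectId, DisplayName, ApplicationId, PermissionType, Resource, Permission, MicrosoftApp), that PermissionType values other than Delegated-* are app-only grants, and that the script's own Connect-AzureAD call can leave a context object in the pipeline (the CSV header problem reported in the issues).

```powershell
# Added example (not the project's script): run the inventory, keep report rows only,
# export, and summarise. Column names assumed from the repo's issues.
Connect-AzureAD | Out-Null

# Export-Csv takes its header from the first object in the pipeline. The script calls
# Connect-AzureAD internally, and that context object (Account, Environment, Tenant...)
# can arrive first and turn every real row into blanks, so keep rows that have a Permission.
$rows = @(.\Get-AzureADGraphApps.ps1 | Where-Object { $_.PSObject.Properties.Name -contains 'Permission' })
$rows | Export-Csv .\aadgraphapps.csv -NoTypeInformation
"Report rows: $($rows.Count)"

# Microsoft first-party apps are Microsoft's to migrate; everything else is yours.
# MicrosoftApp is a boolean from the script; compare as text so a re-imported CSV works too.
$yours = $rows | Where-Object { [string]$_.MicrosoftApp -ne 'True' }

# App-only grants (assumed: any PermissionType that is not Delegated-*) run with no user
# present and keep working until the API is switched off, so list them first: one line
# per application with all of its Azure AD Graph permissions.
$yours | Where-Object { $_.PermissionType -notlike 'Delegated-*' } |
    Group-Object ApplicationId | ForEach-Object {
        [pscustomobject]@{
            DisplayName   = $_.Group[0].DisplayName
            ApplicationId = $_.Name
            Permissions   = (@($_.Group.Permission) | Sort-Object -Unique) -join ' '
        }
    } | Sort-Object DisplayName | Format-Table -AutoSize

# Delegated grants by consent type. Delegated-AllPrincipals (shown in the issues) is
# tenant-wide admin consent; a per-user consent label such as Delegated-Principal is assumed.
$yours | Where-Object { $_.PermissionType -like 'Delegated-*' } |
    Group-Object PermissionType | Select-Object Name, Count | Format-Table -AutoSize
```

Keep the exported CSV with the run date: the FAQ below says the script never removes anything, so the file is your before-state when you later verify that the Azure AD Graph grants are gone.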

FAQs

Q: I use a Mac/Azure Cloud Shell. Can I run this script?

A: No, but you can fetch the same list of applications (that use Azure Active Directory Graph permissions) using the Azure portal by following these steps.

Q: What permission do I need to run this script?

A: This script can be run by any member user in the tenant and does not require a privileged Azure AD role: it only reads service principals, OAuth2 permission grants and app role assignments, which default user permissions allow. Sign in with an account that exists in the tenant you are reporting on; an account the tenant does not know (for example a personal Microsoft account) commonly fails with Authentication_Unauthorized / User was not found, as in the issues below.

Q: How long will the script take to complete?

A: The duration depends on the number of service principals in the tenant. A small tenant with fewer than 1,000 service principals will usually complete in a few minutes. Larger tenants can take 1-2 hours, and very large tenants with more than 100,000 service principals can take 10-24 hours to run.

Q: Can I use Azure AD Graph permissions to call Microsoft Graph?

A: No, use the corresponding Microsoft Graph permissions. For more information, see Review app registration, permissions, and consent.

Q: Does this script automatically remove my Azure AD Graph permissions in favor of Microsoft Graph permissions?

A: No, this script gives you a list of applications that have Azure AD Graph permissions. You should review these applications, grant them the corresponding Microsoft Graph permissions, migrate their Azure AD Graph API calls to Microsoft Graph, and then remove these Azure AD Graph permissions. Our App migration planning checklist can help you with this process.
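The answer above ends with removing the Azure AD Graph permissions once the Microsoft Graph ones are in place. The function below is an added example, not code from the project or from the App migration planning checklist, that gates that last step for one application's delegated grants: it compares the app's Azure AD Graph grants with its Microsoft Graph grants of the same consent type (and, for user consent, the same user) and revokes an Azure AD Graph grant only when every scope in it already exists on Microsoft Graph. It uses the well-known application IDs of Azure AD Graph (00000002-0000-0000-c000-000000000000) and Microsoft Graph (00000003-0000-0000-c000-000000000000), assumes scope names are identical on both APIs (true for common ones such as User.Read and Directory.Read.All; renamed permissions need a manual mapping), covers delegated grants only, and removes nothing unless -Revoke is passed.

```powershell
# Added example (not the project's code): revoke an app's Azure AD Graph delegated grants
# only after equivalent Microsoft Graph grants exist. Dry run by default.
function Invoke-AadGraphGrantCleanup {
    param(
        [Parameter(Mandatory)][string]$ClientObjectId,   # ObjectId of the client service principal
        [switch]$Revoke                                  # actually remove grants; default is report only
    )
    $aadGraphSp = Get-AzureADServicePrincipal -Filter "appId eq '00000002-0000-0000-c000-000000000000'"
    $msGraphSp  = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    if (-not $aadGraphSp -or -not $msGraphSp) { throw 'Azure AD Graph or Microsoft Graph service principal not found.' }

    # All delegated grants held by this client, split by resource
    $grants = Get-AzureADOAuth2PermissionGrant -All $true | Where-Object { $_.ClientId -eq $ClientObjectId }
    $old = @($grants | Where-Object { $_.ResourceId -eq $aadGraphSp.ObjectId })
    $new = @($grants | Where-Object { $_.ResourceId -eq $msGraphSp.ObjectId })

    if (-not $old) { Write-Output "No Azure AD Graph delegated grants for $ClientObjectId"; return }

    foreach ($g in $old) {
        # The Microsoft Graph grant that replaces this one: same consent type and,
        # for per-user consent, the same user (PrincipalId is empty for AllPrincipals)
        $twin = @($new | Where-Object { $_.ConsentType -eq $g.ConsentType -and $_.PrincipalId -eq $g.PrincipalId })
        $have = @($twin | ForEach-Object { $_.Scope -split ' ' } | Where-Object { $_ })
        $need = @($g.Scope -split ' ' | Where-Object { $_ })

        # Assumption: scope names match between the APIs; renamed ones must be mapped by hand
        $missing = @($need | Where-Object { $have -notcontains $_ })
        if ($missing) {
            Write-Warning "Keep AAD Graph grant $($g.ObjectId) ($($g.ConsentType)): Microsoft Graph lacks $($missing -join ' ')"
            continue
        }
        if ($Revoke) {
            Remove-AzureADOAuth2PermissionGrant -ObjectId $g.ObjectId
            Write-Output "Revoked AAD Graph grant $($g.ObjectId) ($($g.ConsentType)): $($g.Scope)"
        } else {
            Write-Output "Would revoke AAD Graph grant $($g.ObjectId) ($($g.ConsentType)): $($g.Scope) (re-run with -Revoke)"
        }
    }
}

# Usage: dry run first, then revoke once the output shows nothing is missing
# Invoke-AadGraphGrantCleanup -ClientObjectId '<client service principal ObjectId>'
# Invoke-AadGraphGrantCleanup -ClientObjectId '<client service principal ObjectId>' -Revoke
```

Revoke only after the app's Azure AD Graph calls have actually been migrated, not merely after the Microsoft Graph grant exists: a matching grant proves the new permission is in place, not that the old code path is gone.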

Support

Please see SUPPORT.md for support options.

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

azureadgraphapps's People

Contributors

binarywizard904, dhruvchand, jeevansd, merill, microsoftopensource, mmacy

azureadgraphapps's Issues

Error: Authentication_Unauthorized / User was not found.

What happened

Executed the script

PS C:\Users\John\AzureADGraphApps> .\Get-AzureADGraphApps.ps1 | Export-Csv .\aadgraphapps.csv -NoTypeInformation

It showed a dialog to log in with a Microsoft account. After logging in successfully, it showed this error:

Get-AzureADServicePrincipal : Error occurred while executing GetServicePrincipals
Code: Authentication_Unauthorized
Message: User was not found.
RequestId: 8768a95b-19d6-4be4-8fdb-62e8db03331d
DateTimeStamp: Fri, 20 Aug 2021 07:43:27 GMT
HttpStatusCode: Forbidden
HttpStatusDescription: Forbidden
HttpResponseStatus: Completed
At C:\Users\John\AzureADGraphApps\Get-AzureADGraphApps.ps1:75 char:26
+     $servicePrincipals = Get-AzureADServicePrincipal -All $true
+                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-AzureADServicePrincipal], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetServicePrincipal

You cannot call a method on a null-valued expression.
At C:\Users\John\AzureADGraphApps\Get-AzureADGraphApps.ps1:136 char:5
+     $script:ObjectByObjectClassId['ServicePrincipal'].GetEnumerator() ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
    + FullyQualifiedErrorId : InvokeMethodOnNull

Environment

PS C:\Users\John\AzureADGraphApps> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.19041.1151
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.1151
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Error when running AzureADGraphApps

Hello,

I have run the script after logging into our AzureAD tenancy, but when I do run this I just get errors as shown below.

The command I typed was: Get-AzureADGraphApps.ps1 | Export-Csv .\aadgraphapps.csv -NoTypeInformation

Any ideas why this is failing?

At \Install\Microsoft\Powershell\Get-AzureADGraphApps.ps1:8 char:89 + ... a-color-mode="auto" data-light-theme="light" data-dark-theme="dark" > + ~
Missing file specification after redirection operator.
At \Install\Microsoft\Powershell\Get-AzureADGraphApps.ps1:182 char:19 + Sign up + ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double
quotation marks ("&") to pass it as part of a string.
At \Install\Microsoft\Powershell\Get-AzureADGraphApps.ps1:185 char:180 + ... -details-target btn-link d-lg-none mt-1 color-fg-inherit"> <svg aria ... + ~ The '<' operator is reserved for future use.
At \Install\Microsoft\Powershell\Get-AzureADGraphApps.ps1:189 char:16 + + ~
The '<' operator is reserved for future use.
At \Install\Microsoft\Powershell\Get-AzureADGraphApps.ps1:194 char:148 + ... -view-component="true" class="js-details-target btn-link"> <svg aria ... + ~ The '<' operator is reserved for future use.
At \Install\Microsoft\Powershell\Get-AzureADGraphApps.ps1:198 char:16 + + ~
The '<' operator is reserved for future use.
At \Install\Microsoft\Powershell\Get-AzureADGraphApps.ps1:213 char:7 + + ~
The '<' operator is reserved for future use.
At \Install\Microsoft\Powershell\Get-AzureADGraphApps.ps1:218 char:7 + + ~
The '<' operator is reserved for future use.
At \Install\Microsoft\Powershell\Get-AzureADGraphApps.ps1:223 char:7 + + ~
The '<' operator is reserved for future use.
At \Install\Microsoft\Powershell\Get-AzureADGraphApps.ps1:228 char:7 + + ~
The '<' operator is reserved for future use.
Not all parse errors were reported. Correct the reported errors and try again.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : MissingFileSpecification

Is Cloud Shell (Azure Portal PowerShell) supported?

Hello,

I tried to run the script in Cloud Shell and got a bunch of exceptions.

import-Module: /home/jm/tmp/Get-AzureADGraphApps.ps1:23
Line |
23 | Import-Module $m
| ~~~~~~~~~~~~~~~~
| Assembly with same name is already loaded

InvalidOperation: /opt/microsoft/powershell/7/profile.ps1:60
Line |
60 | & ($script:PSCloudShellUtilityModuleInfo){param([string]$Label, [ …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| The expression after '&' in a pipeline element produced an object that was not valid. It must result in a command name, a script block, or a
| CommandInfo object.

InvalidOperation: /opt/microsoft/powershell/7/profile.ps1:174
Line |
174 | $envName = $script:CloudEnvironmentMap[$env:ACC_CLOUD]
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Cannot index into a null array.

Get-AzureADServicePrincipal: /home/jm/tmp/Get-AzureADGraphApps.ps1:75
Line |
75 | $servicePrincipals = Get-AzureADServicePrincipal -All $true
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| You must call the Connect-AzureAD cmdlet before calling any other cmdlets.

InvalidOperation: /home/jm/tmp/Get-AzureADGraphApps.ps1:136
Line |
136 | $script:ObjectByObjectClassId['ServicePrincipal'].GetEnumerator() …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| You cannot call a method on a null-valued expression.

Run script for AzureChinaCloud

I tried to run this script in our organization's Azure China Cloud environment with the change below to the script:

Connect-AzAccount -Environment AzureChinaCloud
$context=Get-AzContext
Connect-AzureAD -AzureEnvironmentName AzureChinaCloud -TenantId $context.Tenant.TenantId -AccountId $context.Account.Id | Out-Null

but did not get any results even though there are apps using the AAD Graph API, after checking through the UI.

Below is the content of the CSV file after running the script:

Environments Context
System.Collections.Generic.Dictionary`2[System.String,Microsoft.Azure.Commands.Profile.Models.PSAzureEnvironment] Microsoft.Azure.Commands.Profile.Models.Core.PSAzureContext

Worth adding in the application owner where it exists

This could be improved by extracting the owner at lines 105/150

$ownerUPN = (Get-AzureADServicePrincipalOwner -ObjectId $client.ObjectId).UserPrincipalName

and then updating the two New-Object PSObject calls to add
"Owner" = $ownerUPN

CSV file not generated correctly - header mismatch?

If I call as instructed
.\Get-AzureADGraphApps.ps1 | Export-Csv .\aadgraphapps.csv -NoTypeInformation
the output CSV does not contain the data I would expect.

Somehow the array generated has two different types of objects. So calling element 0 or 1 shows different headers, causing only the first line to go correctly into the CSV, with the rest of the lines being blank as the columns have different names.

$apps = .\Get-AzureADGraphApps.ps1

$apps[0]
Account      :  <removed>
Environment  : AzureCloud
Tenant       : <removed>
TenantId     : <removed>
TenantDomain : <removed>


$apps[1]
ObjectId       : <removed>
DisplayName    : <removed>
ApplicationId  : <removed>
PermissionType : Delegated-AllPrincipals
Resource       : Windows Azure Active Directory
Permission     : User.Read
MicrosoftApp   : False

To get the right data out I just grabbed from element 1 onwards with
$apps[1..($apps.Count - 1)] | Export-Csv .\aadgraphapps.csv -NoTypeInformation   # skip the first (context) object, keep every remaining row

Error executing the script in PowerShell Core on Windows

What happened

Executed this command

PS C:\Users\John\AzureADGraphApps> .\Get-AzureADGraphApps.ps1 | Export-Csv .\aadgraphapps.csv -NoTypeInformation

It showed a dialog to log in with a Microsoft account. After logging in successfully, the following error was displayed:

Connect-AzureAD: C:\Users\John\AzureADGraphApps\Get-AzureADGraphApps.ps1:173
Line |
 173 |  Connect-AzureAD
     |  ~~~~~~~~~~~~~~~
     | One or more errors occurred. (Could not load type 'System.Security.Cryptography.SHA256Cng' from
     | assembly 'System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.): Could not
     | load type 'System.Security.Cryptography.SHA256Cng' from assembly 'System.Core, Version=4.0.0.0,
     | Culture=neutral, PublicKeyToken=b77a5c561934e089'.

Connect-AzureAD: C:\Users\John\AzureADGraphApps\Get-AzureADGraphApps.ps1:173
Line |
 173 |  Connect-AzureAD
     |  ~~~~~~~~~~~~~~~
     | One or more errors occurred. (Could not load type 'System.Security.Cryptography.SHA256Cng' from
     | assembly 'System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.)

Connect-AzureAD: C:\Users\John\AzureADGraphApps\Get-AzureADGraphApps.ps1:173
Line |
 173 |  Connect-AzureAD
     |  ~~~~~~~~~~~~~~~
     | Could not load type 'System.Security.Cryptography.SHA256Cng' from assembly 'System.Core,
     | Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.

Connect-AzureAD: C:\Users\John\AzureADGraphApps\Get-AzureADGraphApps.ps1:173
Line |
 173 |  Connect-AzureAD
     |  ~~~~~~~~~~~~~~~
     | One or more errors occurred. (Could not load type 'System.Security.Cryptography.SHA256Cng' from
     | assembly 'System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.): Could not
     | load type 'System.Security.Cryptography.SHA256Cng' from assembly 'System.Core, Version=4.0.0.0,
     | Culture=neutral, PublicKeyToken=b77a5c561934e089'.

Get-AzureADServicePrincipal: C:\Users\John\AzureADGraphApps\Get-AzureADGraphApps.ps1:75
Line |
  75 |      $servicePrincipals = Get-AzureADServicePrincipal -All $true
     |                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | You must call the Connect-AzureAD cmdlet before calling any other cmdlets.

InvalidOperation: C:\Users\John\AzureADGraphApps\Get-AzureADGraphApps.ps1:136
Line |
 136 |      $script:ObjectByObjectClassId['ServicePrincipal'].GetEnumerator() …
     |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | You cannot call a method on a null-valued expression.

Environment

PS C:\Users\John\AzureADGraphApps> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Microsoft Windows 10.0.18363
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Is Mac OS X supported?

I am attempting to run this script as indicated in the README, after having just installed PowerShell on my Mac. Is this a supported environment?

I get the following errors for missing dependencies, even though the README says:

This script has a dependency on the Azure AD PowerShell module. When the script is run it will automatically install the dependent module if it is not already installed.

I tried running both Install-Module AzureAD and Import-Module AzureAD, but those didn't seem to help.

This is the full output of the script that I see. Please let me know if I can provide any other information :)

PS /Users/jared/Desktop> .\Get-AzureADGraphApps.ps1 | Export-Csv .\aadgraphapps.csv
Import-Module: /Users/jared/Desktop/Get-AzureADGraphApps.ps1:23
Line |
 23 |              Import-Module $m
    |              ~~~~~~~~~~~~~~~~
    | Could not load file or assembly 'System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'. The system cannot find the file specified.

Connect-AzureAD: /Users/jared/Desktop/Get-AzureADGraphApps.ps1:173
Line |
 173 |  Connect-AzureAD
     |  ~~~~~~~~~~~~~~~
     | The term 'Connect-AzureAD' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

Get-AzureADServicePrincipal: /Users/jared/Desktop/Get-AzureADGraphApps.ps1:75
Line |
 75 |      $servicePrincipals = Get-AzureADServicePrincipal -All $true
    |                           ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    | The term 'Get-AzureADServicePrincipal' is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

InvalidOperation: /Users/jared/Desktop/Get-AzureADGraphApps.ps1:136
Line |
136 |      $script:ObjectByObjectClassId['ServicePrincipal'].GetEnumerator() …
|      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| You cannot call a method on a null-valued expression.

edit: it seems like this output has no line breaks when copied from my shell, I've tried to fix it manually to improve readability.
