Enterprise Applications: With App Roles Assigned

Retrieve the application roles (application permissions) assigned to service principals on a resource application identified by its AppId (e.g. Microsoft Graph, AAD Graph), so the client principals holding each permission can be reviewed.

PowerShell

Connect-MgGraph -Scopes @('Application.Read.All')
#region Supporting Functions
function Get-AppRolesAssignedToServicePrincipalsFromAppId {
    [CmdletBinding()]
    [OutputType([pscustomobject])]
    param
    (
        [Parameter(
            Mandatory = $true,
            ValueFromPipelineByPropertyName = $true,
            Position = 1)]
        [string] $AppId
    )
    process {
        # Resolve the resource application's service principal in this tenant.
        $principal = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
        if ($principal) {
            # Index the resource's app roles by Id so each assignment's AppRoleId
            # can be mapped back to its claim value and display name.
            $principalAppRoles = $principal.AppRoles | Group-Object -Property Id -AsHashTable -AsString
            # Every app role assignment granted to other principals on this resource.
            $appRolesAssigned = Get-MgServicePrincipalAppRoleAssignedTo `
                -ServicePrincipalId $principal.Id -All
            $appRolesAssigned | ForEach-Object {
                # Group-Object returns a collection per key; take the single app role.
                $appRole = $principalAppRoles[$PSItem.AppRoleId] | Select-Object -First 1
                $PSItem | Add-Member -NotePropertyName 'ClaimValue' -NotePropertyValue $appRole.Value
                $PSItem | Add-Member -NotePropertyName 'Permission' -NotePropertyValue $appRole.DisplayName
            }
            $appRolesAssigned
        }
        else {
            Write-Warning "No service principal found for AppId '$AppId'."
        }
    }
}
#endregion
# Microsoft Graph
$msGraphAppRolesAssigned = Get-AppRolesAssignedToServicePrincipalsFromAppId `
    -AppId '00000003-0000-0000-c000-000000000000'
# Windows Azure Active Directory (AAD Graph)
$aadGraphAppRolesAssigned = Get-AppRolesAssignedToServicePrincipalsFromAppId `
    -AppId '00000002-0000-0000-c000-000000000000'
# Office 365 Exchange Online
$o365ExoAppRolesAssigned = Get-AppRolesAssignedToServicePrincipalsFromAppId `
    -AppId '00000002-0000-0ff1-ce00-000000000000'
# Office 365 Management APIs
$o365MgmtApiRolesAssigned = Get-AppRolesAssignedToServicePrincipalsFromAppId `
    -AppId 'c5393580-f805-4401-95e8-94b7a6ef2fc2'
$msGraphAppRolesAssigned | Sort-Object PrincipalDisplayName `
| Select-Object PrincipalDisplayName, PrincipalId, ClaimValue, Permission `
| Export-Csv -Path .\msGraphAppRolesAssigned.csv -NoTypeInformation
$aadGraphAppRolesAssigned | Sort-Object PrincipalDisplayName `
| Select-Object PrincipalDisplayName, PrincipalId, ClaimValue, Permission `
| Export-Csv -Path .\aadGraphAppRolesAssigned.csv -NoTypeInformation
$o365ExoAppRolesAssigned | Sort-Object PrincipalDisplayName `
| Select-Object PrincipalDisplayName, PrincipalId, ClaimValue, Permission `
| Export-Csv -Path .\o365ExoAppRolesAssigned.csv -NoTypeInformation
$o365MgmtApiRolesAssigned | Sort-Object PrincipalDisplayName `
| Select-Object PrincipalDisplayName, PrincipalId, ClaimValue, Permission `
| Export-Csv -Path .\o365MgmtApiRolesAssigned.csv -NoTypeInformation
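An added review step, not part of the original script: once the assignments have been collected, the objects can be screened for high-privilege application permissions before the CSVs are handed to a reviewer. The watchlist entries are real Microsoft Graph application permission names; the function `Find-HighPrivilegeAppRoleAssignment` and the sample assignment objects are constructed for this example and assume the property shape produced by `Get-AppRolesAssignedToServicePrincipalsFromAppId`.

```powershell
# Added example: screen assignment objects for high-privilege application permissions.
# The sample input below is constructed so the function can be exercised offline.

# Microsoft Graph application permissions that grant tenant-wide write or
# privilege-escalation capability. Extend the list to fit your environment.
$highPrivilegeClaims = @(
    'Directory.ReadWrite.All'
    'RoleManagement.ReadWrite.Directory'
    'AppRoleAssignment.ReadWrite.All'
    'Application.ReadWrite.All'
    'Mail.ReadWrite'
    'User.ReadWrite.All'
)

function Find-HighPrivilegeAppRoleAssignment {
    [CmdletBinding()]
    [OutputType([pscustomobject])]
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject] $Assignment,
        [string[]] $WatchList = $highPrivilegeClaims
    )
    process {
        # A null ClaimValue means the AppRoleId was not found among the resource's
        # AppRoles (e.g. the all-zero default role); report it rather than drop it.
        if (-not $Assignment.ClaimValue) {
            [pscustomobject]@{
                PrincipalDisplayName = $Assignment.PrincipalDisplayName
                PrincipalId          = $Assignment.PrincipalId
                ClaimValue           = '<unresolved>'
                Reason               = 'AppRoleId not present in resource AppRoles'
            }
        }
        elseif ($WatchList -contains $Assignment.ClaimValue) {
            [pscustomobject]@{
                PrincipalDisplayName = $Assignment.PrincipalDisplayName
                PrincipalId          = $Assignment.PrincipalId
                ClaimValue           = $Assignment.ClaimValue
                Reason               = 'High-privilege application permission'
            }
        }
    }
}

# Constructed sample input shaped like the objects the script's function emits.
$sample = @(
    [pscustomobject]@{ PrincipalDisplayName = 'HR Sync';     PrincipalId = '11111111-1111-1111-1111-111111111111'; ClaimValue = 'User.Read.All' }
    [pscustomobject]@{ PrincipalDisplayName = 'Legacy Tool'; PrincipalId = '22222222-2222-2222-2222-222222222222'; ClaimValue = 'Directory.ReadWrite.All' }
    [pscustomobject]@{ PrincipalDisplayName = 'Unknown App'; PrincipalId = '33333333-3333-3333-3333-333333333333'; ClaimValue = $null }
)
$sample | Find-HighPrivilegeAppRoleAssignment | Format-Table -AutoSize
```

In practice, pipe `$msGraphAppRolesAssigned` (or any of the other collections above) into `Find-HighPrivilegeAppRoleAssignment` in place of `$sample`.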

Dependencies

Microsoft Graph SDK for PowerShell

Install-Module Microsoft.Graph -AllowClobber -Force

Connect-MgGraph

Using the Microsoft Graph Command Line Tools Enterprise Application:

Connect-MgGraph -Scopes @('')

Using an existing Access Token:

Connect-MgGraph -AccessToken (ConvertTo-SecureString 'ey..' -AsPlainText -Force)

Using an Application Registration (Platform: Mobile and desktop applications, redirect http://localhost):

Connect-MgGraph -ClientId 'abc..' -TenantId 'abc..'

Using a ClientId and Secret (Password):

$tenantId = ''
$clientId = ''
$secret = ConvertTo-SecureString '' -AsPlainText -Force
$secretCredential = New-Object System.Management.Automation.PSCredential ($clientId, $secret)
$params = @{
    'SecretCredential' = $secretCredential
    'TenantId'         = $tenantId
}
Connect-MgGraph @params