Script to Export App Role Assignments for Azure AD Integrated Applications to CSV

2 min. read | Last update: 09.26.2024

This script connects to the Microsoft Graph API, retrieves all service principals tagged as "WindowsAzureActiveDirectoryIntegratedApp," and filters for enabled applications where app role assignments are required. It then gathers the app role assignments, including details such as AppRoleId, ResourceDisplayName, PrincipalId, PrincipalDisplayName, and PrincipalType, and exports the data to a CSV file. This provides a detailed report of app role assignments for Azure AD integrated applications, facilitating easier management and auditing.

Here is the script:

$ExportPath = "$home\Desktop\EntAppAssignment.csv"
$TenantId   = ""   # set to your tenant ID (GUID or verified domain); leave empty to sign in to the account's home tenant

# Connect to Microsoft Graph API with read-only scopes
$connectParams = @{ Scopes = @("Application.Read.All", "Directory.Read.All") }
if ($TenantId) { $connectParams.TenantId = $TenantId }
Connect-MgGraph @connectParams

try {
    # Get all service principals with tag 'WindowsAzureActiveDirectoryIntegratedApp' (-All follows paging)
    $allApps = Get-MgServicePrincipal -All -Filter "tags/Any(x:x eq 'WindowsAzureActiveDirectoryIntegratedApp')"

    # Keep only enabled apps
    $allEnabledApps = $allApps | Where-Object AccountEnabled

    # Collect assignments; emitting objects from the loop avoids rebuilding the array with += on every iteration
    $output = foreach ($App in $allEnabledApps) {
        if ($App.AppRoleAssignmentRequired) {
            # Get app role assignments for apps with 'AppRoleAssignmentRequired' set to true.
            # -All is required here as well; without it only the first page of assignments is returned.
            Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $App.Id -All |
                Select-Object -Property AppRoleId, ResourceDisplayName, PrincipalId, PrincipalDisplayName, PrincipalType
        }
    }

    if (-not $output) {
        Write-Warning "No app role assignments found; nothing was exported."
        return
    }

    # Export the data to a CSV file
    $output | Export-Csv -Path $ExportPath -NoTypeInformation
    Write-Output "App role assignments exported to $ExportPath successfully."
}
catch {
    Write-Error "An error occurred: $($_.Exception.Message)"
}
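As an added example (not part of the original article or its script), the function below takes rows in the shape the script exports together with the service principal list the script already fetched, summarises assignments per resource by principal type, and separately lists enabled integrated apps where user assignment is not required. Those apps never appear in the export because the script skips them, yet any user in the tenant can sign in to them, so an audit based on the CSV alone would miss them. The function name, the sample assignment rows and the sample service principals are constructed for this example.

```powershell
# Added example: summarise an exported assignment list and flag enabled apps
# that do not require assignment (assumed function name, constructed sample data).

function Get-AppRoleAssignmentSummary {
    param(
        # Rows shaped like the exported CSV: AppRoleId, ResourceDisplayName,
        # PrincipalId, PrincipalDisplayName, PrincipalType
        [Parameter(Mandatory)] [object[]] $Assignments,
        # Service principal objects with DisplayName, Id, AccountEnabled and
        # AppRoleAssignmentRequired, as returned by Get-MgServicePrincipal
        [Parameter(Mandatory)] [object[]] $ServicePrincipals
    )

    # Per resource, count assignments by principal type (hashtable keys are case-insensitive).
    $perResource = foreach ($group in ($Assignments | Group-Object -Property ResourceDisplayName)) {
        $counts = @{ User = 0; Group = 0; ServicePrincipal = 0 }
        foreach ($row in $group.Group) {
            if ($counts.ContainsKey($row.PrincipalType)) { $counts[$row.PrincipalType]++ }
        }
        [PSCustomObject]@{
            ResourceDisplayName = $group.Name
            TotalAssignments    = $group.Count
            Users               = $counts['User']
            Groups              = $counts['Group']
            ServicePrincipals   = $counts['ServicePrincipal']
        }
    }

    # Enabled apps with "User assignment required" = No: every tenant user can sign in,
    # so they carry no assignment rows and are absent from the export.
    $openApps = $ServicePrincipals |
        Where-Object { $_.AccountEnabled -and -not $_.AppRoleAssignmentRequired } |
        Select-Object -Property DisplayName, Id

    [PSCustomObject]@{
        PerResource = @($perResource)
        OpenApps    = @($openApps)
    }
}

# Constructed sample data standing in for "Import-Csv $ExportPath" and for the
# $allEnabledApps list built by the script above.
$sampleAssignments = @(
    [PSCustomObject]@{ AppRoleId = '00000000-0000-0000-0000-000000000000'; ResourceDisplayName = 'Contoso HR Portal'; PrincipalId = 'user-1';  PrincipalDisplayName = 'Alice';              PrincipalType = 'User' }
    [PSCustomObject]@{ AppRoleId = '00000000-0000-0000-0000-000000000000'; ResourceDisplayName = 'Contoso HR Portal'; PrincipalId = 'group-1'; PrincipalDisplayName = 'HR Staff';           PrincipalType = 'Group' }
    [PSCustomObject]@{ AppRoleId = '00000000-0000-0000-0000-000000000000'; ResourceDisplayName = 'Payroll Sync';      PrincipalId = 'sp-1';    PrincipalDisplayName = 'payroll-automation'; PrincipalType = 'ServicePrincipal' }
)
$sampleServicePrincipals = @(
    [PSCustomObject]@{ DisplayName = 'Contoso HR Portal'; Id = 'sp-hr';      AccountEnabled = $true;  AppRoleAssignmentRequired = $true }
    [PSCustomObject]@{ DisplayName = 'Payroll Sync';      Id = 'sp-payroll'; AccountEnabled = $true;  AppRoleAssignmentRequired = $true }
    [PSCustomObject]@{ DisplayName = 'Legacy Wiki';       Id = 'sp-wiki';    AccountEnabled = $true;  AppRoleAssignmentRequired = $false }  # open to all users
    [PSCustomObject]@{ DisplayName = 'Retired Tool';      Id = 'sp-old';     AccountEnabled = $false; AppRoleAssignmentRequired = $false }  # disabled, not reported
)

$summary = Get-AppRoleAssignmentSummary -Assignments $sampleAssignments -ServicePrincipals $sampleServicePrincipals
$summary.PerResource | Format-Table -AutoSize   # Contoso HR Portal: 1 user, 1 group; Payroll Sync: 1 service principal
$summary.OpenApps    | Format-Table -AutoSize   # Legacy Wiki only
```

To run it against a real tenant, replace $sampleAssignments with Import-Csv $ExportPath and $sampleServicePrincipals with the $allEnabledApps variable from the script; the per-resource table then shows where groups or other service principals (rather than individual users) carry access, and the OpenApps list is the set of enabled integrated apps whose effective audience is the whole tenant.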
