Forked from HCRitter/Azure Community Enthusiasts 4th March 2024 Event.ps1
Last active
March 4, 2024 22:38
-
-
Save AlanFlorance/2bc52087eb7fddb9f584145d017c5791 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #How to migrate from AAP to RBAC | |
| #region basic connects | |
| $connectMgGraphSplat = @{ | |
| Scopes = @( | |
| 'AppRoleAssignment.ReadWrite.All', | |
| 'Application.ReadWrite.All', | |
| 'User.Read.All' | |
| ) | |
| NoWelcome = $true | |
| } | |
| Connect-MgGraph @connectMgGraphSplat | |
| Connect-ExchangeOnline -ShowBanner:$false | |
| #endregion | |
| #region Get all app-registrations (MS Graph) including permissions | |
| <# | |
| $AppRoles = (Get-MgServicePrincipal -All | | |
| Where-Object AppId -eq '00000003-0000-0000-c000-000000000000' | |
| ).AppRoles | |
| #> | |
| $AppRoles = (Get-MgServicePrincipalByAppId -AppId '00000003-0000-0000-c000-000000000000').AppRoles | |
| $APPlications = Get-MgApplication -All | Foreach-Object { | |
| [PSCustomObject]@{ | |
| DisplayName = $_.DisplayName | |
| AppId = $_.AppId | |
| ID = $_.ID | |
| ServicePrincipalID = $ServicePrincipalID = (Get-MgServicePrincipalByAppId -AppId $_.AppId).ID | |
| Scopes = $((Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalID).AppRoleId.ForEach({ | |
| ($AppRoles | Where-Object Id -eq $_).Value | |
| })) | |
| } | |
| } | |
| #endregion | |
| #region enrich the data with the security state | |
| #$AppRoles = (Get-MgServicePrincipal -All | Where-Object AppId -eq '00000003-0000-0000-c000-000000000000').AppRoles | |
| $AppRoles = (Get-MgServicePrincipalByAppId -AppId '00000003-0000-0000-c000-000000000000').AppRoles | |
| $APPlications = $(foreach($App in $(Get-MgApplication)){ | |
| # Get the Service Principal ID for the current application | |
| $ServicePrincipalID = (Get-MgServicePrincipalByAppId -AppId $App.AppId).ID | |
| # Get the AppRoles assigned to the Service Principal and convert them to their corresponding values | |
| $Scopes = $((Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalID).AppRoleId.ForEach({ | |
| ($AppRoles | Where-Object Id -eq $_).Value | |
| })) | |
| # Check if the application has scopes related to mail, contacts, calendar, or mailbox settings | |
| if($Scopes -match "mail.|contacts.|calendar.|mailboxsettings."){ | |
| # Create a custom object with relevant information about the application's security state | |
| [PSCustomObject]@{ | |
| DisplayName = $App.DisplayName | |
| AppId = $App.AppId | |
| ID = $App.ID | |
| ServicePrincipalID = $ServicePrincipalID | |
| Scopes = $Scopes | |
| ApplicationAccessPolicyActive = -not [string]::IsNullOrEmpty(@(Get-ApplicationAccessPolicy | Where-Object AppID -eq $App.AppID)) | |
| RBACForApplicationActive = -not [string]::IsNullOrEmpty(@(Get-ManagementRoleAssignment | Where-Object App -eq $ServicePrincipalID)) | |
| } | |
| } | |
| }) | |
| #endregion | |
| #region add application scoping (RBAC and AAP) to the data | |
| #$AppRoles = (Get-MgServicePrincipal -All | Where-Object AppId -eq '00000003-0000-0000-c000-000000000000').AppRoles | |
| $AppRoles = (Get-MgServicePrincipalByAppId -AppId '00000003-0000-0000-c000-000000000000').AppRoles | |
| $APPlications = $(foreach($App in $(Get-MgApplication)){ | |
| # Get the Service Principal ID for the current application | |
| $ServicePrincipalID = (Get-MgServicePrincipalByAppId -AppId $App.AppId).ID | |
| # Get the AppRoles assigned to the Service Principal and convert them to their corresponding values | |
| $Scopes = $((Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalID).AppRoleId.ForEach({ | |
| ($AppRoles | Where-Object Id -eq $_).Value | |
| })) | |
| # Check if the application has scopes related to mail, contacts, calendar, or mailbox settings | |
| if($Scopes -match "mail.|contacts.|calendar.|mailboxsettings."){ | |
| # Create a custom object with relevant information about the application's security state | |
| $ApplicationAccessPolicy = Get-ApplicationAccessPolicy | Where-Object AppID -eq $App.AppID | |
| $ManagmentRoleAssignment = Get-ManagementRoleAssignment | Where-Object App -eq $ServicePrincipalID | |
| [PSCustomObject]@{ | |
| DisplayName = $App.DisplayName | |
| AppId = $App.AppId | |
| ID = $App.ID | |
| ServicePrincipalID = $ServicePrincipalID | |
| Scopes = $Scopes | |
| ApplicationAccessPolicy = if([string]::IsNullOrEmpty(@($ApplicationAccessPolicy))){$Null}else{ | |
| [PSCustomObject]@{ | |
| isActive = $true | |
| ScopeIdentity = $ScopeIdentity = $ApplicationAccessPolicy.ScopeIdentity | |
| Targets = Get-DistributionGroup -identity $ScopeIdentity | get-DistributiongroupMember | |
| } | |
| } | |
| RBACForApplication = if([string]::IsNullOrEmpty(@($ManagmentRoleAssignment))){$Null}else{ | |
| [PSCustomObject]@{ | |
| isActive = $true | |
| Role = $ManagmentRoleAssignment.Role | |
| RoleAssignee = $ManagmentRoleAssignment.RoleAssignee | |
| CustomResourceScope = $ManagmentRoleAssignment.CustomResourceScope | |
| ManagementScopeRecipientFilter = (Get-ManagementScope -identity $ManagmentRoleAssignment.CustomResourceScope).RecipientFilter | |
| } | |
| } | |
| } | |
| } | |
| }) | |
| #endregion |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment