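#How to migrate from AAP to RBAC
#
# Inventories the tenant's app registrations that hold Exchange-related Microsoft
# Graph application permissions (Mail.*, Contacts.*, Calendars.*, MailboxSettings.*)
# and reports whether each one is already scoped in Exchange Online by an
# Application Access Policy (AAP) or by RBAC for Applications.
#
# Every cmdlet used in this script is read-only, so the Graph session is opened
# with read-only scopes (least privilege). The previous scope list consented to
# Application.ReadWrite.All and AppRoleAssignment.ReadWrite.All, which nothing
# below uses, and User.Read.All, which nothing below needs. If a later step adds
# Graph write operations, raise the scopes there rather than up front.
#region basic connects
$connectMgGraphSplat = @{
    Scopes    = @(
        # Covers Get-MgApplication, Get-MgServicePrincipalByAppId and
        # Get-MgServicePrincipalAppRoleAssignment (read-only).
        'Application.Read.All'
    )
    NoWelcome = $true
}
Connect-MgGraph @connectMgGraphSplat
# Exchange Online session: Get-ApplicationAccessPolicy, Get-ManagementRoleAssignment,
# Get-ManagementScope and Get-DistributionGroup(-Member) run over this connection.
Connect-ExchangeOnline -ShowBanner:$false
#endregion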
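#region Get all app-registrations (MS Graph) including permissions
# Microsoft Graph's own service principal publishes the app roles (application
# permissions). App-role assignments reference those roles by GUID, so resolve
# Graph's service principal once by AppId (no need to page every service
# principal in the tenant) and build a GUID -> permission-name lookup table.
$GraphAppId      = '00000003-0000-0000-c000-000000000000'
$AppRoles        = (Get-MgServicePrincipalByAppId -AppId $GraphAppId).AppRoles
$AppRoleNameById = @{}
foreach ($Role in $AppRoles) {
    $AppRoleNameById[[string]$Role.Id] = $Role.Value
}

# -All is required on both Graph list calls below: without it the cmdlets return
# only the first page (100 objects) and the inventory silently misses the rest.
# NOTE(review): this walks app *registrations* of this tenant only. A third-party
# (multi-tenant) app consented here has a service principal but no application
# object and therefore never shows up in $APPlications.
$APPlications = Get-MgApplication -All | ForEach-Object {
    $App = $_
    # A registration without a service principal cannot hold app-role assignments;
    # do not let a missing one abort the whole inventory.
    $ServicePrincipalID = (Get-MgServicePrincipalByAppId -AppId $App.AppId -ErrorAction SilentlyContinue).Id
    $Scopes = @()
    if ($ServicePrincipalID) {
        # Only application permissions (app-role assignments) are collected;
        # delegated grants (oauth2PermissionGrants) are not subject to AAP/RBAC.
        # Role GUIDs of other resource APIs are not in the Graph table and are
        # dropped here (the previous version emitted $null entries for them).
        $Scopes = @(
            Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalID -All |
                ForEach-Object { $AppRoleNameById[[string]$_.AppRoleId] } |
                Where-Object { $_ }
        )
    }
    [PSCustomObject]@{
        DisplayName        = $App.DisplayName
        AppId              = $App.AppId
        ID                 = $App.Id
        ServicePrincipalID = $ServicePrincipalID
        Scopes             = $Scopes
    }
}
#endregion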
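#region enrich the data with the security state
# Same inventory as above, restricted to apps holding Exchange-related Graph
# application permissions, plus two booleans telling whether the app is already
# scoped in Exchange Online by an Application Access Policy (AAP) or by RBAC for
# Applications. An app with Mail.*/Calendars.*/Contacts.*/MailboxSettings.* and
# *neither* flag set can reach every mailbox in the tenant.
$GraphAppId      = '00000003-0000-0000-c000-000000000000'
$AppRoles        = (Get-MgServicePrincipalByAppId -AppId $GraphAppId).AppRoles
$AppRoleNameById = @{}
foreach ($Role in $AppRoles) {
    $AppRoleNameById[[string]$Role.Id] = $Role.Value
}

# Anchored, with the dot escaped: the previous pattern "mail.|contacts.|..." used
# an unescaped '.' (any character) and no anchor, so it also fired on any
# permission name that merely contained those letters. -match is case-insensitive,
# so 'Calendars.Read' and 'MailboxSettings.ReadWrite' still match.
$ExchangeScopePattern = '^(Mail|Contacts|Calendars|MailboxSettings)\.'

# Fetch the Exchange Online policy and assignment sets once instead of once per
# app; each call is a full round trip to Exchange Online.
$AllAccessPolicies  = @(Get-ApplicationAccessPolicy)
$AllRoleAssignments = @(Get-ManagementRoleAssignment)

# -All: without it only the first page (100 apps) is inventoried.
$APPlications = $(foreach ($App in $(Get-MgApplication -All)) {
    # A registration without a service principal cannot hold app-role assignments.
    $ServicePrincipalID = (Get-MgServicePrincipalByAppId -AppId $App.AppId -ErrorAction SilentlyContinue).Id
    if (-not $ServicePrincipalID) { continue }

    # Application permissions only; delegated grants are not subject to AAP/RBAC.
    # Role GUIDs of other resource APIs are not in the Graph table and are dropped.
    $Scopes = @(
        Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalID -All |
            ForEach-Object { $AppRoleNameById[[string]$_.AppRoleId] } |
            Where-Object { $_ }
    )

    if ($Scopes -match $ExchangeScopePattern) {
        [PSCustomObject]@{
            DisplayName                   = $App.DisplayName
            AppId                         = $App.AppId
            ID                            = $App.Id
            ServicePrincipalID            = $ServicePrincipalID
            Scopes                        = $Scopes
            # AAP is keyed by the application (client) ID ...
            ApplicationAccessPolicyActive = [bool]($AllAccessPolicies | Where-Object AppId -eq $App.AppId)
            # ... RBAC for Applications by the service principal object ID.
            # NOTE(review): 'App' is the property the original filtered on; confirm it
            # is populated for ServicePrincipal assignees in your tenant.
            RBACForApplicationActive      = [bool]($AllRoleAssignments | Where-Object App -eq $ServicePrincipalID)
        }
    }
})
#endregion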
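#region add application scoping (RBAC and AAP) to the data
# Same inventory, but instead of two booleans each app carries the actual scoping
# details: the AAP (its access right, scope group and that group's members) and
# the RBAC-for-Applications assignment(s) with the resolved recipient filter.
$GraphAppId      = '00000003-0000-0000-c000-000000000000'
$AppRoles        = (Get-MgServicePrincipalByAppId -AppId $GraphAppId).AppRoles
$AppRoleNameById = @{}
foreach ($Role in $AppRoles) {
    $AppRoleNameById[[string]$Role.Id] = $Role.Value
}

# Anchored and dot-escaped (see the previous region for why).
$ExchangeScopePattern = '^(Mail|Contacts|Calendars|MailboxSettings)\.'

# One round trip each instead of one per app.
$AllAccessPolicies  = @(Get-ApplicationAccessPolicy)
$AllRoleAssignments = @(Get-ManagementRoleAssignment)

# -All: without it only the first page (100 apps) is inventoried.
$APPlications = $(foreach ($App in $(Get-MgApplication -All)) {
    # A registration without a service principal cannot hold app-role assignments.
    $ServicePrincipalID = (Get-MgServicePrincipalByAppId -AppId $App.AppId -ErrorAction SilentlyContinue).Id
    if (-not $ServicePrincipalID) { continue }

    # Application permissions only; delegated grants are not subject to AAP/RBAC.
    $Scopes = @(
        Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $ServicePrincipalID -All |
            ForEach-Object { $AppRoleNameById[[string]$_.AppRoleId] } |
            Where-Object { $_ }
    )

    if ($Scopes -match $ExchangeScopePattern) {
        # An app may have more than one policy / assignment; keep them all so a
        # second one is not silently hidden behind the first.
        $AppPolicies       = @($AllAccessPolicies  | Where-Object AppId -eq $App.AppId)
        $AppExoAssignments = @($AllRoleAssignments | Where-Object App   -eq $ServicePrincipalID)

        [PSCustomObject]@{
            DisplayName        = $App.DisplayName
            AppId              = $App.AppId
            ID                 = $App.Id
            ServicePrincipalID = $ServicePrincipalID
            Scopes             = $Scopes
            ApplicationAccessPolicy = if ($AppPolicies.Count -eq 0) { $null } else {
                [PSCustomObject]@{
                    isActive      = $true
                    # RestrictAccess limits the app to the scope group; DenyAccess
                    # blocks it for that group. The previous version reported both
                    # simply as "active", which reads as a restriction when it may
                    # be a deny rule - surface which it is.
                    AccessRight   = $AppPolicies.AccessRight
                    ScopeIdentity = $AppPolicies.ScopeIdentity
                    # Members of the mail-enabled security group(s) the policy points at.
                    # -ResultSize Unlimited: the default caps the member list at 1000.
                    Targets       = $(foreach ($ScopeId in $AppPolicies.ScopeIdentity) {
                        Get-DistributionGroup -Identity $ScopeId |
                            Get-DistributionGroupMember -ResultSize Unlimited
                    })
                }
            }
            RBACForApplication = if ($AppExoAssignments.Count -eq 0) { $null } else {
                [PSCustomObject]@{
                    isActive            = $true
                    Role                = $AppExoAssignments.Role
                    RoleAssignee        = $AppExoAssignments.RoleAssignee
                    CustomResourceScope = $AppExoAssignments.CustomResourceScope
                    # An assignment with no CustomResourceScope is not scoped at all
                    # (the role applies tenant-wide) - there is no filter to resolve,
                    # and Get-ManagementScope would throw on a null identity.
                    ManagementScopeRecipientFilter = $(foreach ($ScopeName in $AppExoAssignments.CustomResourceScope) {
                        if ($ScopeName) { (Get-ManagementScope -Identity $ScopeName).RecipientFilter }
                    })
                }
            }
        }
    }
})
#endregion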
Christian, try
$AppRoles = (Get-MgServicePrincipalByAppId -AppId '00000003-0000-0000-c000-000000000000').AppRoles
Also Line 23
$APPlications = Get-MgApplication -All | Foreach-Object {