HOWTO: Get an overview of Azure AD Application Permissions


Applications in Azure AD give people access to functionality that is integrated with your Azure AD tenant. By default, any user can register applications and consent to giving applications access to their own data. Microsoft now offers functionality to streamline application management and bring consent under administrative control.

When onboarding to this functionality, admins regain control over application permissions and keep a handle on them going forward. But how do you, as an admin, get an overview of the Azure AD application permissions your colleagues granted in the past?


Getting ready

First, install the Windows PowerShell modules we need. Run the following lines in an elevated Windows PowerShell session:

# Azure AD and MSOnline modules; -Force installs (or updates) without prompting
Install-Module AzureAD -Force

Install-Module MSOnline -Force

# Bring the package infrastructure up to date so the remaining modules install cleanly
Install-PackageProvider NuGet -Force

Install-Module PowerShellGet -Force

# Start a fresh PowerShell process so the updated PowerShellGet is loaded before installing MSAL.PS
&(Get-Process -Id $pid).Path -Command { Install-Module MSAL.PS }

# The module that does the actual work
Install-Module AzureADIncidentResponse


Note:
We need both the AzureAD and MSOnline modules, because their output differs; this is the state of Azure AD PowerShell today. Because of the -Force parameter, the lines above also update these modules if you are not running the latest versions.

Note:
If you receive the error ‘Unable to download’ when installing the AzureAD or MSOnline PowerShell module, use these steps to resolve the situation.


Getting Azure AD Application Permissions

Microsoft shared its Azure AD Incident Response Windows PowerShell module on the PowerShell Gallery. Using the cmdlets in this Windows PowerShell module, we can easily get an overview of Azure AD Application Permissions.

Run the following lines of Windows PowerShell to do so:

Import-Module AzureADIncidentResponse


Connect-AzureADIR <YourTenantId>

Sign in with an account that has sufficient permissions to read application permissions in your Azure AD tenant: an account assigned the built-in Global Administrator, Global Reader, Application Administrator, Cloud Application Administrator, Directory Readers, Hybrid Identity Administrator or Security Administrator role.

Get-AzureADIRPermission <YourTenantId> | Out-GridView


These lines of Windows PowerShell result in a GridView window displaying the following columns:

  • PermissionType for the permission (typically Delegated).
  • ClientObjectId, ClientDisplayName and ClientAppId for the application, and ClientAppOwnerTenantId for the tenant that owns it.
  • ResourceObjectId, ResourceDisplayName, ResourceAppId and ResourceAppOwnerTenantId for the resource (typically Microsoft Graph or Windows Azure Active Directory).
  • Permission and ConsentType for the permission granted.
  • PrincipalObjectId, PrincipalDisplayName and PrincipalUserPrincipalName for the user who specifically delegated the permission (only present when ConsentType is not AllPrincipals).

This information can be used to:

  • Find out more about each application, based on its ClientAppId and ClientAppOwnerTenantId.
  • Seek out applications that only a few users have consented to and for which no admin has granted admin consent.
  • Seek out dangerous permissions delegated to applications, beyond the routine User.Read, email, profile, offline_access and openid permissions.
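To put that list to work, here is an added example (not code from the original post, nor part of Microsoft's AzureADIncidentResponse module) that triages the Get-AzureADIRPermission output: it groups grants per application, flags scopes outside the routine set named above, and separates apps an admin consented to tenant-wide (ConsentType AllPrincipals) from apps that rely on individual user consent. It assumes only the column names listed above; the function name, the baseline scope list and the sample records are this example's own constructions, so it runs without a tenant.

```powershell
# Added example, not code from the original post or from Microsoft's module.
# Assumptions: objects carry the column names listed above (ClientAppId,
# ClientDisplayName, ClientAppOwnerTenantId, ResourceDisplayName, Permission,
# ConsentType, PrincipalObjectId, PrincipalUserPrincipalName). The function
# name and the baseline list are this example's own choices.

# Scopes the post treats as routine; anything else is reported for review.
$BaselineScopes = @('User.Read', 'email', 'profile', 'offline_access', 'openid')

function Get-RiskyAppGrant {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Grant,
        [string[]] $Baseline = $BaselineScopes
    )
    begin   { $all = [System.Collections.Generic.List[object]]::new() }
    process { $all.Add($Grant) }
    end {
        $summary = $all | Group-Object -Property ClientAppId | ForEach-Object {
            $grants = @($_.Group)

            # Permission may hold one scope or a space-separated list; split defensively.
            $scopes = @($grants | ForEach-Object { $_.Permission -split '\s+' } |
                        Where-Object { $_ } | Sort-Object -Unique)
            $risky  = @($scopes | Where-Object { $Baseline -notcontains $_ })

            # AllPrincipals means an admin consented for the whole tenant; any other
            # ConsentType ('Principal' in Microsoft Graph) is one user's own consent.
            $adminConsent = [bool]@($grants | Where-Object { $_.ConsentType -eq 'AllPrincipals' }).Count
            $userCount    = @($grants | Where-Object { $_.ConsentType -ne 'AllPrincipals' } |
                              Select-Object -ExpandProperty PrincipalObjectId | Sort-Object -Unique).Count

            [pscustomobject]@{
                ClientDisplayName      = $grants[0].ClientDisplayName
                ClientAppId            = $_.Name
                ClientAppOwnerTenantId = $grants[0].ClientAppOwnerTenantId
                Resources              = (@($grants.ResourceDisplayName | Sort-Object -Unique) -join '; ')
                AdminConsent           = $adminConsent
                UserConsentCount       = $userCount
                RiskyPermissions       = ($risky -join ' ')
            }
        }

        # Keep apps that request non-baseline scopes or rely on user consent alone;
        # list user-consented-only apps first, fewest consenting users on top.
        $summary |
            Where-Object { $_.RiskyPermissions -or -not $_.AdminConsent } |
            Sort-Object -Property AdminConsent, UserConsentCount
    }
}

# Constructed sample records standing in for Get-AzureADIRPermission output.
$sample = @(
    [pscustomobject]@{ PermissionType='Delegated'; ClientDisplayName='Mail Sync Helper'
        ClientAppId='00000000-0000-0000-0000-000000000001'; ClientAppOwnerTenantId='00000000-0000-0000-0000-0000000000aa'
        ResourceDisplayName='Microsoft Graph'; Permission='openid profile offline_access Mail.ReadWrite Files.ReadWrite.All'
        ConsentType='Principal'; PrincipalObjectId='00000000-0000-0000-0000-0000000000b1'; PrincipalUserPrincipalName='alice@contoso.example' }
    [pscustomobject]@{ PermissionType='Delegated'; ClientDisplayName='Mail Sync Helper'
        ClientAppId='00000000-0000-0000-0000-000000000001'; ClientAppOwnerTenantId='00000000-0000-0000-0000-0000000000aa'
        ResourceDisplayName='Microsoft Graph'; Permission='openid profile offline_access Mail.ReadWrite Files.ReadWrite.All'
        ConsentType='Principal'; PrincipalObjectId='00000000-0000-0000-0000-0000000000b2'; PrincipalUserPrincipalName='bob@contoso.example' }
    [pscustomobject]@{ PermissionType='Delegated'; ClientDisplayName='Survey Tool'
        ClientAppId='00000000-0000-0000-0000-000000000002'; ClientAppOwnerTenantId='00000000-0000-0000-0000-0000000000cc'
        ResourceDisplayName='Windows Azure Active Directory'; Permission='User.Read Directory.Read.All'
        ConsentType='AllPrincipals'; PrincipalObjectId=$null; PrincipalUserPrincipalName=$null }
    [pscustomobject]@{ PermissionType='Delegated'; ClientDisplayName='Line-of-Business Portal'
        ClientAppId='00000000-0000-0000-0000-000000000003'; ClientAppOwnerTenantId='00000000-0000-0000-0000-0000000000aa'
        ResourceDisplayName='Microsoft Graph'; Permission='User.Read openid profile'
        ConsentType='AllPrincipals'; PrincipalObjectId=$null; PrincipalUserPrincipalName=$null }
)

$sample | Get-RiskyAppGrant | Format-Table -AutoSize

# Against a live tenant, after Connect-AzureADIR:
# Get-AzureADIRPermission <YourTenantId> | Get-RiskyAppGrant | Out-GridView
```

With the sample data, the user-consented "Mail Sync Helper" surfaces first with its mailbox and file scopes listed, the admin-consented "Survey Tool" follows because of Directory.Read.All, and the portal that only asks for routine scopes under admin consent drops out of the list. Because the function reads the pipeline, the same filter works on the real cmdlet's output, and Export-Csv can replace Out-GridView when you want to keep the evidence.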


Concluding

While initially conceived as an incident response tool, Microsoft's Azure AD Incident Response Windows PowerShell module proves useful for many other investigations.
