Full AzureAD Applications Permission overview

So you’d like to know which applications are living in your AzureAD?

And you’d like to know which of those were added by your admins, and what permissions those applications have?

And you’d also like to know which applications your users are consenting to, and what rights those applications have on your users?

Look no further, I wrote a script to export all of that to Excel for you!

Application overview

Apps an admin has consented to and the type of rights it needs

Apps a user has consented to and the type of rights it needs

Apps to user mapping, for an easy overview of which user has consented to which app

Get it at:

Credits to Doug Finke for the Excel module I’m using!

 

Retrieving ALL Azure AD registered applications that Get-AzureRMAdApplication does not return

The Microsoft supplied Get-AzureRMADApplication Powershell cmdlet does not return all applications you can see in the Enterprise Applications and App registrations blades in Azure AD.

In addition, Get-AzureRmAdApplication also does not return information such as:

  • Publisher Name
  • logoUrl
  • tags
  • enabled/disabled status
  • if it is a MicrosoftFirstParty application

So, here’s a custom PS function to help you out: https://gitlab.com/Lieben/assortedFunctions/blob/master/get-azureRMADAllApplications.ps1

It requires a special token generated by my get-AzureRMtoken function to log in.

As usual when using unsupported API’s, be careful!

Retrieving a headless silent token for main.iam.ad.ext.azure.com using Powershell

A lot of the things we can click on in the Azure Portal cannot be done through Powershell Cmdlets published by Microsoft.

However, using Fiddler, we can see that there is a ‘hidden’ API we can use, for example, to set permissions. I’ve written a ‘clean’ function to retrieve this token silently that you can use in your scripts, it is not compatible with MFA.

https://gitlab.com/Lieben/assortedFunctions/blob/master/get-azureRMtoken.ps1

Please be careful using this for production workflows as this is NOT supported by Microsoft.

UPDATE: Newer / mfa compatible version of this function

IssuePfx – The submission failed error Intune to PKI connector

As I couldn’t google an answer to this one and the error was misleading, if you are using the Intune Service Connector to distribute PCKS certificates from your onprem PKI to your Intune clients and see the following error in the Connector eventlogs:

{

“Metric”:{

“Dimensions”:{

“UserId”:”c659cd5a-86e5-4733-ae58-55a896f63d53″,

“DeviceId”:”4cec597c-cd90-4077-b6c0-612a213353ef”,

“CaName”:”PATH TO CA\\CAFriendlyName”,

“TemplateName”:”Intune”,

“ElapsedMilliseconds”:”786″,

“AgentId”:”1af3469a-ef31-cfd2-3bfc-cba69a6d215d”,

“DiagnosticCode”:”0x0FFFFFFF”,

“DiagnosticText”:”We are unable to complete your request because a server-side error occurred. Please try again. [Exception Message: \”DiagnosticException\”] [Exception Message: \”IssuePfx – The submission failed\”]”

},

“Name”:”PkcsCertIssue_Failure”,

“Value”:0

}

}

And this error on your CA:

EventId 22:

Active Directory Certificate Services could not process request 136204 due to an error: Error 0xc8000211 (ESE: -529).  The request was for COMPUTERNAME.  Additional information: Error Parsing Request

Ensure you restart the Active Directory Certificate Services service on your CA. This is not required as per the documentation, but was surely required in my environment.

Getting ALL (nested) groups a user is a member of in Active Directory by samaccountname

Little snippet for those who want a really simple PS oneliner to get the display names of all groups the logged in user is directly or indirectly a member of:

([ADSISEARCHER]"(member:1.2.840.113556.1.4.1941:=$(([ADSISEARCHER]"samaccountname=$($env:USERNAME)").FindOne().Properties.distinguishedname))").FindAll().Properties.distinguishedname -replace '^CN=([^,]+).+$','$1'
You can of course replace $env:USERNAME with a parameter if you don’t want the currently logged in user.