So you’d like to know which applications are living in your AzureAD?
And you’d like to know which of those were added by your admins, and what permissions those applications have?
And you’d also like to know which applications your users are consenting to, and what rights those applications have on your users?
Look no further, I wrote a script to export all of that to Excel for you!
- Apps an admin has consented to and the type of rights it needs
- Apps a user has consented to and the type of rights it needs
- Apps to user mapping, for an easy overview of which user has consented to which app
Get it at:
Credits to Doug Finke for the Excel module I’m using!
The Microsoft-supplied Get-AzureRMADApplication PowerShell cmdlet does not return all applications you can see in the Enterprise Applications and App registrations blades in Azure AD.
In addition, Get-AzureRmAdApplication also does not return information such as:
- Publisher Name
- enabled/disabled status
- if it is a MicrosoftFirstParty application
So, here’s a custom PS function to help you out: https://gitlab.com/Lieben/assortedFunctions/blob/master/get-azureRMADAllApplications.ps1
It requires a special token generated by my get-AzureRMtoken function to log in.
As usual when using unsupported APIs, be careful!
A lot of the things we can click on in the Azure Portal cannot be done through PowerShell cmdlets published by Microsoft.
However, using Fiddler, we can see that there is a ‘hidden’ API we can use, for example, to set permissions. I’ve written a ‘clean’ function to retrieve this token silently that you can use in your scripts. It is not compatible with MFA.
Please be careful using this for production workflows as this is NOT supported by Microsoft.
As I couldn’t google an answer to this one and the error was misleading: if you are using the Intune Service Connector to distribute PKCS certificates from your on-prem PKI to your Intune clients and see the following error in the Connector event logs:
“CaName”:”PATH TO CA\\CAFriendlyName”,
“DiagnosticText”:”We are unable to complete your request because a server-side error occurred. Please try again. [Exception Message: \”DiagnosticException\”] [Exception Message: \”IssuePfx – The submission failed\”]”
And this error on your CA:
Active Directory Certificate Services could not process request 136204 due to an error: Error 0xc8000211 (ESE: -529). The request was for COMPUTERNAME. Additional information: Error Parsing Request
Ensure you restart the Active Directory Certificate Services service on your CA. This is not required as per the documentation, but was surely required in my environment.
Little snippet for those who want a really simple PS one-liner to get the display names of all groups the logged-in user is directly or indirectly a member of:
([ADSISEARCHER]"(member:1.2.840.113556.1.4.1941:=$(([ADSISEARCHER]"samaccountname=$($env:USERNAME)").FindOne().Properties.distinguishedname))").FindAll().Properties.distinguishedname -replace '^CN=([^,]+).+$','$1'
You can of course replace $env:USERNAME with a parameter if you don’t want the currently logged in user.
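One way to turn the one-liner into a function that takes the user name as a parameter (an added example, not the author's code; the function names `ConvertTo-LdapFilterValue` and `Get-NestedGroupName` are hypothetical). Once the name is a parameter, both it and the resulting distinguished name end up inside an LDAP filter, so each is escaped per RFC 4515 first; the sketch also reads the `name` attribute instead of applying the regex to the DN, which is a choice made here.

```powershell
# Added example, not from the original post. Function names are hypothetical.

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter value.
    # The backslash must be handled first so later escapes are not re-escaped.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' `
           -replace '\*', '\2a' `
           -replace '\(', '\28' `
           -replace '\)', '\29' `
           -replace '\x00', '\00'
}

function Get-NestedGroupName {
    # Returns the names of all groups the given account is a direct or
    # indirect member of, using the same matching rule as the one-liner
    # (1.2.840.113556.1.4.1941, LDAP_MATCHING_RULE_IN_CHAIN).
    param([string]$SamAccountName = $env:USERNAME)

    $userFilter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))"
    $user = ([adsisearcher]$userFilter).FindOne()
    if (-not $user) {
        throw "No directory object found for account '$SamAccountName'."
    }

    # A DN can itself contain backslashes or parentheses (for example an
    # escaped comma in a CN), so it is escaped again for use in a filter.
    $dn = [string]$user.Properties['distinguishedname'][0]
    $searcher = [adsisearcher]"(member:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $dn))"
    $searcher.PageSize = 1000                     # page through large result sets
    [void]$searcher.PropertiesToLoad.Add('name')  # only fetch what is needed

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) { [string]$r.Properties['name'][0] }
    }
    finally {
        $results.Dispose()                        # release the unmanaged search handle
    }
}

# Usage on a domain-joined machine; 'jdoe' is a constructed sample account name.
# Get-NestedGroupName -SamAccountName 'jdoe'
```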