Microsoft Teams permission auditing

I lied, not just Teams, also Sharepoint and Onedrive!

As I am asked often how to report on specific permissions granted to individual (groups) of (internal/external) users….and Microsoft doesn’t have a good built-in solution, nor does the community seem to yet….this something was just asking to be coded!

My TeamPermissions PowerShell module will do exactly the above, a full report in XLSX, CSV or HTML format that contains ALL unique permissions for a given Team, Sharepoint site or Onedrive location for all files, folders, lists, list items etc. Example:

It uses the safe Entra Delegated Permission Flow for authentication so your credentials/tokens stay with you, but this does mean you have to run it as a Sharepoint Administrator (or Global Admin), there is no support for MI/SPN runs yet but can be added easily if there is much demand.

Since it exports to Excel in append mode, you could run it for multiple (or all) team sites and use e.g. Pivots to view all permissions for a given user.

Do note that although some work has been done on performance, it does not scan multiple locations in parallel yet, this will be added in a future version.

Example:

Install-PSResource -Name TeamPermissions -Repository PSGallery

#then get xlsx/html reports for the INT-Finance Department Team:

Get-TeamPermissions -teamName "INT-Finance Department" -ExpandGroups -OutputFormat XLSX,HTML

#Or get all permission for a Sharepoint site:

Get-TeamPermissions -TeamSiteUrl "https://tenant.sharepoint.com/sites/site" -ExpandGroups -OutputFormat Default

Notes

Required PS modules: PnP.PowerShell, ImportExcel

Running multiple times will append data if you don’t move the (xlsx, csv, html) file, turning the report into a multi-location report.

Managed Identity auth against PowerBi Rest API’s

on https://learn.microsoft.com/en-us/rest/api/power-bi/ I couldn’t (easily) find if Managed Identities are supported when using the PowerBI rest API, especially the ‘asadmin’ parts.

The documentation also doesn’t really show (or I couldn’t find it), for what audience to request a token. Using a Logic App I eventually got it to work after a lot of trial and error 🙂

For those googling this, I encountered a bunch of these first before finding the right audience of ‘https://api.fabric.microsoft.com’

Http request failed as there is an error getting AD OAuth token: ‘AADSTS500011: The resource principal named https://api.fabric.microsoft.com/.default was not found in the tenant named XXXXX. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

Http request failed as there is an error getting AD OAuth token: ‘AADSTS500011: The resource principal named https://api.powerbi.com was not found in the tenant named XXX

Http request failed as there is an error getting AD OAuth token: ‘AADSTS500011: The resource principal named https://analysis.windows.net/powerbi/api/.default was not found in the tenant named XXX

Http request failed as there is an error getting AD OAuth token: ‘AADSTS500011: The resource principal named https://analysis.windows.net was not found in the tenant named XXX