Category Archives: M365Permissions

M365Permissions v1.1.5

1.1.5 brings some initial improvements to prepare for Managed Identities and fully automates creating a Service Principal (unattended/automated scanning).

Managed Identity support isn’t entirely finished yet. Since my target platforms are Automation Accounts and Azure Functions, which are heavily memory-constrained, I’ve focused on reducing the module’s memory footprint and further improving performance. The module now uses up to 80% less memory at no cost to scan speed!

I’ve described how to first set up a service principal in a separate post.

Full changelog:

  • [Feature] Add application and policy scanning
  • [Feature] Scan Entra Users in batches
  • [Feature] Improve memory usage
  • [Feature] Use tenant specific report folder
  • [Feature] Make logLevel configurable
  • [Feature] Experimental Managed Identity support
  • [Feature] Automatically handle Sharepoint Site Locks
  • [Feature] Automatically deduplicate and diff all reports
  • [Feature] Add objectIds to reports where useful
  • [Feature] Display calculated remaining scan time
  • [Feature] Service Principal create function
  • [Feature] Improved change detection (e.g. ignore display name changes)
  • [BugFix] Respect verbose settings in child jobs
  • [BugFix] Force English permission descriptions to avoid diff issues

Download / Use:

M365Permissions module page | Github | PSGallery

Allowing a Service Principal to Scan PowerBI

PowerBI’s admin-level APIs are not enabled at the OAuth / Entra level, but need to be enabled in the PowerBI Admin Center before you can use M365Permissions to scan all your PowerBI resources for access.

  1. Go to the Entra portal and create a security group, e.g. ‘PowerBISPNAccess’
  2. Add your service principal to the new group (you can find it under Enterprise Applications):
  3. Go to the PowerBI portal and search for ‘service principals can access’ and configure as follows:

M365Permissions v1.1.4

1.1.4 finally brings unattended scanning using a service principal!

I’ve described how to first set up a service principal in a separate post.

Full changelog:

  • [Feature] Add SPN scanning
  • [Feature] Configurable connection method
  • [Feature] Scan PowerBI gateways
  • [Feature] Scan PowerBI Lakehouses and Warehouses
  • [Feature] Add view config function
  • [Feature] Client cert creation function
  • [BugFix] Fix diff scanning path issue
  • [BugFix] Exclude modified field when detecting changes

Download / Use:

M365Permissions module page | Github | PSGallery

Scanning unattended using a Service Principal

If you want to use the M365Permissions module in unattended (or headless) mode, e.g. from a runbook or on a server as a scheduled task, you’ll need to create an app registration in Entra with sufficient permissions to scan your tenant.

Setup instructions (automated)

  1. Load the module using Import-Module -Name M365Permissions
  2. Create a service principal using Set-ScanPermissions -switchToSPNAuth -appName "M365Permissions (AppOnly)"
  3. Run Connect-M365 -ServicePrincipal
  4. Start a scan (e.g. using get-allM365Permissions)
  5. Scroll down if you also want to scan PowerBI

Setup instructions (manual)

  1. Go to https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/CreateApplicationBlade/quickStartType~/null/isMSAApp~/false
  2. Decide on a name and click Register
  3. Go to API permissions and enter as follows:
  4. Don’t forget to click ‘Grant admin consent’
  5. Note down the ‘Application (client) id’ and ‘Directory (tenant) id’ from the ‘Overview’ page
  6. Run the new-SpnAuthCert command from the M365Permissions module; it will output a .cer file. Make sure to use the tenant ID from step 5.
  7. The PFX file has to be imported on any machine you wish to run the module on, except for the machine where you ran the new-SpnAuthCert command.
  8. Go to ‘Certificates & secrets’ and upload the .cer file
  9. Go to Roles and Administrators in Entra and select the Global Administrator role.
  10. Add the new app registration to the Global Administrator role:
  11. Run set-M365PermissionsConfig -LCTenantId <tenant ID> -LCClientId <client id> with the values from step 5 to configure the module to use your new SPN to log in.
  12. Alternatively, you can configure the LCTENANTID and LCCLIENTID environment variables with the above information.
  13. If you also configure the LCAUTHMODE environment variable with a value of “ServicePrincipal”, the module will log in to your tenant fully automatically the moment it is imported.
  14. If you’re running interactively, you can now use connect-M365 -ServicePrincipal before running a scan to use the SPN instead of delegated authentication

Scanning PowerBI

If you also want to include PowerBI in your scans, you’ll have to authorize the service principal.

PFX certificate location

If you want to run from an Automation Account, Azure Function, etc., for now you’ll have to retrieve the .pfx file dynamically and install it before the module loads, because the module looks in the local certificate store for a certificate with your tenant ID as subject.
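The pre-step described above (install the PFX into the local store, then configure the LCTENANTID / LCCLIENTID / LCAUTHMODE variables from the manual setup steps before the module is imported), as an added runbook example that is not part of the M365Permissions module or its documentation. It assumes the PFX is kept as a Key Vault certificate that the Automation Account’s or Function’s managed identity may read; the vault and certificate names, and the exact subject format of the certificate, are placeholders/assumptions.

```powershell
# Added example, not the module's own code. Runbook / Function pre-step for M365Permissions:
# make sure a certificate whose subject carries the tenant ID exists in CurrentUser\My,
# then set the LC* environment variables and import the module so it logs in as the SPN.
$tenantId  = '<directory-(tenant)-id>'       # from the app registration Overview page
$clientId  = '<application-(client)-id>'
$vaultName = 'kv-m365permissions'            # assumed Key Vault name (placeholder)
$certName  = 'M365Permissions-SPN'           # assumed Key Vault certificate name (placeholder)

$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('My', 'CurrentUser')
$store.Open('ReadWrite')
try {
    # Only install when no usable certificate with the tenant ID as subject is present yet.
    $existing = $store.Certificates | Where-Object {
        $_.Subject -like "*$tenantId*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date)
    }
    if (-not $existing) {
        # Key Vault exposes a certificate's PFX as the base64 value of a secret of the same name
        # (no PFX password). The managed identity needs 'Get' on secrets for this vault.
        Connect-AzAccount -Identity | Out-Null
        $pfxB64 = Get-AzKeyVaultSecret -VaultName $vaultName -Name $certName -AsPlainText
        $flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet,PersistKeySet'
        $cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                      [Convert]::FromBase64String($pfxB64), [string]$null, $flags)
        $store.Add($cert)
        $pfxB64 = $null   # drop the key material from the session as soon as it is in the store
        $existing = $cert
    }
}
finally { $store.Close() }

if (-not $existing) {
    throw "No valid certificate with subject containing tenant $tenantId found in CurrentUser\My"
}

# Configure the module via environment variables so that Import-Module logs in unattended.
$env:LCTENANTID = $tenantId
$env:LCCLIENTID = $clientId
$env:LCAUTHMODE = 'ServicePrincipal'
Import-Module -Name M365Permissions
get-allM365Permissions
```

The subject match is deliberately loose (`-like "*$tenantId*"`) because the exact subject string written by new-SpnAuthCert is not documented on this page; tighten it to the real value once you have inspected a certificate it produced.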

I will consider adding support for Managed Identities in the future to make this simpler, and possibly also make Key Vault integration or a directly configured certificate path an option.

Restrictions

When scanning as service principal, you cannot scan:

  • Graph Subscriptions
  • PowerBI Gateways

You’ll see a warning in the logs about this as they’ll automatically be excluded.

Setup instructions (automated)

To be added in a future version.

M365Permissions v1.1.3

Well, a lot to share today! 36 commits with plenty of quality-of-life stuff, and some nice new features such as automatic retry of jobs when scanning multiple sources (e.g. all mailboxes). Since retrying runs the risk of getting duplicate results in the report, I’ve also added a deduplication function. It is also handy for those of you who run over time and add to the same report file, or who want to merge reports but don’t want to deduplicate manually.

File based caching should also further improve runs over larger environments that take more than a few hours.

Full changelog:

Download / Use:

M365Permissions module page | Github | PSGallery