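param(
    [switch]$debug = $false ## if -debug is given, write a transcript of the run (useful as an audit record of what was removed)
)
<# CIAOPS
Script provided as is. Use at own risk. No guarantees or warranty provided.
Description - Delete permissions from an Azure AD enterprise application
Source - https://github.com/directorcia/Office365/blob/master/graph-adappperm-del.ps1
Prerequisites = 1
1. Azure AD Module loaded
More scripts available by joining http://www.ciaopspatron.com

NOTE(review): the AzureAD PowerShell module has been deprecated in favour of the
Microsoft Graph PowerShell SDK - confirm the module still works in your tenant
before relying on this script.

How it works:
  1. Operator picks one or more enterprise applications (service principals) in a grid.
  2. For each, operator picks consent type(s): admin consent ("allprincipals") or user consent ("principal").
  3. For user consent, operator picks the user(s); the grants of that user are listed.
  4. Operator picks the grants to delete; each selected grant object is removed.
Removal is per grant object: every scope in that grant's Scope string is revoked
together. There is no confirmation beyond the grid selection, so run with -debug
to keep a transcript of what was removed.
#>
## Variables
$systemmessagecolor = "cyan"
$processmessagecolor = "green"
$errormessagecolor = "red"
$warningmessagecolor = "yellow"

## Helper functions

function Show-GrantScopes {
    <#
    .SYNOPSIS
    Writes the resource id and the individual scopes of each OAuth2 permission grant to the host.
    .PARAMETER Grants
    OAuth2PermissionGrant objects as returned by Get-AzureADOAuth2PermissionGrant.
    .OUTPUTS
    None. Host output only.
    #>
    param([object[]]$Grants)
    foreach ($grant in $Grants) {
        write-host "`nResource ID =", $grant.resourceid
        # Scope is one space-separated string (e.g. "User.Read Mail.Read"); list one scope per line
        $assignments = $grant.scope -split " "
        foreach ($assignment in $assignments) {
            write-host "-", $assignment
        }
    }
}

function Remove-SelectedGrants {
    <#
    .SYNOPSIS
    Lets the operator select grants in a grid and deletes the selected grant objects.
    .PARAMETER Grants
    Candidate OAuth2PermissionGrant objects for one application / consent type / user.
    .OUTPUTS
    None. Each removal is echoed to the host so it lands in the transcript when -debug is used.
    .NOTES
    A grid row is a whole grant object. Remove-AzureADOAuth2PermissionGrant revokes every
    scope in that grant's Scope string at once; single scopes cannot be removed here.
    #>
    param([object[]]$Grants)
    if (-not $Grants) {
        write-host -foregroundcolor $warningmessagecolor "`nNo grants to remove`n"
        return
    }
    write-host -foregroundcolor $processmessagecolor "`nSelect items to remove`n"
    $removes = $Grants | Select-Object scope, resourceid, objectid | Out-GridView -PassThru -title "Select permissions to delete (Multiple selections permitted)"
    foreach ($remove in $removes) {
        Remove-AzureADOAuth2PermissionGrant -ObjectId $remove.ObjectId
        write-host -foregroundcolor $warningmessagecolor "Removed consent for", $remove.scope
    }
}

## Main

Clear-Host
if ($debug) {
    ## Log file is created in the PARENT of the current directory (note the "..\") and overwritten on each run
    Start-Transcript "..\graph-adappperm-del.txt" | Out-Null
}
write-host -foregroundcolor $systemmessagecolor "Script started`n"
write-host -foregroundcolor cyan -backgroundcolor DarkBlue ">>>>>> Copyright www.ciaops.com <<<<<<`n"
write-host "--- Script to delete app permissions from an Azure AD application in a tenant ---"
write-host -foregroundcolor $processmessagecolor "`nCheck for Azure AD PowerShell module"
if (get-module -listavailable -name AzureAD) {
    ## Is the AzureAD PowerShell module installed?
    write-host -foregroundcolor $processmessagecolor "Azure AD PowerShell Module found"
}
else {
    write-host -foregroundcolor $warningmessagecolor -backgroundcolor $errormessagecolor "Azure AD PowerShell Module not installed. Please install and re-run script`n"
    write-host "You can install the Azure AD Powershell module by:`n"
    write-host " 1. Launching an elevated Powershell console then,"
    write-host " 2. Running the command,'install-module AzureAD'.`n"
    if ($debug) {
        Stop-Transcript | Out-Null ## only stop a transcript that was actually started; otherwise Stop-Transcript itself errors
    }
    Pause ## Pause to view error on screen
    exit 1 ## non-zero: a missing prerequisite is a failed run, not a successful one
}

## The cmdlets below need an Azure AD session; connect if there is none
try {
    Get-AzureADCurrentSessionInfo -ErrorAction Stop | Out-Null
}
catch {
    write-host -foregroundcolor $processmessagecolor "No Azure AD session found - connecting"
    Connect-AzureAD | Out-Null
}

$results = get-azureadserviceprincipal -All $true | sort-object displayname | Out-GridView -PassThru -title "Select Enterprise Application (Multiple selections permitted)"

# Menu for the consent types; built once, it does not change per application
$consenttype = @(
    [PSCustomObject]@{ Name = "Admin consent"; type = "allprincipals" }
    [PSCustomObject]@{ Name = "User consent";  type = "principal" }
)

foreach ($result in $results) { # loop through all selected applications
    write-host -foregroundcolor $processmessagecolor "Commencing", $result.displayname
    # Look up THIS selection's service principal ($result), not the whole $results collection
    $sp = Get-AzureADServicePrincipal -ObjectId $result.ObjectId
    # All delegated (OAuth2) grants where this application is the client - fetched once per application,
    # not once per consent type, since the tenant-wide query is the expensive part
    $spOAuth2PermissionsGrants = Get-AzureADOAuth2PermissionGrant -All $true | Where-Object { $_.clientId -eq $sp.ObjectId }
    $consentselects = $consenttype | Out-GridView -PassThru -title "Select Consent type (Multiple selections permitted)"
    foreach ($consentselect in $consentselects) { # loop through all selected consent types
        write-host -foregroundcolor $processmessagecolor "Commencing for", $consentselect.Name
        $info = $spOAuth2PermissionsGrants | Where-Object { $_.consenttype -eq $consentselect.type }
        if (-not $info) {
            write-host -foregroundcolor $warningmessagecolor "`nNo", $consentselect.name, "permissions found for", $result.displayname, "`n"
            continue
        }
        switch ($consentselect.type) {
            "principal" { # user consent
                # A user may hold one grant per resource; resolve each distinct principal once
                $usernames = @()
                foreach ($principalid in ($info.PrincipalId | Sort-Object -Unique)) {
                    $user = get-azureaduser -ObjectId $principalid -ErrorAction SilentlyContinue
                    if ($user) {
                        $usernames += $user
                    }
                    else {
                        # The grant still exists but its user object could not be read (e.g. deleted user)
                        write-host -foregroundcolor $warningmessagecolor "Could not read user object for principal", $principalid, "- skipping"
                    }
                }
                $selectusers = $usernames | select-object Displayname, userprincipalname, objectid | sort-object Displayname | Out-GridView -PassThru -title "Select user (Multiple selections permitted)"
                foreach ($selectuser in $selectusers) { # loop through all selected users
                    $infoscopes = $info | Where-Object { $_.principalid -eq $selectuser.ObjectId }
                    write-host -foregroundcolor $processmessagecolor "`n$($consentselect.name)", "permissions for user", $selectuser.displayname
                    Show-GrantScopes -Grants $infoscopes
                    Remove-SelectedGrants -Grants $infoscopes
                }
            }
            "allprincipals" { # admin consent: grants with no principal
                $infoscopes = $info | Where-Object { $null -eq $_.principalid }
                write-host -foregroundcolor $processmessagecolor $consentselect.name, "permissions"
                Show-GrantScopes -Grants $infoscopes
                Remove-SelectedGrants -Grants $infoscopes
            }
        }
    }
}
Write-Host -ForegroundColor $systemmessagecolor "`nScript Finished"
if ($debug) {
    Stop-Transcript | Out-Null
}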