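function Get-UserGraphPermissions {
    <#
    .SYNOPSIS
        Exports the delegated (OAuth2) and application (app role) Microsoft Graph
        permissions held by every user member of a group to a CSV file.

    .DESCRIPTION
        Resolves the group by display name, enumerates its direct user members,
        and for each user collects oauth2PermissionGrants (delegated scopes) and
        appRoleAssignments (application roles). One row is emitted per permission.
        A user with no permissions gets a single row whose PermissionType is "NULL";
        a user whose lookup failed gets a single row whose PermissionType is "ERROR",
        so a failed lookup is never mistaken for "no permissions" in the audit output.

        Requires an existing Microsoft Graph session (Connect-MgGraph) with read
        access to groups, users, OAuth2 permission grants, app role assignments
        and service principals. Paging is followed everywhere, so large groups and
        large grant lists are not silently truncated.

    .PARAMETER GroupDisplayName
        Display name of the group whose members are audited.
        Defaults to 'Entra-Graph-Command-Line-Access'.

    .PARAMETER OutputDirectory
        Directory the CSV is written to; created if it does not exist.
        Defaults to c:\temp.

    .OUTPUTS
        None to the pipeline. Writes UserGraphPermissions_<yyyyMMdd-HHmmss>.csv
        into OutputDirectory and reports the path via Write-Verbose.

    .EXAMPLE
        Get-UserGraphPermissions -Verbose

    .EXAMPLE
        Get-UserGraphPermissions -GroupDisplayName 'Some-Group' -OutputDirectory 'D:\audit'
    #>
    [CmdletBinding()]
    param(
        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [string]$GroupDisplayName = 'Entra-Graph-Command-Line-Access',

        [Parameter()]
        [ValidateNotNullOrEmpty()]
        [string]$OutputDirectory = 'c:\temp'
    )

    # Fail fast with a clear message instead of a cascade of per-call Graph errors.
    if (-not (Get-MgContext)) {
        throw 'No Microsoft Graph session found. Run Connect-MgGraph first.'
    }

    # Double any single quote so the name cannot terminate the OData string literal.
    $odataName = $GroupDisplayName -replace "'", "''"
    $group = @(Get-MgGroup -Filter "displayName eq '$odataName'" -ErrorAction Stop)
    if ($group.Count -eq 0) {
        throw "Group '$GroupDisplayName' was not found."
    }
    if ($group.Count -gt 1) {
        throw "Group display name '$GroupDisplayName' is ambiguous ($($group.Count) matches)."
    }

    # -All follows paging; without it only the first page of members is returned.
    $members = @(Get-MgGroupMember -GroupId $group[0].Id -All -ErrorAction Stop)

    # Only user objects carry a UPN and app role assignments; nested groups, devices
    # and service principals are skipped (with a warning) rather than reported as errors.
    $users = @($members | Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.user' })
    $skipped = $members.Count - $users.Count
    if ($skipped -gt 0) {
        Write-Warning "Skipping $skipped non-user member(s) of '$GroupDisplayName'."
    }
    if ($users.Count -eq 0) {
        Write-Warning "Group '$GroupDisplayName' has no user members; the export will be empty."
    }

    $totalUsers = $users.Count
    $results = [System.Collections.Generic.List[PSCustomObject]]::new()
    # AppRoles of a resource service principal are fetched once per resource,
    # not once per assignment (keyed by ResourceId).
    $appRoleCache = @{}
    $count = 0

    foreach ($User in $users) {
        $count++
        $upn = [string]$User.AdditionalProperties.UserPrincipalName

        # $totalUsers is at least 1 inside this loop, so the division is safe.
        Write-Progress -Activity 'Processing users' -Status "Processing user $count of $totalUsers" -PercentComplete (($count / $totalUsers) * 100)
        Write-Verbose "`nProcessing user $count of $totalUsers $upn"

        # UserIdentifier is the local part of the UPN (everything before @), lower-cased.
        $UserIdentifier = ($upn -split '@')[0].ToLower()
        $hasPermissions = $false

        try {
            # Delegated permissions: follow @odata.nextLink so long grant lists are complete.
            $grants = [System.Collections.Generic.List[object]]::new()
            $uri = "https://graph.microsoft.com/v1.0/users/$($User.Id)/oauth2PermissionGrants"
            while ($uri) {
                $page = Invoke-MgGraphRequest -Uri $uri -Method Get -ErrorAction Stop
                foreach ($grant in $page.value) { $grants.Add($grant) }
                $uri = $page.'@odata.nextLink'
            }

            # Application permissions (app role assignments); -All follows paging.
            $appRoleAssignments = @(Get-MgUserAppRoleAssignment -UserId $User.Id -All -ErrorAction Stop)

            foreach ($permission in $grants) {
                # scope is space-separated and may carry leading/trailing spaces; drop empty entries.
                foreach ($scope in ($permission.scope -split ' ' | Where-Object { $_ })) {
                    $hasPermissions = $true
                    $results.Add([PSCustomObject]@{
                        UserIdentifier    = $UserIdentifier
                        UserPrincipalName = $upn
                        PermissionType    = 'Delegated'
                        Permission        = $scope
                        ResourceId        = $permission.resourceId
                        ClientAppId       = $permission.clientId
                    })
                }
            }

            foreach ($assignment in $appRoleAssignments) {
                $resourceId = $assignment.ResourceId
                if (-not $appRoleCache.ContainsKey($resourceId)) {
                    $appRoleCache[$resourceId] = @(Get-MgServicePrincipal -ServicePrincipalId $resourceId -ErrorAction Stop |
                        Select-Object -ExpandProperty AppRoles)
                }
                $appRole = $appRoleCache[$resourceId] | Where-Object { $_.Id -eq $assignment.AppRoleId }
                if ($appRole) {
                    $hasPermissions = $true
                    $results.Add([PSCustomObject]@{
                        UserIdentifier    = $UserIdentifier
                        UserPrincipalName = $upn
                        PermissionType    = 'Application'
                        Permission        = $appRole.Value
                        ResourceId        = $resourceId
                        # NOTE(review): PrincipalId on a user's appRoleAssignment is the
                        # assigned principal (the user), not a client app; kept as-is so
                        # the CSV column layout stays unchanged — confirm with consumers.
                        ClientAppId       = $assignment.PrincipalId
                    })
                }
            }

            # A user with no grants and no app roles still gets one row so they appear in the audit.
            if (-not $hasPermissions) {
                $results.Add([PSCustomObject]@{
                    UserIdentifier    = $UserIdentifier
                    UserPrincipalName = $upn
                    PermissionType    = 'NULL'
                    Permission        = 'NULL'
                    ResourceId        = 'NULL'
                    ClientAppId       = 'NULL'
                })
            }
        }
        catch {
            # A failed lookup (throttling, missing scope, transient error) is surfaced as a
            # warning and a distinct ERROR row; it must not read as "no permissions".
            Write-Warning "Error processing user ${upn}: $($_.Exception.Message)"
            $results.Add([PSCustomObject]@{
                UserIdentifier    = $UserIdentifier
                UserPrincipalName = $upn
                PermissionType    = 'ERROR'
                Permission        = 'NULL'
                ResourceId        = 'NULL'
                ClientAppId       = 'NULL'
            })
        }
    }
    Write-Progress -Activity 'Processing users' -Completed

    # Export results to CSV; create the target directory instead of failing on a missing c:\temp.
    if (-not (Test-Path -LiteralPath $OutputDirectory)) {
        $null = New-Item -ItemType Directory -Path $OutputDirectory -Force -ErrorAction Stop
    }
    $timestamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $exportPath = Join-Path -Path $OutputDirectory -ChildPath "UserGraphPermissions_$timestamp.csv"
    $results | Export-Csv -Path $exportPath -NoTypeInformation -ErrorAction Stop
    Write-Verbose "`nExport completed. File saved to: $exportPath"
}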
# Entry point: run the audit, requesting verbose per-user progress messages.
& Get-UserGraphPermissions -Verbose